
Certified ISO/IEC 27001

Lead Implementer

Instructor Guide

Information Security Training


Copyright ISO 27001 Lead Implementer, Classroom course, release 5.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


Certified ISO/IEC 27001 | Lead Implementer | Instructor Guide

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1

Follow Us

Before you start the course, please take a moment to:

"Like us" on Facebook: http://www.facebook.com/ITpreneurs
"Follow us" on Twitter: http://twitter.com/ITpreneurs
"Add us in your circle" on Google Plus: http://gplus.to/ITpreneurs
"Link with us" on LinkedIn: http://www.linkedin.com/company/ITpreneurs
"Watch us" on YouTube: http://www.youtube.com/user/ITpreneurs


Contents

Certified ISO/IEC 27001 Lead Implementer

Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 135
Day 3 ------------------------------------------------------------ 265
Day 4 ------------------------------------------------------------ 389
Appendix A: Case Study --------------------------------------- 493
Appendix B: Exercises List ---------------------------------- 501
Appendix C: Correction Key ---------------------------------- 519
Appendix D: Release Notes ----------------------------------- 535

Page 6: ISO 27001 Lead Implementer Instructor Guide

This

page

has b

een l

eft bl

ank i

ntenti

onall

y

Page 7: ISO 27001 Lead Implementer Instructor Guide

Certified ISO/IEC 27001 | Lead Implementer | Instructor Guide

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 5

Day 1

ISO 27001 Lead Implementer


Certified ISO 27001 Lead Implementer

Schedule for Day 1

Section 1: Course objective and structure
Section 2: Standard and regulatory framework
Section 3: Information Security Management System (ISMS)
Section 4: Fundamental principles of information security
Section 5: Initiating the ISMS implementation
Section 6: Understanding the organization and clarifying the information security objectives
Section 7: Analysis of the existing management system

© 2005 PECB. Version 4.5. René St-Germain and Eric Lachapelle (Editor). Document number: ISMSLID1V4.5. Documents provided to participants are strictly reserved for training purposes and are copyrighted by PECB. Unless otherwise specified, no part of this publication may be reproduced or used in any way or format or by any means, whether electronic or mechanical, including photocopy and microfilm, without PECB's written permission.


Normative references used in this training

1. Main standards

ISO 19011:2011, Guidelines for auditing management systems.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary.
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements.
ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management.
ISO/IEC 27003:2010, Information technology — Security techniques — Information security management system implementation guidance.
ISO/IEC 27004:2009, Information technology — Security techniques — Information security management — Measurement.
ISO/IEC 27005:2011, Information technology — Security techniques — Information security risk management.

2. Other standard references

ISO Guide 73:2009, Risk management — Vocabulary.
ISO 9000:2005, Quality management systems — Fundamentals and vocabulary.
ISO 9001:2008, Quality management systems — Requirements.
ISO 14001:2004, Environmental management systems — Requirements with guidance for use.
ISO/IEC 17011:2004, Conformity assessment — General requirements for accreditation bodies accrediting conformity assessment bodies.
ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of management systems.
ISO/IEC 17024:2003, Conformity assessment — General requirements for bodies operating certification of persons.
OHSAS 18001:2007, Occupational health and safety management systems — Requirements.
ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management system requirements.
ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems.
ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain.
ISO 22301:2012, Societal security — Business continuity management systems — Requirements.
ISO/IEC 27006:2011, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27007:2011, Information technology — Security techniques — Guidelines for information security management systems auditing.
ISO/IEC TR 27008:2011, Information technology — Security techniques — Guidelines for auditors on information security controls.
ISO 28000:2007, Specification for security management systems for the supply chain.
ISO 31000:2009, Risk management — Principles and guidelines.


List of acronyms and abbreviations used in this training

ANSI: American National Standards Institute
BCMS: Business continuity management system
BS: British Standard
CERT: Computer Emergency Response Team
CMS: Content management system
CobiT: Control Objectives for Information and related Technology
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CPD: Continuing Professional Development
DMS: Document management system
EA: European co-operation for Accreditation
EDM: Electronic document management system
EMS: Environmental management system
FISMA: Federal Information Security Management Act
GAAS: Generally Accepted Auditing Standards
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
IAF: International Accreditation Forum
IFAC: International Federation of Accountants
IMS2: Integrated Implementation Methodology for Management Systems and Standards
ISMS: Information security management system
ISO: International Organization for Standardization
ITIL: Information Technology Infrastructure Library
LA: Lead Auditor
LI: Lead Implementer
NC: Non-conformity
NIST: National Institute of Standards and Technology
OECD: Organisation for Economic Co-operation and Development
OHSAS: Occupational Health and Safety Assessment Series
PCI-DSS: Payment Card Industry Data Security Standard
PDCA: Plan-Do-Check-Act
PECB: Professional Evaluation and Certification Board
QMS: Quality management system
ROI: Return on investment
ROSI: Return on security investment
SMS: Service management system
SoA: Statement of Applicability
SOX: Sarbanes-Oxley Act


Certified ISO 27001 Lead Implementer Training

Section 1: Course objectives and structure

a. Meet and greet
b. General points
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training

Activity

Meet and greet

To break the ice, participants introduce themselves, stating:

Name;
Current position;
Knowledge of and experience with information security;
Knowledge of and experience with ISO 27001 and other standards of the 27000 family (27002, 27003, 27004, 27005, ...);
Knowledge of and experience with other management systems (ISO 9001, ISO 14001, ISO 20000, ISO 22301, etc.);
Course expectations and objectives.

Duration of activity: 20 minutes

General Information

Smoking area
Meals
Timetable and breaks
Use of mobile phones and recording devices
Absences
Use of a computer and access to the Internet

For simplification, only the masculine is used throughout this training; no offense is intended.

In case of emergency, please be aware of the exits. Agree on the course schedule and two breaks (be on time). Set your cell phone to vibrate and, if you need to take a call, please do so outside the classroom. Recording devices are prohibited because they may restrict free discussion.


Training Objectives

Acquiring knowledge

1. Understand the components and the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001 and ISO 27002, as well as with other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS

The main objective of this training is to acquire and/or enhance the knowledge and competencies needed to participate in the implementation of an Information Security Management System based on ISO 27001. From an educational point of view, competency consists of three elements:

Knowledge;
Skill;
Behavior (attitude).

The training focuses on acquiring the knowledge necessary to implement a compliance framework for ISO 27001, not on acquiring expertise in information security. Minimal knowledge of information security is, however, required for successful completion of the course. This training is not intended as a simple list of the requirements of the ISO 27001 standard with high-level advice on the implementation approach. In addition to presenting the theoretical knowledge an ISMS project manager needs, it presents a comprehensive implementation methodology. Thus, at the end of this course, participants will know how to implement a compliance framework for ISO 27001, and not only why or what to do. For more in-depth knowledge of ISMS audit techniques, the Certified ISO 27001 Lead Auditor course is recommended.


Training Objectives

Development of competencies

1. Interpret the ISO 27001 requirements in the specific context of an organization
2. Develop the expertise to support an organization in planning, implementing, managing, monitoring and maintaining an ISMS as specified in ISO 27001
3. Acquire the expertise to advise an organization on information security management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project

The objective of this training is to ensure that, on the day following the end of the training, the candidate can actively participate in the implementation of a compliance framework for ISO 27001. This training focuses on the reality of conducting a compliance project. The case study and exercises are used to simulate conditions as close as possible to reality. Regarding attitude, several exercises allow the candidate to strengthen the personal qualities an implementer needs in order to act with due professional care during the implementation, such as decision-making ability, teamwork and open-mindedness.


Educational Approach

Students at the center

This course is primarily based on:

Trainer-led sessions, where questions are welcome.
Student involvement in various ways: exercises, case studies, notes, reactions, discussions (participant experiences).

Remember, this course is yours: you are the main players in its success. Students are encouraged to take additional notes; extra blank pages are available at the end of each day's notes. Exercises are essential to acquire the skills needed to conduct the implementation of a management system, so it is very important to do them conscientiously. In addition, these exercises prepare students for the final examination.


Examination

Competency domains

1. Fundamental principles of information security
2. Information security control best practice based on ISO 27002
3. Planning an ISMS based on ISO 27001
4. Implementing an ISMS based on ISO 27001
5. Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001
6. Continual improvement of an ISMS based on ISO 27001
7. Preparing for an ISMS certification audit

The objective of the certification examination is to ensure that implementer candidates have mastered ISMS concepts and techniques so that they are able to participate in ISMS project assignments. The PECB examination committee shall ensure that the development and adequacy of the exam questions are maintained based upon current professional practice.

The questions are developed and maintained by a committee of information security specialists who are all certified ISO 27001 Lead Implementers.

The exam contains only essay questions. The duration of the exam is 3 hours. The minimum passing score is 70%.

All notes and reference documents may be used during the exam; the use of a computer is not permitted.

The exam is available in several languages. When taking the exam, please ask the trainer or check the PECB website for the list of available languages. All seven competency domains are covered by the examination. For a detailed description of each competency domain, please visit the PECB website.


Certified ISO 27001 Lead Implementer

Prerequisites for certification

1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years of professional experience
4. 2 years of information security experience
5. 300 hours of activity
6. Professional references

Passing the exam is not the only prerequisite for obtaining the credential of "Certified ISO/IEC 27001 Lead Implementer". This credential endorses both the passing of the exam and the validation of the professional experience records. Unfortunately, many people claim to be ISO 27001 Lead Implementer-qualified following a successful exam, although they do not have the required level of experience. The set of criteria and the certification process are explained in detail on the last day of the training. A candidate with less experience can apply for the credential of "Certified ISO/IEC 27001 Implementer" or "Certified ISO/IEC 27001 Provisional Implementer".

Important note: Certification fees are included in the examination price. The candidate will therefore not have to pay any additional costs when applying for certification at the corresponding experience level in order to receive one of the professional credentials: Certified ISO/IEC 27001 Provisional Implementer, Certified ISO/IEC 27001 Implementer or Certified ISO/IEC 27001 Lead Implementer.


Certificate

Candidates who meet all the prerequisites for certification will receive a certificate.

After passing the exam, the candidate has a maximum of three years to apply for one of the professional credentials related to the ISO 27001 certification scheme. Once certified, the candidate receives from PECB, by e-mail, a certificate valid for three years. To maintain the certification, the applicant must demonstrate every year that he satisfies the requirements for the assigned credential and abides by PECB's Code of Ethics. To learn more about the certificate maintenance and renewal procedure, please visit the PECB website. More details will be given at the end of the training. A course completion certificate in electronic (PDF) form, worth 31 CPD (Continuing Professional Development) credits, will be sent to participants by e-mail after the training.


What is PECB?

Professional Evaluation and Certification Board

Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Founded in 2005, PECB is a personnel certification body for various standards, including ISO 9001 (Quality), ISO 14001 (Environment), OHSAS 18001 (Health & Safety), ISO 20000 (IT Service), ISO 22000 (Food safety), ISO 22301 (Business continuity), ISO 26000 (Social Responsibility), ISO 27001 (Information security), ISO 27005 (Information security risk) and ISO 28000 (Supply Chain Security). Our mission is to provide our clients with comprehensive individual examination and certification services. PECB develops, maintains and continually improves high-quality, recognized certification programs. PECB is accredited by ANSI under ISO/IEC 17024 (accreditation ID: 1003). PECB is the only personnel certification body certified to both ISO 9001 and ISO 27001.

The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for certification and to administer credible certification programs for individuals who practice in disciplines involving the audit and the implementation of a compliant management system. This principal purpose includes:

Establishing the minimum requirements necessary to qualify certified professionals;
Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification examinations;
Developing and maintaining reliable, valid and current certification examinations;
Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory of the holders of valid certificates;
Establishing requirements for the periodic renewal of certification and determining compliance with those requirements;
Ascertaining that certificants meet and continue to meet the PECB Code of Ethics;
Representing its members, where appropriate, in matters of common interest;
Promoting the benefits of certification to employers, public officials, practitioners in related fields, and the public.


Personnel Certification Bodies

ISO 17024

ISO 17024 specifies the criteria for an organization that conducts certification of persons against specific requirements, including developing and maintaining a certification scheme for persons.

PECB is accredited by ANSI under ISO/IEC 17024.

Most of the organizations proposing certifications of professionals are not accredited certification bodies.

The ISO 17024 standard provides a comprehensive framework that allows certification bodies of persons such as PECB to operate in a coherent, comparable and trusted way around the world. The primary function of a certification body of persons is the independent assessment of a candidate's demonstrated experience, knowledge and attitudes as they apply to the field for which certification is granted. The ISO 17024 standard provides a uniform set of guidelines for organizations that manage the qualification and certification of persons, including procedures for preparing and updating a certification scheme. The standard is designed to help organizations that certify persons to conduct well-planned and structured assessments, using objective criteria of competence and grading, in order to ensure impartiality of operations and reduce the risk of conflicts of interest. ISO 17024 addresses the structure and governance of the certification body, the characteristics of the certification programme, the information that must be made available to candidates, and the renewal of certification.

ANSI is the largest and most recognized organization offering an accreditation program to ISO 17024. PECB is accredited by ANSI under ISO/IEC 17024 (accreditation ID: 1003).

Important note: PECB is the only personnel certification body accredited by ANSI for an ISO 27001 certification program. Most of the organizations proposing certifications of professionals are not accredited certification bodies. Only a certification body accredited under the ISO 17024 standard ensures international recognition. It is important to validate the status of a certification body with the associated accreditation authority, such as ANSI or UKAS.


Why become a Certified Implementer?

Advantages

Qualifying oneself to manage an ISMS project
Formal and independent recognition of personal competencies
Certified professionals usually earn higher salaries than non-certified professionals

An internationally recognized certification can help you maximize your career potential and reach your professional objectives. An international certification is the formal recognition of personal competencies in improving the performance of organizations. According to salary surveys published by Quality Progress magazine over the last five years, certified professionals have an average salary considerably higher than that of their non-certified counterparts.


Customer Service

Comments, questions and complaints

Diagram: Training participant -> (1) Submit a complaint -> Training provider -> (2) Answer in writing -> Training participant -> (3) Appeal -> PECB -> (4) Final arbitration.

In order to ensure your satisfaction and continually improve the training, examination and certification processes, PECB Customer Service has established a support ticket system for handling complaints and service requests from our clients.

As a first step, we invite you to discuss the situation with the trainer. If necessary, do not hesitate to contact the head of the training organization where you are registered. In all cases, we remain at your disposal to arbitrate any dispute that might arise between you and these parties.

To send comments, questions or complaints, please open a ticket on PECB's website in the Contact Us section. If you have suggestions for improving PECB's training materials, we would like to hear from you. We read and evaluate the input we get from our members. Please open a ticket directed to the Training Department on PECB's website in the Contact Us section.

In case of dissatisfaction with the training (trainer, training room, equipment, ...), the examination or the certification processes, please open a ticket under the "Make a complaint" category on PECB's website in the Contact Us section.


Schedule for the Week

Day 1: Introduction to ISO 27001 and initiation of an ISMS
Section 1: Course objective and structure
Section 2: Standard and regulatory framework
Section 3: Information Security Management System (ISMS)
Section 4: Fundamental principles of information security
Section 5: Initiating the ISMS implementation
Section 6: Understanding the organization and clarifying the information security objectives
Section 7: Analysis of the existing management system

Day 2: Plan the implementation of the ISMS
Section 8: Leadership and approval of the ISMS project
Section 9: ISMS scope
Section 10: Policies for information security
Section 11: Risk assessment
Section 12: Statement of Applicability and management decision to implement the ISMS
Section 13: Definition of the organizational structure of information security

Day 3: Deploying the ISMS
Section 14: Definition of the document management process
Section 15: Design of security controls and drafting of specific policies & procedures
Section 16: Communication plan
Section 17: Training and awareness plan
Section 18: Implementation of security controls
Section 19: Incident Management
Section 20: Operations Management

Day 4: ISMS measurement, continual improvement and preparation for the certification audit
Section 21: Monitoring, measurement, analysis and evaluation
Section 22: Internal audit
Section 23: Management review
Section 24: Treatment of problems and non-conformities
Section 25: Continual improvement
Section 26: Preparing for the certification audit
Section 27: Competence and evaluation of implementers
Section 28: Closing the training


Questions?


Certified ISO 27001 Lead Implementer Training

Section 2: Standard and regulatory framework

a. ISO structure
b. Fundamental ISO principles
c. Information Security Standards
d. ISO 27000 family
e. Integrated normative framework
f. Project Management Standards

During this training, we adopt the following convention: on the slides, standards are often referenced as "ISO XXXXX" instead of their official designation "ISO/IEC XXXXX:20XX", without specifying their publication date; each reference is to the latest version. ISO documents are copyright protected. Each participant is responsible for possessing a legal copy of the standards required for this course. If a standard is included or was given to you for the period of this training, you must follow the conditions of use stated by ISO. No part of an ISO publication may be reproduced or used in any way or by any means, electronic or mechanical, including photocopies and microfilm, without written permission from ISO (see address below) or from the ISO member body in the requester's country. Copies of the different ISO standards can be bought online from the ISO website (www.iso.org) or from the national standards body of each country. For example, in the United States you can buy ISO standards from ANSI (webstore.ansi.org).

Important note on terminology: Depending on the standard, different terms are used to refer to a specific part of a standard, such as clause, section, paragraph or chapter. In this course we use "clause" for any reference to a specific part of a norm or standard.


What is ISO?

ISO is a network of national standardization bodies from over 160 countries.
The final results of ISO's work are published as International Standards.
Over 19 000 standards have been published since 1947.

History

In 1946, delegates from 25 countries met in London and decided to create a new international organization, whose object would be "to facilitate the international coordination and unification of industrial standards". The new organization officially began operations on 23 February 1947, in Geneva, Switzerland. The International Organization for Standardization (ISO) is a non-governmental organization that holds a special position between the public sector and the private sector. Its members include national standards organizations, which are often part of government structures in their countries or are mandated by those governments. Other members belong to the private sector, as national partnerships of industry associations.

Goals/Advantages

The role of ISO is to facilitate the international coordination and unification of industrial standards. To reach these objectives, ISO publishes technical standards. These standards contribute to the development, manufacturing and delivery of products and services that are more effective, safer and clearer. They facilitate fair trade between countries. In addition, they give governments a technical foundation for health, safety and environmental legislation, and they help transfer technologies to developing countries. ISO standards are also used to protect consumers and general users of products and services, and to simplify their lives.

Note on terminology

Because "International Organization for Standardization" would have different acronyms in different languages ("IOS" in English, "OIN" in French for Organisation internationale de normalisation), its founders decided to also give it a short, all-purpose name. They chose "ISO", derived from the Greek isos, meaning "equal".

Source: www.iso.org


How ISO standards are developed?

The national delegations of experts of a committee meet to discuss, debate and argue until they reach consensus on a draft agreement. The “organizations in liaison” also take part in this work. In some cases, advanced work within these organizations means that substantial technical development and debate has already occurred, leading to some international recognition and in this case, a document may be submitted for "fast-track" processing. In both cases, the resulting document is circulated as a Draft International Standard (DIS) to all ISO's member bodies for voting and comment. If the voting is in favor, the document, with eventual modifications, is circulated to the ISO members as a Final Draft International Standard (FDIS). If that vote is positive, the document is then published as an International Standard. (There is no FDIS stage in the case of documents processed through the fast track procedure of the joint technical committee ISO/IEC JTC 1, Information technology.)

Every working day of the year, an average of seven ISO technical meetings takes place around the world. In between meetings, the experts continue the standards' development work by correspondence. Increasingly, their work is carried out by electronic means, which speeds up the development of standards and cuts travel costs.

International Standards are developed by a six-step process:

Stage 1: Proposal stage
The first step in the development of an International Standard is to confirm that a particular International Standard is needed. A new work item proposal (NP) is submitted for vote by the members of the relevant TC or SC to determine the inclusion of the work item in the programme of work. The proposal is accepted if a majority of the P-members of the TC/SC votes in favor and if at least five P-members declare their commitment to participate actively in the project. At this stage a project leader responsible for the work item is normally appointed.

Stage 2: Preparatory stage
Usually, a working group of experts, the chairman (convener) of which is the project leader, is set up by the TC/SC for the preparation of a working draft. Successive working drafts may be considered until the working group is satisfied that it has developed the best technical solution to the problem being addressed. At this stage, the draft is forwarded to the working group's parent committee for the consensus-building phase.

Stage 3: Committee stage
As soon as a first committee draft is available, it is registered by the ISO Central Secretariat. It is distributed for comment and, if required, voting, by the P-members of the TC/SC. Successive committee drafts may be considered until consensus is reached on the technical content. Once consensus has been attained, the text is finalized for submission as a draft International Standard (DIS).

Stage 4: Enquiry stage
The draft International Standard (DIS) is circulated to all ISO member bodies by the ISO Central Secretariat for voting and comment within a period of five months. It is approved for submission as a final draft International Standard (FDIS) if a two-thirds majority of the P-members of the TC/SC are in favor and not more than one-quarter of the total number of votes cast are negative. If the approval criteria are not met, the text is returned to the originating TC/SC for further study and a revised document will again be circulated for voting and comment as a draft International Standard.

Stage 5: Approval stage
The final draft International Standard (FDIS) is circulated to all ISO member bodies by the ISO Central Secretariat for a final Yes/No vote within a period of two months. If technical comments are received during this period, they are no longer considered at this stage, but registered for consideration during a future revision of the International Standard. The text is approved as an International Standard if a two-thirds majority of the P-members of the TC/SC is in favor and not more than one-quarter of the total number of votes cast are negative. If these approval criteria are not met, the standard is referred back to the originating TC/SC for reconsideration in light of the technical reasons submitted in support of the negative votes received.

Stage 6: Publication stage
Once a final draft International Standard has been approved, only minor editorial changes, if and where necessary, are introduced into the final text. The final text is sent to the ISO Central Secretariat which publishes the International Standard.

Reference: www.iso.org

Basic Principles – ISO Standards

1. Equal representation: 1 vote per country

2. Voluntary membership: ISO does not have the authority to force adoption of its standards

3. Business orientation: ISO only develops standards for which a market demand exists

4. Consensus approach: looking for a large consensus among the different stakeholders

5. International cooperation: over 160 member countries plus liaison bodies

ISO basic principles

1. Equal representation: Every ISO member (full-fledged member) has the right to participate in the development of any standard it deems important to the economy of its country. Whatever the size or strength of the economy, each participating member can claim its right to vote. ISO activities are thus carried out in a democratic structure where member countries are on the same footing in terms of their influence on work orientation.

2. Voluntary: Adoption of ISO standards is voluntary. As a non-governmental organization, ISO has no legal authority for their implementation. A percentage of ISO standards – more particularly those related to health, security and the environment – have been adopted in several countries as part of the regulatory framework, or are mentioned in the legislation for which they act as a technical basis. Such adoptions are sovereign decisions by regulatory organizations or governments.

ISO itself does not regulate or legislate. However, although ISO standards are voluntary, they can become a market requirement, as is the case with ISO 9001 or with freight container dimensions, the traceability of food products, etc.

3. Business orientation: ISO only develops standards for which a market demand exists. Work is carried out by experts in the related industrial, technical and business sectors. These experts may be joined by other experts with the appropriate knowledge, such as those from public organizations, academia and testing laboratories. ISO launches the development of new standards in response to sectors and stakeholders that express a clearly established need for them. An industry sector or other stakeholder group typically communicates its requirement for a standard to one of ISO's national members. The latter then proposes the new work item to the relevant ISO technical committee developing standards in that area. New work items may also be proposed by organizations in liaison with such committees. When work items do not relate to existing committees, proposals may also be made by ISO members to set up new technical committees to cover new fields of activity.

4. Consensus approach: ISO standards are based on a representative consensus approach of the different stakeholders (experts, industries, researchers, governments, etc.). This ensures a wider circulation and a greater application. ISO standards are developed by technical committees (subcommittees or project committees) comprising experts from the industrial, technical and business sectors which have asked for the standards, and which subsequently put them to use. These experts may be joined by representatives of government agencies, testing laboratories, consumer associations, non-governmental organizations and academic circles.

Proposals to establish new technical committees are submitted to all ISO national member bodies, who may opt to be participating (P), observer (O) or non-members of the committee. The secretariat (i.e. the body providing the administrative support to the work of the committee) is allocated by the Technical Management Board (which itself reports to the ISO Council), usually to the ISO member body which made the proposal. The secretariat is responsible for nominating an individual to act as chair of the technical committee. The chair is formally appointed by the Technical Management Board. Experts participate as national delegations, chosen by the ISO national member body for the country concerned. National delegations are required to represent not just the views of the organizations in which their participating experts work, but those of other stakeholders too. National delegations are usually based on and supported by national mirror committees to which the delegations report. According to ISO rules, the national member body is expected to take account of the views of all parties interested in the standard under development. This enables them to present a consolidated, national consensus position to the technical committee. International and regional organizations from both business and the public sector may apply for liaison status to participate in developing a standard, or to be informed about the work.

Such "organizations in liaison" are accepted through voting by the relevant ISO committee. They may comment on successive drafts, propose new work items or even propose documents for "fast tracking", but they have no voting rights.

5. International cooperation: ISO standards are technical agreements that bring, at the international level, structures for technological compatibility. Developing a technical consensus on an international scale is a major activity. Some 3 000 ISO technical groups are identified (technical committees, subcommittees, working groups, etc.), within which 50 000 experts take part in developing standards annually.

Source: www.iso.org

Eight ISO Management Principles

1. Customer focus: Organizations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.

Management system implications:
- Researching and understanding customer needs and expectations.
- Ensuring that the objectives of the organization are linked to customer needs and expectations.
- Communicating customer needs and expectations throughout the organization.
- Systematically managing customer relationships.
- Ensuring a balanced approach between satisfying customers and other interested parties (such as owners, employees, suppliers, financiers, local communities and society as a whole).

2. Leadership: Leaders establish unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization's objectives.

Management system implications:
- Considering the needs of all interested parties including customers, owners, employees, suppliers, financiers, local communities and society as a whole.
- Establishing a clear vision of the organization's future.
- Setting challenging goals and targets.
- Creating and sustaining shared values, fairness and ethical role models at all levels of the organization.
- Establishing trust and eliminating fear.
- Providing people with the required resources, training and freedom to act with responsibility and accountability.
- Inspiring, encouraging and recognizing people's contributions.

3. Involvement of people: People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization's benefit.

Management system implications:
- People understanding the importance of their contribution and role in the organization.
- People identifying constraints to their performance.
- People accepting ownership of problems and their responsibility for solving them.
- People evaluating their performance against their personal goals and objectives.
- People actively seeking opportunities to enhance their competence, knowledge and experience.
- People freely sharing knowledge and experience.
- People openly discussing problems and issues.

4. Process approach: A desired result is achieved more efficiently when activities and related resources are managed as a process.

Management system implications:
- Systematically defining the activities necessary to obtain a desired result.
- Establishing clear responsibility and accountability for managing key activities.
- Analyzing and measuring the capability of key activities.
- Identifying the interfaces of key activities within and between the functions of the organization.
- Focusing on the factors such as resources, methods, and materials that will improve key activities of the organization.
- Evaluating risks, consequences and impacts of activities on customers, suppliers and other interested parties.

5. System approach to management: Identifying, understanding and managing interrelated processes as a system contributes to the organization's effectiveness and efficiency in achieving its objectives.

Management system implications:
- Structuring a system to achieve the organization's objectives in the most effective and efficient way.
- Understanding the interdependencies between the processes of the system.
- Structured approaches that harmonize and integrate processes.
- Providing a better understanding of the roles and responsibilities necessary for achieving common objectives and thereby reducing cross-functional barriers.
- Understanding organizational capabilities and establishing resource constraints prior to action.
- Targeting and defining how specific activities within a system should operate.
- Continually improving the system through measurement and evaluation.

6. Continual improvement: Continual improvement of the organization's overall performance should be a permanent objective of the organization.

Management system implications:
- Employing a consistent organization-wide approach to continual improvement of the organization's performance.
- Providing people with training in the methods and tools of continual improvement.
- Making continual improvement of products, processes and systems an objective for every individual in the organization.
- Establishing goals to guide, and measures to track, continual improvement.
- Recognizing and acknowledging improvements.

7. Factual approach to decision making: Effective decisions are based on the analysis of data and information.

Management system implications:
- Ensuring that data and information are sufficiently accurate and reliable.
- Making data accessible to those who need it.
- Analyzing data and information using valid methods.
- Making decisions and taking action based on factual analysis, balanced with experience and intuition.

8. Mutually beneficial supplier relationships: An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value.

Management system implications:
- Establishing relationships that balance short-term gains with long-term considerations.
- Pooling of expertise and resources with partners.
- Identifying and selecting key suppliers.
- Clear and open communication.
- Sharing information and future plans.
- Establishing joint development and improvement activities.
- Inspiring, encouraging and recognizing improvements and achievements by suppliers.

Source: www.iso.org


Management System Standards

Primary standards against which an organization can be certified:

ISO 9001 – Quality
ISO 14001 – Environment
OHSAS 18001 – Health and Safety at work
ISO 20000 – IT Service
ISO 22000 – Food Safety
ISO 22301 – Business continuity
ISO 27001 – Information security
ISO 28000 – Supply Chain Security

Since 1947 ISO has published over 19 000 international standards. ISO publishes standards related to traditional activities such as agriculture and construction, to media devices, and to the most recent developments in information technologies, such as the digital coding of audiovisual signals for multimedia applications. The ISO 9000 and ISO 14000 families are among the best known ISO standards. The ISO 9000 standard has become an international reference for quality requirements in commerce and business transactions. The ISO 14000 standard, for its part, is used to help organizations meet challenges of an environmental nature.

ISO 9001 is related to quality management. It contains the good practices that aim to improve customer satisfaction, achievement of customer requirements and regulatory requirements, as well as continuous improvement actions in those fields. In December of 2009, 1 064 785 organizations were ISO 9001 certified (China having the most certified organizations: 257 076).

ISO 14001 is mainly related to environmental management. It defines the actions that the organization can implement for the maximum reduction of negative impacts of its activities on the environment and for the continuous improvement of its environmental performance. In December 2009, 223 149 organizations were ISO 14001 certified (China having the most certified organizations: it had 55 316 in 2009; Japan is second with 39 556 certified organizations).

OHSAS 18001 (OHSAS = Occupational Health and Safety Assessment Series) identifies best practices for the rigorous management and effective protection of occupational health and safety. In spite of the publication of the ISO 18001 standard after various disagreements within the ISO organization about creating a management standard for health and safety, OHSAS 18001 is the de facto standard for health and safety in the enterprise. OHSAS 18001 is a private standard. It was developed from existing national standards (BS 8800, UNE 81900, VCA) and standards published by different certification bodies (OHSMS, SafetyCert, SMS 8800).

ISO 20000-1 defines the requirements that an information technology service provider must apply. This standard applies to service providers regardless of the organization's size or type. The standard consists of two parts. The first part defines the specifications the organization shall apply to obtain certification. The second part (ISO 20000-2) explains the different practices or recommendations to reach the objectives previously defined.

ISO 22000 creates and manages a food safety management system (FSMS). This standard applies to all organizations that are involved in any aspect of the food supply chain and want to implement a system to continuously provide safe food. This standard focuses on personnel competencies and continuous information research about food products (new legislation, standards, rules…). Organizations must perform a HACCP (Hazard Analysis Critical Control Point) to identify, analyze and evaluate the risks for food safety. For each risk that has been defined as significant, the organization must define controls to implement.

ISO 22301 defines the requirements that an organization must apply to certify a Business Continuity Management System (BCMS). To comply with the requirements of this standard the organization needs to document a model to develop, implement, operate, monitor, review, maintain and improve a BCMS to increase the resilience of the organization in case of a disaster. This standard is compatible with PAS 22399 (Guideline for incident preparedness and operational continuity management) and BS 25999 (British Standard on business continuity).

ISO 27001 defines the requirements that an organization must apply to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes. The ISO 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO 27002. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 28000 prescribes the requirements applicable to a security management system for the supply chain. An organization has to define, implement, maintain, and improve a supply chain security management system during each step of production: manufacturing, maintenance, storage or transport of goods.


Integrated Management System

Common structure of ISO standards

| Requirements | ISO 9001:2008 | ISO 14001:2004 | ISO 20000:2011 | ISO 22301:2012 | ISO 27001:2005 |
|---|---|---|---|---|---|
| Objectives of the management system | 5.4.1 | 4.3.3 | 4.5.2 | 6.2 | 4.2.1 |
| Policy of the management system | 5.3 | 4.2 | 4.1.2 | 5.3 | 4.2.1 |
| Management commitment | 5.1 | 4.4.1 | 4.1 | 5.2 | 5 |
| Documentation requirements | 4.2 | 4.4 | 4.3 | 7.5 | 4.3 |
| Internal audit | 8.2.2 | 4.5.5 | 4.5.4.2 | 9.2 | 6 |
| Continual improvement | 8.5.1 | 4.5.3 | 4.5.5 | 10 | 8 |
| Management review | 5.6 | 4.6 | 4.5.4.3 | 9.3 | 7 |

More and more organizations have to manage several compliance frameworks simultaneously. To simplify the work, to avoid conflicts and to reduce duplication of documents, it is recommended to implement an integrated management system. An integrated management system (IMS) is a management system which integrates all components of a business into one coherent system so as to enable the achievement of its purpose and mission. The table in the slide presents certain requirements that are common to all management systems.

There are several good reasons for integration, to:
- harmonize and optimize practices
- eliminate conflicting responsibilities and relationships
- balance conflicting objectives
- formalize informal systems
- reduce duplication and therefore costs
- reduce risks and increase profitability
- turn the focus to business goals
- create consistency
- improve communication
- facilitate training and awareness

Important note: In June 2009, the Technical Steering Committee of ISO adopted a resolution asking the committees involved in the development of standards to specify the requirements of a management system (ISO 14001, ISO 22000, ISO 27001, etc.) by following a common structure of clauses in line with ISO 9001. This Directive is applicable to the versions published after 2011. So the common elements to every management system will have the same reference. The main objective is to facilitate the combined management of a normative framework for an organization.


Other Information Security Standards

Examples

As of March 2012, there are 106 published ISO standards on information security (JTC 1/SC 27 technical committee), including the following examples:

ISO 9798: This standard specifies a general model including the requirements and constraints for the use of identity authentication mechanisms. These mechanisms are used to demonstrate that an entity is who it claims to be. Details on the different mechanisms are explained in the different parts of this standard.

ISO 11770: This standard defines a general model for key management independent of the cryptographic algorithm used. This standard addresses both automatic and manual key management and the required sequence of operations. However, it does not specify details of the interface protocols needed for the operations.

ISO 15408: Under the general title Common Criteria, the scope of this standard is its use as a basis to evaluate the security properties of Information Technology (IT) products and systems. A free copy can be downloaded from the ISO website. It contains the following parts: Part 1: Introduction and general model; Part 2: Security functional components; Part 3: Security assurance components.

ISO 21827 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security. ISO 21827 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The objective is to facilitate an increase in the maturity of the security engineering processes within the organization.

ISO 24761 specifies the structure and elements of a mechanism for authentication using biometrics in the verification process.

ISO 27033 provides an overview of network security and related definitions. It defines and describes the concepts associated with network security. The various parts of ISO 27033 address specific topics related to network security.

History of the ISO 27001 Series

[Slide timeline: 1990 – Code of best practices (published by a group of companies); 1995 – BS7799-1 Code of best practices; 1998 – BS7799-2 ISMS certification schema; 2000 – ISO 17799 Best practices code; 2005 – New version of ISO 17799, ISO 27001 publication; 2007 – ISO 27006 Certification organization requirements; 2008+ – Publication of other standards of the 27000 family, revision of ISO 27001 & ISO 27002 in progress.]

Important dates

Beginning of the 1990s
- An industry need expressed in terms of better practices and controls to support trade and government in the implementation and improvement of information security;
- The Ministry of Commerce and Industry (United Kingdom) forms a work group bringing together directors with experience in information security;
- Publication of a collective work of advice on the management of information security.

1992
- Guide of good practices of the industry (September), initially published as a British Standard Institute (BSI) publication;
- This guide was the basis for the British Standard BS 7799-1.

1995
- BS 7799-1:1995 published as a British standard.

1996 - 1997
- Identification of a need to increase the level of confidence in the BS 7799 standard;
- The industry requests a certification programme for an ISMS.

1998
- Launch of the ISMS certification model (published as BS 7799-2:1998).

1999
- Revision of BS 7799-1:1999 (updates and addition of new security controls):
  - New security controls: e-commerce, mobile IT, third-party agreements;
  - Removal of specific references to the United Kingdom.
- BS 7799-2:1999 (alignment of controls to BS 7799-1).

2000
- Publication of ISO 17799:2000.

2002
- Launch of BS 7799-2:2002. The main updates are:
  - Integration of the Plan-Do-Check-Act (PDCA) model;
  - ISO 17799 controls included as an annex to the standard;
  - Annex demonstrating the connection between BS 7799-2, ISO 9001 and ISO 14001.

2005
- Publication of the new version of ISO 17799:2005.
- Publication of ISO 27001:2005, which replaces BS 7799-2, and contains:
  - ISMS specifications;
  - ISO 17799 controls in the standard's annex;
  - Annex demonstrating the connection with ISO 9001 and ISO 14001.

2007
- Publication of ISO 27002:2005 replacing ISO 17799:2005 (no change in the content, just the identification number);
- Publication of ISO 27006:2007 (Requirements for bodies providing audit and certification of information security management systems).

2008
- Publication of ISO 27005:2008 (Information security risk management);
- Publication of ISO 27011:2008 (Information security management guidelines for telecommunications organizations based on ISO 27002).

2009
- Publication of ISO 27000:2009 (Information security management systems -- Overview and vocabulary);
- Publication of ISO 27004:2009 (Information security management – Measurement);
- Publication of ISO 27033-1:2009 (Network security -- Part 1: Overview and concepts).

2010
- Publication of ISO 27003:2010 (Information security management system implementation guidance);
- Publication of ISO 27033-3:2010 (Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues).

2011
- Publication of ISO 27005:2011 (Information security risk management);
- Publication of ISO 27006:2011 (Requirements for bodies providing audit and certification of information security management systems);
- Publication of ISO 27007:2011 (Guidelines for information security management systems auditing);
- Publication of ISO 27008:2011 (Guidelines for auditors on information security controls).


ISO 27000 Family

[Slide diagram, standards grouped by category:]
Vocabulary: ISO 27000 – Vocabulary
Requirements: ISO 27001 – ISMS requirements; ISO 27006 – Certification organization requirements
General guides: ISO 27002 – Code of practices; ISO 27003 – Implementation guide; ISO 27004 – Metrics; ISO 27005 – Risk management; ISO 27007-27008 – Audit guides
Industry guides: ISO 27011 – Telecommunications; ISO 27799 – Health; ISO 270XX – others

Resulting from the reflections of an international workgroup dedicated to the information security scope, the ISO 27000 family has been published progressively since 2005. ISO 27001:2005 is the only certifiable standard of the ISO 27000 family. The other standards are guidelines.

ISO 27000: This information security standard develops the basic concepts as well as the vocabulary that applies when analyzing Information Security Management Systems. A free copy of this standard can be downloaded from the ISO website.

ISO 27001: This information security standard defines the requirements of Information Security Management Systems (ISMS).

ISO 27002 (previously ISO 17799): Guide of best practices for the management of information security. This standard defines objectives and recommendations in terms of information security and anticipates meeting the global concerns of organizations relating to information security for their overall activities.

ISO 27003: Guide for implementing or setting up an ISMS.

ISO 27004: Guide of metrics to facilitate ISMS management; it provides a method to define the objectives for implementation and effectiveness criteria, and for follow-up and evolution measurements all through the process.

ISO 27005: Guide for information security risk management which complies with the concepts, models and general processes specified in ISO 27001.

ISO 27006: Guide for organizations auditing and certifying ISMSs.

ISO 27007: Guidelines for information security management systems auditing.

ISO 27008: Guidelines for auditors on information security controls.

ISO 27011: Guidelines for the use of ISO 27002 in the telecommunication industry.

ISO 27031: Guidelines for information and communication technology readiness for business continuity.

ISO 27799: Guidelines for the use of ISO 27002 in health informatics.


ISO 27001

Specifies requirements for ISMS management (Clause 4 to 8)
Requirements (clauses) are written using the imperative verb "shall"
Annex A: 11 clauses containing 39 control objectives and 133 controls
Organizations can obtain certification against this standard

ISO 27001:
- A set of normative requirements for the establishment, implementation, operation, monitoring and review to update and improve an Information Security Management System (ISMS);
- A set of requirements for selecting security controls tailored to the needs of each organization based on industry best practices;
- A management system that is integrated in the overall risk framework associated with the activity of the organization;
- An internationally-recognized process, defined and structured to manage information security;
- An international standard to suit all types of organizations (e.g. commercial enterprises, government agencies, nonprofit organizations ...), of all sizes in all industries.

ISO 27001, clause 0.1: General
This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution. This International Standard can be used in order to assess conformance by interested internal and external parties.