7/31/2019 Iso 27001 Training http://slidepdf.com/reader/full/iso-27001-training (18 pages)

Iso 27001 Training


Page 1: Iso 27001 Training

ISO/IEC 27001:2005

Page 2: Iso 27001 Training


Real World Scenario (Personal Perspective)

Imagine that you are at a restaurant and, after finishing your meal, you hand over your credit card to the waiter. The waiter takes the card and returns it after charging it. The whole process takes about 5 to 10 minutes. Have you ever asked yourself whether the card could be misused during this time, while it is out of your sight?

Page 3: Iso 27001 Training


Importance of Business Information

Another example of information produced by the business is “Business Intelligence”, which is used for forecasting as well as for producing new services and products. Disclosure of this information may lead to loss of competitive advantage and subsequent loss of revenue and jobs.

Page 4: Iso 27001 Training


Importance of Business Information

Similarly, source code and new product designs are valuable information that enables the business to produce new products and to become a leader in its specific market segment. Disclosure of this information could lead to loss of competitive advantage, loss of market share and loss of revenue.

Page 5: Iso 27001 Training


ISMS and ISO 27001

ISMS stands for Information Security Management System.

“An ISMS is a management framework for identifying important information, continuously evaluating security risks to this important information and taking reasonable steps to protect this important information.”

Page 6: Iso 27001 Training


An ISMS is a continuous process

An ISMS is a continuous process that lasts throughout the life of the business.

Page 7: Iso 27001 Training


PDCA Model

The P-D-C-A (Plan-Do-Check-Act) model is also called the Deming cycle, after Dr. W. Edwards Deming.

Page 8: Iso 27001 Training


PDCA is the most widely used model in the world

ISO 27001 adheres to the PDCA model and is in all probability the most widely used standard for ISMS implementation in the world.

Page 9: Iso 27001 Training


Now, what is ISO 27001? And what is the relationship between an ISMS and ISO 27001?

ISO 27001 is an international standard that provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.

To keep it simple, you will use ISO 27001 to create and manage your ISMS.

Page 10: Iso 27001 Training


In the PLAN phase, you will focus on establishing the ISMS

1. Defining the scope of the ISMS
2. Defining the ISMS policy
3. Defining the risk assessment approach of the organization
4. Identifying the risks
5. Analyzing risk treatment options
6. Selecting control objectives and controls for treatment of risks
7. Obtaining management approval and authorization for risk treatment and residual risks
8. Preparing the “Statement of Applicability”

Page 11: Iso 27001 Training


In the DO phase, we will focus on implementing and operating the ISMS.

1. Defining and implementing a risk treatment plan
2. Selecting appropriate controls
3. Defining how to measure the effectiveness of the controls
4. Implementing training and awareness programs
5. Managing the operation of the ISMS
6. Managing the resources for operating the ISMS
7. Implementing security incident detection and response procedures

Page 12: Iso 27001 Training


Next, we focus on the CHECK phase

1. Executing monitoring and reviewing procedures
2. Measuring the effectiveness of controls
3. Reviewing risk assessments and reviewing residual risks
4. Conducting internal ISMS audits
5. Undertaking management review of the ISMS
6. Updating security plans based on review findings
7. Recording actions and events that may have an impact on the performance of the ISMS

Page 13: Iso 27001 Training


We come to the ACT phase, which focuses on maintaining and improving the ISMS

1. Implementing the identified improvements in the ISMS
2. Taking appropriate corrective and preventive actions
3. Communicating the actions and improvements to all relevant parties
4. Ensuring that the improvements achieve their intended objectives

Page 15: Iso 27001 Training


ISO 27001 Structure

Mandatory requirements: clauses 4, 5, 6, 7 and 8 of the standard.

Annex A: 133 controls grouped into 11 domains.

Page 16: Iso 27001 Training


For learning purposes, let us divide ISO 27001 into 2 sections.

Section 1 consists of a set of mandatory requirements that explain how to build the ISMS in the PDCA model.

Section 2 consists of control objectives and controls. In the ISO 27001 standard this is Annex A. “Controls” are essentially “information security safeguards”. For example, an “anti-virus” is a control, an “information security training program” is a control, and a “change management process” is a control. “Control objectives” specify the aim for using a control or a set of controls.

ISO 27001 provides a set of 133 controls that you can use to build your ISMS.

Page 17: Iso 27001 Training


ISO 27001 Structure

There is a very simple relationship between Section 1 and Section 2. Section 1 tells you how to build the ISMS, and Section 2 gives you a set of controls that you can use to build the ISMS.

Page 18: Iso 27001 Training


Let us look at an example that explains the relationship between Section 1 and Section 2.

If you read through the standard, you will see “Part 4.2 - Define an ISMS policy in terms of the characteristics of the business, ….”.

Now, if you are looking for more information on how to go about this, you can use the corresponding control in Section 2, which is “Annex A - A.5.1 Information security policy document”.