Kenneth-Tsun_SGS
8/13/2019 Kenneth-Tsun_SGS http://slidepdf.com/reader/full/kenneth-tsunsgs 1/38

Page 1

ISO/IEC 27001 Information Security Management System

Speaker: Kenneth Tsun
Certification Officer, IRCA Certified Lead Auditor, CISA, PCI QSA
SGS Hong Kong Limited, Systems and Services Certification
Date: 30 Sep 2011

Page 2

Today's Agenda

Why you need ISO 27001?

What is ISO 27001?

How to use ISMS effectively

How to get ISMS certification

Successful cases sharing

Our Service

Q&A


Page 4

As dependency on IT grows...

Increasingly interconnected through the Internet
Moving Internet use beyond just websites and email
Wireless networks and Voice over IP telephony now become mainstream

Source: BIS 2010 Information Security Breaches Survey 

Page 5

More industries rely on information system management

Industries include:
• Financial
• Manufacturing
• Assembly
• Telecommunications
• Logistics, etc.

Their operations rely on
• Customer Relationship Management (CRM)
• Enterprise Resource Planning (ERP)
• Supply Chain Management (SCM)
• Payment and Collection Management
• Employee Relationship Management (ERM)


Page 7

Controls are improving...

Technical controls have improved
People, as the greatest asset, are the greatest vulnerability
Increasing security awareness
Strong authentication (e.g. smart cards or biometrics)

Source: BERR 2008 Information Security Breaches Survey 

Page 8

But the protections are not enough.

Source: BIS 2010 Information Security Breaches Survey 

Page 9

New threats increase the demand for assurance

Mandatory security requirements are becoming more common
Organizations that use third-party services often do not demand the same level of assurance that their customers are demanding from them

Source: BIS 2010 Information Security Breaches Survey 

Page 10

ISO/IEC 27001 ISMS

Information security management system (ISMS)
Framework for managing an organization's information security
Focuses on information security, not only IT security
Risk-based process approach to information security
A continual improvement system

Page 11

ISO/IEC 27001

The full title is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements, but it is commonly known as 'ISO 27001'
International ISMS standard
Compliance standard and the ONLY ISO/IEC standard for ISMS certification
Intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management

Page 12

ISO/IEC 27001

ISO/IEC 27001 uses the well-known process model referred to as the PDCA (Plan-Do-Check-Act) model, which is also used by other ISO management system standards, e.g. Quality Management System, Environmental Management System, Food Safety Management System, IT Service Management System
Applicable to organizations of all shapes and sizes
Banking, telecoms, healthcare, utilities (electricity, gas, water, oil...), transportation, food supply chain, retail industry, service sector, manufacturing sector, small and medium-sized companies, multinational companies, governments, research institutes, academic institutions...

Page 13

ISO/IEC 27001

To achieve effective information security management:
• Minimise business information security risks
• Maximise business opportunities and investments
• Maintain business continuity and availability

Page 14

Information

Information is an asset that, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information is the lifeblood of an organisation. Identifying and protecting that information is the essence of ISO 27001.

Information assets exist in many forms:
• Content, container, carrier
• Databases, applications, registries & IT systems
• Legal, Board & Organizational records
• Intellectual property
• Reputation / Brand
• People

Page 15

Examples of information

Electronic files
• Quotations sent through email
• Finance data
• Technical drawings provided by customers
• Customer lists
• Production data

Paper documents
• Contracts
• Price lists
• Application forms
• Photos

A/V recordings
• Interviews
• Product testing

Communications
• Uncollected faxes
• Phone conversations
• SMS

Page 16

ISMS Core Concepts

Confidentiality

Integrity

Availability

Page 17

ISO/IEC 27000 ISMS Family

Page 18

PDCA model applied to ISMS processes

(Figure: the development, maintenance and improvement cycle.)
Input: interested parties' information security requirements and expectations
Plan: Establish the ISMS
Do: Implement and operate the ISMS
Check: Monitor and review the ISMS
Act: Maintain and improve the ISMS
Output: managed information security for the interested parties

Page 19

ISO/IEC 27001 Plan (4.2.1)

ISMS policy, objectives and business requirements
Define the approach to risk management and the criteria and levels of risk assessment
Risk assessment, treatment and selection of controls
Statement of Applicability

Page 20

ISO/IEC 27001 Do (4.2.2)

Treatment plan and its implementation

Allocation of roles and responsibilities

Resources and their management

Awareness and training

Produce and deploy policies and procedures

Implement and deploy incident handling process

Implement measurement process

Page 21

ISO/IEC 27001 Check (4.2.3)

Monitoring ISMS and information security controls

Monitor risks and assess the effectiveness of the controls

Reviews

Audits

Recommend improvements

Page 22

ISO/IEC 27001 Act (4.2.4)

Make improvements
Test improvements
Deploy improvements
Update policies, procedures, plans and processes
Communicate improvements
Carry out awareness and training where necessary

Page 23

ISO 27001 General Clauses

4 Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records

5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence

6 Internal ISMS audits

7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output

8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action

Page 24

ISO 27001 Annex A (normative)

A.5 Information Security Policy
A.6 Organizational Security
A.7 Asset Management
A.8 Human Resource Security
A.9 Physical & Environment Security
A.10 Communication and Operations Management
A.11 Access Control
A.12 Systems Acquisition, Development & Maintenance
A.13 Security Incident Management
A.14 Business Continuity Management
A.15 Compliance

Page 25

ISO 27001 Annex A (normative)

Control area                                                       Control objectives   Controls
A.5  Security policy                                                        1               2
A.6  Organization of information security                                   2              11
A.7  Asset management                                                       2               5
A.8  Human resources security                                               3               9
A.9  Physical and environmental security                                    2              13
A.10 Communications and operations management                              10              32
A.11 Access control                                                         7              25
A.12 Information systems acquisition, development and maintenance           6              16
A.13 Information security incident management                               2               5
A.14 Business continuity management                                         1               5
A.15 Compliance                                                             3              10
Total                                                                      39             133


Page 27

ISMS must include:

Documented statements of the security policy and control objectives
Scope, procedures and controls to support the ISMS
Risk assessment report
Risk treatment plan
The mandatory documented procedures
Records
Statement of Applicability (SoA)
• States which controls are to be applied and how they are implemented. Explanations are required for those controls not applied.

(ISO 27001:2005, para. 4.3.1)
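The Plan phase on Page 19 (risk criteria, assessment, treatment and selection of controls) and the documentation list above (risk assessment report, risk treatment plan, SoA with justified exclusions) are the parts of the standard that can actually be mechanised. The following is an added example, not code from this deck or from SGS: it takes a small constructed risk register, applies an assumed 5x5 likelihood-by-impact scale with an assumed acceptance threshold, derives the treatment decision per risk, and builds a Statement of Applicability in which every control is either applicable (justified by the risks it treats) or not applicable with a justification. The useful part for a practitioner is the gap check: a control in scope that is neither selected nor justified is rejected, which is exactly what an auditor looks for. The asset names, threats, proposed controls and the Annex A subset are constructed for illustration; the identifiers are those of the 2005 edition used throughout this deck.

```python
"""Risk-based control selection and Statement of Applicability (SoA) check.

Added example for the ISO/IEC 27001 Plan phase (4.2.1) and the ISMS
documentation set (4.3.1); not code from the SGS deck. The likelihood and
impact scales, the acceptance threshold, the assets, threats and proposed
controls in the register are constructed for illustration.
"""
from dataclasses import dataclass

# Risk criteria (assumption): likelihood and impact each rated 1..5,
# risk level = likelihood x impact, and a level at or below this value
# is within the acceptance criteria, i.e. the risk is accepted, not treated.
ACCEPTABLE_RISK = 6

# Subset of ISO/IEC 27001:2005 Annex A controls in scope, with short titles.
ANNEX_A = {
    "A.9.1.2": "Physical entry controls",
    "A.9.1.4": "Protecting against external and environmental threats",
    "A.10.8.4": "Electronic messaging",
    "A.10.9.1": "Electronic commerce",
    "A.10.10.1": "Audit logging",
    "A.11.2.1": "User registration",
    "A.11.2.4": "Review of user access rights",
    "A.12.2.1": "Input data validation",
    "A.12.6.1": "Control of technical vulnerabilities",
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1..5
    impact: int       # 1..5, derived from the asset's C/I/A valuation
    controls: tuple   # Annex A controls proposed to treat this risk

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

    @property
    def name(self) -> str:
        return f"{self.asset}: {self.threat}"


# Constructed risk register, i.e. the output of the risk assessment.
REGISTER = [
    Risk("customer database", "SQL injection via web front end", 4, 5,
         ("A.12.2.1", "A.12.6.1")),
    Risk("customer database", "unauthorised insider access", 3, 5,
         ("A.11.2.1", "A.11.2.4", "A.10.10.1")),
    Risk("paper contracts", "destroyed by office fire", 3, 4, ("A.9.1.4",)),
    Risk("server room", "tailgating by visitors", 2, 4, ("A.9.1.2",)),
    Risk("quotation e-mails", "interception in transit", 2, 3, ("A.10.8.4",)),
]


def _control_key(cid):
    """Sort Annex A identifiers numerically (A.10.10.1 after A.10.8.4)."""
    return tuple(int(p) for p in cid[2:].split("."))


def treatment_plan(register, acceptable=ACCEPTABLE_RISK):
    """Treatment decision per risk: 'mitigate' with the proposed controls
    when the level exceeds the acceptance criteria, otherwise 'accept'."""
    return {r.name: ("mitigate" if r.level > acceptable else "accept")
            for r in register}


def _controls_by_outcome(register, acceptable):
    """Split proposed controls into those selected by a mitigated risk and
    those only ever proposed for accepted risks."""
    plan = treatment_plan(register, acceptable)
    selected, accepted_only = {}, {}
    for r in register:
        bucket = selected if plan[r.name] == "mitigate" else accepted_only
        for c in r.controls:
            bucket.setdefault(c, []).append(r.name)
    return selected, accepted_only


def soa_gaps(register, annex=ANNEX_A, acceptable=ACCEPTABLE_RISK,
             exclusions=None):
    """Controls in scope that are neither selected by a treated risk nor
    given an explicit or risk-derived justification for exclusion."""
    selected, accepted_only = _controls_by_outcome(register, acceptable)
    known = set(selected) | set(accepted_only) | set(exclusions or {})
    return sorted((c for c in annex if c not in known), key=_control_key)


def build_soa(register, annex=ANNEX_A, acceptable=ACCEPTABLE_RISK,
              exclusions=None):
    """Build the SoA: each control is applicable, justified by the risks it
    treats, or not applicable with a justification. Raises when a control
    has neither, because an auditor will ask for one (4.2.1 j)."""
    gaps = soa_gaps(register, annex, acceptable, exclusions)
    if gaps:
        raise ValueError("no justification for: " + ", ".join(gaps))
    selected, accepted_only = _controls_by_outcome(register, acceptable)
    exclusions = exclusions or {}
    soa = {}
    for cid in sorted(annex, key=_control_key):
        if cid in selected:
            entry = (True, "treats: " + "; ".join(selected[cid]))
        elif cid in exclusions:
            entry = (False, exclusions[cid])
        else:
            entry = (False, "only proposed for risks within acceptance "
                     "criteria: " + "; ".join(accepted_only[cid]))
        soa[cid] = {"title": annex[cid], "applicable": entry[0],
                    "justification": entry[1]}
    return soa


if __name__ == "__main__":
    for cid, e in build_soa(
            REGISTER, exclusions={"A.10.9.1": "no e-commerce service in scope"}
    ).items():
        mark = "applicable    " if e["applicable"] else "not applicable"
        print(f"{cid:<10} {mark} {e['justification']}")
```

Run as-is it prints nine SoA rows: seven controls applicable because a risk above the threshold selects them, A.10.8.4 not applicable because its only risk (quotation e-mails, level 6) is within the acceptance criteria, and A.10.9.1 not applicable on the explicit scope justification. Drop the `exclusions` argument and `build_soa` refuses to produce an SoA, naming A.10.9.1 as the control with no justification; that refusal is the check worth keeping when the register and the SoA are maintained by different people.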

Page 28

Benefits from ISO 27001 in 2008 (UK)

Better business continuity – 24%
Marketing – 24%
Greater efficiency – 19%
Improved or more consistent security controls – 14%
Greater security awareness – 10%
Better risk management for senior management – 9%

Note: For large businesses, greater security awareness is rated higher than marketing

Source: BERR 2008 Information Security Breaches Survey

Page 29

Benefits

(Figure: benefits of ISO 27001 certification.)
Improved contingency planning
Brand protection
KPI measurement
Business advantages
Confidence
Risk reduction
Corporate safety nets
Best practice
Safeguard information
Communication
Cost saving

Page 30

Number of Certificates per Country (figure; updated on 29 Sep 2011)

Page 31

Effective threat protection requires the right security behaviour

Rise in incidents is due to the more complex threats
Technical controls are no longer enough to protect organizations
A combination of people, technology and process is now required

Source: BIS 2010 Information Security Breaches Survey 

Page 32

Demand for ISO 27001

ISO 27001 is becoming a common standard for compliance
Demand is highest in the telecommunications sector
Two-fifths of financial services organisations are being asked to comply with ISO 27001

Source: BIS 2010 Information Security Breaches Survey


Page 34

Audit Criteria

Scope & sites agreed by both parties
Applicable local regulations & legislation
ISO 27001 standard requirements
Commitments toward all interested parties
Expectations & requirements from major interested parties
All the house rules

Page 35

PDCA Process Model
Process Approach
Sampling Method
Hands Free Practice

Page 36

Summary

ISO 27001:2005 is the International Standard for Information Security Management Systems and ISO 27002:2005 the Code of Practice
Annex A is a list of 133 controls in 11 major control areas.
Information security is defined as the 'preservation of confidentiality, integrity and availability of information'.
The Plan-Do-Check-Act cycle is applied to the ISMS.
A Statement of Applicability (SoA), risk assessment report and risk treatment plan are required.

An ISMS is a management system, based on a systematic business risk approach, to establish, implement, monitor and improve information security.

Page 37

Our Service

Public Training

IRCA ISO 27001 ISMS Foundation (1 day)

IRCA ISO 27001 ISMS Internal Auditor (2 days)

IRCA ISO 27001 ISMS Lead Auditor (5 days)

Gap Analysis Assessment

Audit & Certification

Page 38

THANK YOU!

For enquiries, please contact:
Hotline: 2765 3620
E-mail: [email protected]
www.hk.sgs.com/certification
www.hk.sgs.com/training