8/13/2019 Kenneth-Tsun_SGS
http://slidepdf.com/reader/full/kenneth-tsunsgs 1/38
ISO/IEC 27001 Information Security Management System
Speaker: Kenneth Tsun
Certification Officer, IRCA Certified Lead Auditor, CISA, PCI QSA
SGS Hong Kong Limited, Systems and Services Certification
Date: 30 Sep 2011
Today's Agenda
Why do you need ISO 27001?
What is ISO 27001?
How to use ISMS effectively
How to get ISMS certification
Successful cases sharing
Our Service
Q&A
As dependency on IT grows…
Increasingly interconnected through the Internet
Moving Internet use beyond just websites and email
Wireless networks and Voice over IP telephony now become mainstream
Source: BIS 2010 Information Security Breaches Survey
More industries rely on information system management
Industries include:
• Financial
• Manufacturing
• Assembly
• Telecommunications
• Logistics, etc.
Their operations rely on
• Customer Relationship Management (CRM)
• Enterprise Resource Planning (ERP)
• Supply Chain Management (SCM)
• Payment and Collection Management
• Employee Relationship Management (ERM)
Controls are improving…
Technical controls have improved
People, as the greatest asset, are the greatest vulnerability
Increasing security awareness
Strong authentication (e.g. smart cards or biometrics)
Source: BERR 2008 Information Security Breaches Survey
But the protections are not enough.
Source: BIS 2010 Information Security Breaches Survey
New threats increase the demand for assurance
Mandatory security requirements are becoming more common
Organizations that use third-party services often do not demand the same level of assurance that their customers are demanding from them
Source: BIS 2010 Information Security Breaches Survey
ISO/IEC 27001 ISMS
Information security management system (ISMS)
Framework for managing an organization's information security
Focuses on Information Security, not IT security
Risk-based process approach to information security
A continual improvement system
ISO/IEC 27001
ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements
but it is commonly known as 'ISO 27001'
International ISMS standard
Compliance standard and the ONLY ISO/IEC standard for ISMS certification
Intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management
ISO/IEC 27001
ISO/IEC 27001 uses the well-known process model referred to as the PDCA (Plan-Do-Check-Act) Model, which is used by other ISO management system standards, e.g. Quality Management System, Environmental Management System, Food Safety Management System, IT Service Management System
Applicable to organizations of all shapes and sizes
Banking, telecoms, healthcare, utilities (electricity, gas, water, oil...), transportation, food supply chain, retail industry, service sector, manufacturing sector, small-medium sized companies, multinational companies, governments, research institutes, academic institutions...
ISO/IEC 27001
To achieve effective information security management
• Minimise business information security risks
• Maximise business opportunities and investments
• Maintain business continuity and availability
Information
Information is an asset that, like other important business assets, has value to an organization and consequently needs to be suitably protected. Also, information is the lifeblood of an organisation.
Identifying and protecting that information is the essence of ISO 27001.
Information assets exist in many forms:
• Content, container, carrier
• Databases, applications, registries & IT systems
• Legal, Board & Organizational records
• Intellectual property
• Reputation / Brand
• People
Examples of information
Electronic files
• Quotation through emails
• Finance data
• Technical drawings provided by customers
• Customer lists
• Production data
Paper documents
• Contracts
• Price list
• Application forms
• Photos
A/V Recordings
• Interviews
• Product testings
Communications
• Uncollected faxes
• Phone conversations
• SMS
ISMS Core Concepts
Confidentiality
Integrity
Availability
ISO/IEC 27000 ISMS Family
PDCA model applied to ISMS processes
[Figure: interested parties' information security requirements and expectations feed into the cycle, and its output is managed information security. Plan: Establish the ISMS. Do: Implement and operate the ISMS. Check: Monitor and review the ISMS. Act: Maintain and improve the ISMS. Development, maintenance and improvement cycle.]
ISO/IEC 27001 Plan (4.2.1)
ISMS Policy, objectives and business requirements
Define approach to risk management and criteria and levels of risk assessment
Risk assessment, treatment and selection of controls
Statement of applicability
ISO/IEC 27001 Do (4.2.2)
Treatment plan and its implementation
Allocation of roles and responsibilities
Resources and their management
Awareness and training
Produce and deploy policies and procedures
Implement and deploy incident handling process
Implement measurement process
ISO/IEC 27001 Check (4.2.3)
Monitoring ISMS and information security controls
Monitor risks and assess the effectiveness of the controls
Reviews
Audits
Recommend improvements
ISO/IEC 27001 Act (4.2.4)
Make improvements
Test improvements
Deploy improvements
Update policies, procedures, plans and processes
Communicate improvements
Carry out awareness and training where necessary
ISO 27001 General Clauses
4 Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output
8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
ISO 27001 Annex A (normative)
A.5 Information Security Policy
A.6 Organizational Security
A.7 Asset Management
A.8 Human Resource Security
A.9 Physical & Environment Security
A.10 Communication and Operations Management
A.11 Access Control
A.12 Systems Acquisition, Development & Maintenance
A.13 Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
ISO 27001 Annex A (normative)
Control area (control objectives / controls):
A.5 Security policy (1/2)
A.6 Organization of information security (2/11)
A.7 Asset management (2/5)
A.8 Human resources security (3/9)
A.9 Physical and environmental security (2/13)
A.10 Communications and operations management (10/32)
A.11 Access control (7/25)
A.12 Information systems acquisition, development and maintenance (6/16)
A.13 Information security incident management (2/5)
A.14 Business continuity management (1/5)
A.15 Compliance (3/10)
Total: 39 control objectives, 133 controls
ISMS must include:
Documented statements of security policy and control objectives
Scope, procedures and controls to support ISMS
Risk assessment report
Risk treatment plan
The mandatory documented procedures
Records
Statement of Applicability (SoA)
• States which controls are to be applied and how they are implemented. Explanations are required for those controls not applied.
(ISO 27001:2005, para. 4.3.1)
Benefits from ISO 27001 in 2008 (UK)
Better business continuity – 24%
Marketing – 24%
Greater efficiency – 19%
Improved or more consistent security controls – 14%
Greater security awareness – 10%
Better risk management for senior management – 9%
Note: For large businesses, greater security awareness is rated higher than marketing
Source: BERR 2008 Information Security Breaches Survey
Benefits
Improved contingency planning
Brand protection
KPI measurement
Business advantages
Confidence
Risk reduction
Corporate safety nets
Best practice
Safeguard information
Communication
Cost saving
Number of Certificates per Country (updated on 29 Sep 2011)
Effective threat protection requires the right security behaviour
Rise in incidents is due to the more complex threats
Technical controls are no longer enough to protect organizations
A combination of people, technology and process is now required
Source: BIS 2010 Information Security Breaches Survey
Demand for ISO 27001
ISO 27001 is becoming a common standard for compliance
Demand is highest in the telecommunications sector
Two-fifths of financial services are being asked to comply with ISO 27001
Source: BIS 2010 Information Security Breaches Survey
Audit Criteria
Agreed scope & sites by both parties
Local applicable regulations & legislations
ISO 27001 standard requirements
Commitments toward all the interested parties
Expectations & requirements from major interested parties
All the house rules
PDCA Process Model
Process Approach
Sampling Method
Hands Free Practice
Summary
ISO 27001:2005 as International Standard for Information Security and ISO 27002:2005 as Code of Practice
Annex A is a list of controls, including 133 controls, contained in 11 major control areas.
Information security is defined as the 'preservation of confidentiality, integrity and availability of information'.
Plan-Do-Check-Act cycle is applied to ISMS.
Statement of Applicability (SoA), risk assessment report and risk treatment plan are required.
ISMS is a management system, based on a systematic business risk approach, to establish, implement, monitor and improve information security.
Our Service
Public Training
IRCA ISO 27001 ISMS Foundation (1 day)
IRCA ISO 27001 ISMS Internal Auditor (2 days)
IRCA ISO 27001 ISMS Lead Auditor (5 days)
Gap Analysis Assessment
Audit & Certification
THANK YOU!
For enquiries, please contact:
Hotline: 2765 3620
E-mail: [email protected]
www.hk.sgs.com/certification
www.hk.sgs.com/training