International Security Management Standards
BS ISO/IEC 17799:2005
BS ISO/IEC 27001:2005
First edition: ISO/IEC 17799:2000
Second edition: ISO/IEC 17799:2005
ISO/IEC 17799 takes the form of guidance notes and recommendations, which have been produced following consultation with leading companies.
ISO/IEC 27001:2005 provides requirements for Information Security Management and is relevant to those responsible for initiating, implementing or maintaining security in their organization.
Organizations
ISO – International Organization for Standardization
IEC – International Electrotechnical Commission
BSI – British Standards Institute
BS 7799-2:2002
BS 7799 Part 2 has been updated and was released as ISO/IEC 27001:2005 on October 15th 2005.
The new international version of the standard clarifies and strengthens the requirements of the original British standard, and includes changes to the following areas:
- Risk assessment
- Contractual obligations
- Scope
- Management decisions
- Measuring the effectiveness of selected controls
[Figure: Information Security Management model. Layers shown: Corporate Information Security Policy; Policies / Standards framework; Education & awareness (People); Existing Processes (Processes); Technical Control (Technology); Information Security Risk.]
Information Security Management System - Key Principles based on BS 7799
POLICY
Establish the context
- Define Information Security policy and objectives
- ISMS scope and policy
- Security organization
- Risk identification and assessment
  - Identify risks
  - Analyse risks
  - Evaluate risks
Manage the risk
- Identify and evaluate options for managing the risks
- Select controls and objectives for the treatment and management of risk
- Implement selected controls
- Statement of applicability
Monitor the progress
- Create monitoring rules
- Monitor and review ISMS
Improve ISMS
- Identify improvements in the ISMS and implement them
- Take appropriate corrective and preventive actions
- Communicate and consult (management, stakeholders, users etc.)
ISMS Implementation
• The standard for Information Security Management System (ISMS), BS 7799 (now ISO/IEC 27001:2005), has fast become one of the world's established standards for information security.
• An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure.
• It encompasses people, processes and IT systems.
What is an Information Security Management System (ISMS)?
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure. It encompasses people, processes and IT systems.
What is BS 7799?
BS 7799 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
BS 7799 is organized into 10 sections:
1. Security policy
2. Organization of assets and resources
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
ISO 27001:2005
The present standard has:
- 11 domains
- 39 control objectives
- 133 controls
ISO 27001:2005
The 11 domains are:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
Domain, control obj. & controls – Example
5 Physical and Environmental Security
5.1 Secure Areas
5.1.1 Physical security perimeter
5.1.2 Physical entry controls
5.1.3 Securing offices, rooms and facilities
5.1.4 Protecting against external and environmental threats
5.1.5 Working in secure areas
5.1.6 Public access, delivery and loading areas
5.2 Equipment Security
5.2.1 Equipment siting and protection
5.2.2 Supporting utilities
5.2.3 Cabling security
5.2.4 Equipment maintenance
5.2.5 Security of equipment off-premises
5.2.6 Secure disposal or reuse of equipment
5.2.7 Removal of property
Domain, control obj. & controls - Example
11 Compliance
11.1 Compliance with legal requirements (6 controls)
11.2 Compliance with security standards and technical compliance (2 controls)
11.3 Information systems audit considerations (2 controls)
• Formulation of security requirements and objectives
• To ensure that security risks are cost-effectively managed
• To ensure compliance with laws and regulations
• As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met
• Identification and clarification of existing information security management processes
• To be used by management to determine the status of information security management activities
• To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization
• To provide relevant information about information security policies, directives, standards and procedures to trading partners
• To provide relevant information about information security to customers
Laws and Regulations
- Regulatory requirements
- Establishment
- Organization
- Responsibilities
- Correlation to financial, operational and IT audit functions
Steps to determine compliance with external requirements:
1. Identify external requirements
2. Document pertinent laws and regulations
3. Assess whether management and the IS function have considered the relevant external requirements
4. Review internal IS department documents that address adherence to applicable laws
5. Determine adherence to established procedures
ISACA Standards and Guidelines for IS Auditing
ISACA IS Auditing Standards
ISACA IS Auditing Guidelines
ISACA Code of Professional Ethics
Objectives of ISACA IS Auditing Standards
• Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners
• Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics
Framework for ISACA's Information Systems Auditing Standards:
- Standards
- Guidelines
- Procedures
ISACA IS Auditing Standards
• Audit charter
• Independence
• Professional Ethics and Standards
• Competence
• Planning
• Performance of audit work
• Reporting
• Follow-up activities
• Audit charter
  - Responsibility, authority and accountability
• Independence
  - Professional independence
  - Organizational relationship
• Professional Ethics and Standards
  - Code of Professional Ethics
  - Due professional care
• Competence
  - Skills and knowledge
  - Continuing professional education
• Planning
  - Audit planning
• Performance of audit work
  - Supervision
  - Evidence
• Reporting
  - Report content and form
• Follow-up activities
  - Review previous conclusions and recommendations
  - Review previous relevant findings
  - Determine whether appropriate actions have been implemented on a timely basis
Use of ISACA Guidelines
• Consider the guidelines in determining how to implement the standards
• Use professional judgment in applying these guidelines
• Be able to justify any departure