Information Security Management Systems (ISMS) By Dr Wafula


Page 1: Information Security Management Systems (ISMS) By Dr Wafula

ISO 27001 and ISO 27002:2005

INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS)

Dr Muliaro J Wafula PhD, FCCS

Page 2:

Aims/objectives

1. Introduction
2. Info security stds
   ◦ Clauses
   ◦ Control objectives
   ◦ Controls
3. ISMS Implementation using PDCA Model

Dr Muliaro-ISMS 2

Page 3:

Information Security (IS): Definition. Why IS?

1. Ensure business continuity
2. Reduce/prevent damage on business
3. Ensure preservation of confidentiality, integrity and availability of info. Also authenticity, accountability, non-repudiation and reliability are enhanced.
4. Interconnection of networks poses risk
5. Trends in distributed computing
6. Participation of customers/employees/stakeholders
7. Marketing of products/services
8. Internal management tool for control & confidence
9. Dependence on info systems, which are vulnerable to IS threats
10. Information, systems & networks are key business assets

Page 4:

Information Security Management System (ISMS)

Definition: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

A management process with 3 key components:
◦ Confidentiality: available to authorized only
◦ Integrity: accurate and complete
◦ Availability: accessible/usable by authorized

Page 5:

Information Types

◦ Internal
◦ Public
◦ Private
◦ Customer/client
◦ Shared etc.

Page 6:

Info security risks

◦ Info theft
◦ Intrusion and subversion of system resources
◦ Denial of services
◦ Loss
◦ Corruption
◦ Masquerade
◦ Paper document

What are the most common IS mistakes made by individuals?

Page 7:

Common IS mistakes

1. Unattended comp. left on
2. Bad password etiquette - no default
3. Laptops stolen
4. Keeping p/words on post-it notes
5. Opening e-mail attachments from strangers
6. Loose talk about p/word in public
7. Getting into a rush & bypassing key security measures
8. Vague knowledge of security policy
9. Non-reporting of security violations
10. Late in updating
11. Check in/out workers' ethics

Page 8:

Selection of Controls

Expenditure on controls needs to be balanced against business harm/risk. Common ones include:

◦ Data protection and privacy of personal information (15.1.4)
◦ Protection of org. records (15.1.3)
◦ Intellectual property rights (15.1.2)
◦ Information security policy document (5.1.1)
◦ Business continuity mgt (14) etc.

Page 9:

ISO 27002:2005

Provides guidance on best practices for ISM. Prime objectives are:

◦ A common basis for organizations
◦ Build confidence in inter-organizational dealings

It defines a set of control objectives, controls and implementation guidance.

Page 10:

ISO 27001:2005

Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented ISMS.

It is designed to ensure adequate security controls to protect info assets, and to document the ISMS.

Applicable for assessment and certification.

Page 11:

Clauses

Clauses 4-8 are mandatory. How would you ensure that management:

◦ is committed to IS?
◦ establishes roles and responsibilities for IS?
◦ provides training, awareness and competency?
◦ carries out review of the ISMS?

Page 12:

PDCA Model: Establishment & Mgmt of ISMS (Plan)

1. Scope and boundaries
2. Policy/objectives
3. Define risk assessment approach
4. Identify risks
5. Analyse and evaluate risks
6. Identify and evaluate options for risk treatment
7. Select control objectives and controls
8. Obtain mgmt approval on residual risk
9. Obtain mgmt authorization to implement and operate the ISMS
10. Prepare statement of applicability

Page 13:

PDCA Model: Implementation & Operation of ISMS (Do)

1. Formulate risk treatment plan
2. Implement risk treatment plan
3. Define how to measure effectiveness of selected controls
4. Implement controls selected to meet control objectives
5. Implement training and awareness
6. Manage operations and resources
7. Implement procedures and other controls

Page 14:

PDCA Model: Monitoring & Reviewing of ISMS (Check)

1. Execute monitoring procedures and other controls
2. Undertake regular reviews of the effectiveness of the ISMS
3. Measure effectiveness of controls
4. Review risk assessments at planned intervals
5. Review level of residual risk and identified acceptable risk
6. Internal ISMS audit/mgmt review
7. Update security plans
8. Record actions and events

Page 15:

PDCA Model: Maintaining & Improving of ISMS (Act)

1. Implement identified improvements
2. Take appropriate corrective and preventive actions
3. Communicate the actions and improvements
4. Ensure improvements achieve intended objectives

Page 16:

ISMS Critical Success Factors

1. Info security policy, objectives, and activities that reflect business objectives
2. An approach and framework to implementing, maintaining, monitoring, and improving IS that is consistent with org. culture
3. Visible support and commitment from all levels of management
4. A good understanding of the information security requirements, risk assessment, and risk management
5. Effective marketing of IS to all managers, employees, and other parties to achieve awareness
6. Distribution of guidance on IS policy and stds to all managers/employees/stakeholders
7. Funding IS management activities
8. Providing appropriate awareness, training, and education
9. Establishment of an effective IS incident mgmt process
10. Implementation of a measurement system for performance in IS mgmt and feedback info for improvement

Page 17:

JKUAT Information Security Policy (JISP)

The specific objectives of information security are to:

◦ Protect information resources from unauthorized access;
◦ Ensure the continuity of systems processing services;
◦ Guarantee the privacy and accuracy of information resources;
◦ Allow proper restoration of the functionality of damaged resources;
◦ Prevent and detect possible threats, violations and security incidents.