ISMS Concepts - PowerPoint PPT Presentation

Title: ISMS LA PPTs. Author: Rakesh maheshwari. Company: STQC. Slides: 36.

Transcript and Presenter's Notes

1
Session 1
  • ISMS Concepts
  • Information and Information Security
  • Information Security Management System
  • Purpose of ISMS
  • Process of developing ISMS
  • Characteristics of good ISMS

2
What is Information ?
  • Information is an asset that, like other
    important business assets, is essential to an
    organization's business and consequently needs to
    be suitably protected. (ISO/IEC 27002)
  • Asset: anything that has value to the
    organization
  • Information can exist in many forms:
    • data stored on computers
    • transmitted across networks
    • printed out
    • written on a paper sent by fax
    • stored on disks
    • held on microfilm
    • spoken in conversations over the telephone
    • ...

Whatever form the information takes, or means by
which it is shared or stored, it should always be
appropriately protected throughout its life cycle
3
Some Common Security Concerns to Information Assets
  • High user knowledge of IT systems
  • Theft, sabotage, misuse, hacking
  • Version control problems
  • Systems / network failure
  • Lack of documentation
  • Fire
  • Natural calamities

4
What is needed?
  • Management concerns
    • Market reputation
    • Business continuity
    • Disaster recovery
    • Business loss
    • Loss of confidential data
    • Loss of customer confidence
    • Legal liability
    • Cost of security
  • Security Measures/Controls
    • Technical
    • Procedural
    • Physical
    • Logical
    • Personnel
    • Management

Examples?
5
Information Security
Information Security is about protecting
Information through selection of appropriate
Security Controls
  • protects information from a range of threats
  • ensures business continuity
  • minimizes financial loss
  • maximizes return on investments and business
    opportunities

Information Security IS A BUSINESS ISSUE
6
Objectives of Information Security
  • Preservation of:
    • Confidentiality: ensuring that information is
      available to only those authorised to have access.
    • Integrity: safeguarding the accuracy and
      completeness of information processing methods.
    • Availability: ensuring that information and vital
      services are available to authorized users when
      required.

7
Information Security Model
8
Why ISMS ?
  • Information security that can be achieved through
    technical means is limited
  • Security also depends on people, policies,
    processes and procedures
  • Resources are not unlimited
  • It is not a one-off exercise, but an ongoing
    activity

All these can be addressed effectively and
efficiently only by establishing a proper
Information Security Management System (ISMS)
9
Information Security Management System (ISMS)
  • ISMS is that part of the overall management system,
    based on a business risk approach, used to
    • Establish
    • Implement
    • Operate
    • Monitor
    • Review
    • Maintain
    • Improve
    information security
  • ISMS is a management assurance mechanism for the
    security of information assets concerning their
    • availability
    • integrity and
    • confidentiality

10
Process for developing an ISMS
Diagram (flattened by extraction), flow from requirements to controls:
  • Legal Requirements, Business Requirements, Security Requirements
  • Assets identification & valuation
  • Threats & Vulnerabilities Assessment
  • Risk Assessment
  • Selection of controls (ISO/IEC 27001)
  • Policy, Procedures & Controls of the Information Security Management System
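The slide gives the sequence only as a diagram. The following added example (not from the presentation or from STQC) walks the same sequence in code: identify and value assets, record threat/vulnerability scenarios, score risk, and select controls for risks above a stated appetite, producing a register and a minimal statement of applicability. The 1 to 5 scales, the impact x likelihood formula, the risk appetite, the asset inventory and the control names are all constructed for illustration; ISO/IEC 27001 prescribes no particular scoring method.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """An identified information asset with its business value (impact if lost)."""
    name: str
    owner: str
    value: int  # constructed 1 (low) .. 5 (critical) scale


@dataclass(frozen=True)
class Scenario:
    """A threat acting on a vulnerability of a named asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # constructed 1 (rare) .. 5 (almost certain) scale
    candidate_control: str  # hypothetical control name, not an Annex A reference


def risk_score(asset_value: int, likelihood: int) -> int:
    """Risk = impact x likelihood on the constructed 1..5 scales (max 25)."""
    for v in (asset_value, likelihood):
        if not 1 <= v <= 5:
            raise ValueError(f"scale values must be 1..5, got {v}")
    return asset_value * likelihood


def assess(assets, scenarios, appetite: int):
    """Build a risk register: one row per scenario, highest risk first.
    Risks strictly above the appetite are marked for reduction by the
    candidate control; the rest are accepted. A scenario naming an asset
    missing from the inventory is an error: asset identification comes first."""
    inventory = {a.name: a for a in assets}
    register = []
    for s in scenarios:
        if s.asset not in inventory:
            raise KeyError(f"scenario refers to unidentified asset: {s.asset!r}")
        asset = inventory[s.asset]
        score = risk_score(asset.value, s.likelihood)
        treat = score > appetite
        register.append({
            "asset": asset.name,
            "owner": asset.owner,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "risk": score,
            "treatment": "reduce" if treat else "accept",
            "control": s.candidate_control if treat else None,
        })
    register.sort(key=lambda row: row["risk"], reverse=True)  # stable sort
    return register


def statement_of_applicability(register):
    """Map each selected control to the (asset, threat) pairs that justify it."""
    soa = {}
    for row in register:
        if row["control"] is not None:
            soa.setdefault(row["control"], []).append((row["asset"], row["threat"]))
    return soa


# Constructed sample inventory and scenarios (not taken from the slides).
ASSETS = [
    Asset("customer database", "Head of Sales", 5),
    Asset("office printouts", "Facilities Manager", 2),
    Asset("fax line", "Office Administrator", 1),
]
SCENARIOS = [
    Scenario("customer database", "theft of data", "no encryption at rest", 3,
             "encrypt database at rest"),
    Scenario("customer database", "fire", "single site, no off-site backup", 2,
             "off-site backup and restore procedure"),
    Scenario("office printouts", "misuse", "printouts left on desks", 4,
             "clear desk policy"),
    Scenario("fax line", "eavesdropping", "unencrypted analogue line", 2,
             "replace fax with encrypted transfer"),
]
RISK_APPETITE = 8  # constructed: risks strictly above this must be treated


if __name__ == "__main__":
    for row in assess(ASSETS, SCENARIOS, RISK_APPETITE):
        print(f"{row['risk']:>2}  {row['asset']:<18} {row['threat']:<16} "
              f"{row['treatment']:<7} {row['control'] or ''}")
```

Running the module prints the register in descending risk order; the two customer-database scenarios exceed the appetite and pull their controls into the statement of applicability, while the printout and fax scenarios are accepted and documented as such. The point the slide makes is that control selection is an output of the assessment, not its starting point, which is why `statement_of_applicability` is derived from the register rather than written first.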
11
Characteristics of a good ISMS
Diagram (flattened by extraction): the event chain Threat, Incident,
Damage, with an ISMS measure at each stage:
  • Prevention / Reduction (acting on the threat)
  • Detection and Repression (acting on the incident)
  • Correction and Recovery (acting on the damage)
  • Evaluation (feeding back into the cycle)
12
ISMS Standards
  • ISO/IEC 27001:2005
    • A specification (specifies requirements for
      implementing, operating, monitoring, reviewing,
      maintaining & improving a documented ISMS)
    • Specifies the requirements for implementing
      security controls, customised to the needs of an
      individual organisation or part thereof.
    • Used as a basis for certification
  • ISO/IEC 27002:2005 (originally ISO/IEC
    17799:2005)
    • A code of practice for information security
      management
    • Provides best practice guidance
    • Use as required within your business
    • Not for certification

Both ISO 27001 and ISO 27002 security control
clauses are fully harmonized
13
ISMS family of Standards Relationship
Status as on 31st March, 2010
14
Other Related Standards
  • ISO/IEC TR 18044:2004
    • IT Security techniques: Information security
      incident management
  • ISO/IEC 17021
    • Conformity assessment: Requirements for bodies
      providing audit and certification of management
      systems
  • ISO/IEC 19011:2002
    • Guidelines for management system auditing

15
PDCA Model applied to ISMS Processes
Diagram (Development, Maintenance and Improvement Cycle):
  • Input: Interested Parties, Information Security Requirements & Expectations
  • Plan: Establish ISMS
  • Do: Implement & Operate ISMS
  • Check: Monitor & Review ISMS
  • Act: Maintain & Improve ISMS
  • Output: Interested Parties, Managed Information Security
16
ISO 27001 Structure
  1. Scope
  2. Normative References
  3. Terms & Definitions
  4. Information Security Management System
     4.1 General
     4.2 Establish and manage ISMS
     4.3 Documentation
         4.3.3 Control of Records
  5. Management Responsibility
     5.1 Management Commitment
     5.2 Resource Management
  6. Internal ISMS Audits
  7. Management Review of the ISMS
  8. ISMS Improvement
     8.1 Continual Improvement
     8.2 Corrective Actions
     8.3 Preventive Actions
  Annexure A, B & C
17
ISMS process framework requirements
ISO 27001 Clause 4-8
18
ISMS process framework requirements
  • 4. Information Security Management System
  • 4.2 Establishing and managing the ISMS
  • 4.3 Documentation requirements
  • 5. Management Responsibility
  • 6. Internal ISMS Audits
  • 7. Management Review of the ISMS
  • 8. ISMS Improvements

Why conduct Internal Audits? Who conducts
Internal Audits?
What is the difference between Corrective Action
and Preventive Action?
19
ISMS control requirements
  • Annexure A: Control objectives & controls

20
ISO 27001 Control Objectives and Controls
Diagram (flattened by extraction): 11 Domains contain 39 Control
Objectives, supported by 133 Controls; the controls satisfy the
objectives, and the objectives specify requirements.
21
Structure of Annexure-A
22
ISO 27002 Structure
  • 1 introductory clause on Risk Assessment and
    Treatment.
  • 11 security control clauses (fully harmonised
    with ISO 27001)
  • 39 main security categories, each containing
    • a control objective and
    • one or more controls to support achievement of
      the control objective
  • Control descriptions, each containing
    • Control statement
    • Implementation guidance
    • Other information

23
Session 05
  • ISMS Implementation, Documentation,
    Maintenance & Improvement
  • Action plan for ISMS implementation
  • Activities in establishing, implementing,
    monitoring and improving ISMS
  • Documentation requirements of ISMS

24
Preparation & Implementation
  • Management Decision & Continued Commitment
  • Study ISO 27001:2005
  • Establish ISMS Framework
  • Establish Security Organization, Responsibility
    & Infrastructure
    • Designate Chief Information Security Officer
    • Establish Security Forum
    • Encourage Participation by All
  • Develop Inventory of Assets
  • Gap Analysis / Status Appraisal
  • Establish ISMS
  • Document
  • Create Awareness - Provide Training(s) as needed
  • Implement
  • Monitor
    • Technical Compliance
    • Internal ISMS Audits
    • Management Review
  • Update & Continually Improve

25
Establishing and Managing ISMS
  1. Establish ISMS (PLAN)
  2. Implement ISMS (DO)
  3. Monitor and review ISMS (CHECK)
  4. Maintain & Improve ISMS (ACT)

The participants, in four groups, are to identify
the various activities under PLAN, DO, CHECK and
ACT. Preparation time: 10 min.
26
ISMS Documentation
  • Why documentation?
  • What needs to be documented?
  • What are the mandatory procedures required by ISO
    27001?

Documents and records can be in any form or type
of medium
27
Typical ISMS Document Classification
  • Security Policy Manual
    • Summary of the management framework, including the
      information security policy and the control
      objectives and implemented controls given in the
      statement of applicability.
  • Procedures
    • Procedures adopted to implement the controls
      required.
  • Operational Documents
    • Explain details of specific tasks or activities.
  • Records
    • Evidence of activities carried out.

28
Extent of Documentation
29
Session 11
  • Certification Industry Process
  • Certification Process
  • ISMS certification and Legal compliance

30
Certification Process
  • Application
  • Application Fee
  • Supporting Documents
  • Cursory Evaluation
  • Adequacy Assessment
  • Stage 1 Audit
  • Stage 2 Audit
  • Certification
  • Maintenance of Certification
  • Other Aspects
    • Renewal
    • Modification to Scope of Certification
    • Suspension/Withdrawal/Cancellation
    • Appeals & Complaints

31
Basic Requirements for Certification - 1
Evidence of creation of ISMS through system
requirements
  • Information Security Policy
  • Scope Statement
  • Risk Assessment
  • Statement of Applicability
  • The Management System

32
Basic Requirements for Certification - 2
Evidence of operation of Management controls
  • Management Review
  • Various forms of system review
  • Document management
  • Records Management
  • Existence of essential controls
  • Implementation effectiveness of controls
    selected as applicable

33
Maintenance of Certification
  • Surveillance Audits
    • The purpose of surveillance is
      • to verify that the approved ISMS continues to be
        implemented,
      • to consider the implications of changes to that
        system initiated as a result of changes in the
        client organization's operation, and
      • to confirm continued compliance with
        certification requirements.
    • Surveillance programs should normally cover
      • the system maintenance elements, which are
        internal ISMS audit, management review and
        preventive and corrective action
      • changes to the documented system
      • areas subject to change
      • selected elements of ISO/IEC 27001
      • other selected areas as appropriate.

34
ISMS Certification vs Legal Compliance
  • ISMS certification is a voluntary certification
    and is not a substitute for compliance with legal
    requirements. Compliance with ISO 27001 does not
    in itself confer immunity from legal obligations.
  • The maintenance and evaluation of legal and
    regulatory compliance is the responsibility of
    the client organization.
  • The certification body shall restrict itself to
    checks and samples in order to establish
    confidence that the ISMS functions in this
    regard.
  • The certification body shall verify that the
    client organization has a management system to
    achieve legal and regulatory compliance
    applicable to the information security risks and
    impacts.

35
Benefits of ISO 27001 Certification
  • An internationally recognized structured
    methodology
  • A single reference point for identifying a range
    of controls needed for most situations where
    information systems are used
  • A defined process to evaluate, implement,
    maintain and manage information security
  • The standard provides a yardstick against which
    security can be judged
  • A set of tailored policy, standards, procedures
    and guidelines
  • Facilitation of trade in a trusted environment

36
4. Information Security Management System
  • 4.1 General
  • 4.2 Establishing and managing the ISMS
    • Establish
    • Implement and Operate
    • Monitor and Review
    • Maintain and Improve
  • 4.3 Documentation requirements
    • 4.3.2 Control of documents
    • 4.3.3 Control of records