Information Security Management Systems

Certification value on IT Governance & Management

Fabrizio Giara ([email protected])

24/10/2012

Copyright © 2012 BSI. All rights reserved.

Who is BSI? – 10 fast facts

• Global independent business services organization
• Founded in 1901
• Standards, assessment, testing, certification, training, software
• No owners/shareholders… all profit reinvested into the business
• #1 certification body in the UK, USA and Korea
• World’s #1 standards body
• 57 offices located around the world
• 64,000 clients in 147 countries
• >2,500 staff and >50% non-UK
• £244.9m revenue in 2011

Agenda

• Main points
• IT Governance
• IT Security (ISO 27000 series – certification to ISO 27001)
• IT Risk Analysis (ISO 27005 – ISO 31000 series)
• ISO 27001 benefits
• Key 27000 series standards
• Trends in Information Risk / Security

IT Governance

• Corporate governance of IT (ISO/IEC 38500:2008 – see picture)
• Business process: ITIL (service delivery and service support) / COBIT (control objectives, audit, with best practices)
• ISMS security: ISO 27000 series (ISO 27001 for certification) (CONFORMANCE – DIRECT)
• IT risk management (ISO 27005 and ISO 31000 series) (EVALUATE)
• Audit: ISO 19011:2011 Guidelines for auditing management systems (MONITOR)

ISO 27001 vs COBIT/ITIL

• ISO 27001 only addresses the selection and management of information security controls; COBIT/ITIL focus on IT governance (service delivery, service support, control objectives, audit guidelines, management guidelines).
• ISO 27001 is interested in:
  • WHAT (requirements)
  • WHY (risk mitigation, risk analysis and risk treatment)
  • WHEN (tasks and schedules, window of vulnerability)
  • WHO (roles and responsibilities)
  • not HOW (that is COBIT/ITIL)

The Importance of Information Security

“Information can have great value as an organisational asset but can become a toxic liability if not handled properly” – Richard Thomas, UK Information Commissioner, 2008

For an organization to succeed, its information must be:
• available when needed
• reliable
• accessible only to those who need it, including customers, suppliers and other key stakeholders…

What ISO/IEC 27001 is not

• ISO/IEC 27001 is not an IT-only standard.
• There are no technology requirements in ISO/IEC 27001, such as a firewall or even the need for a computer.
• There are, however, IT-related controls.

ISO/IEC 27002 Controls

Building a Framework

ISO/IEC 27001:2005 Annex A – Information Security Domains

5  Security policy
6  Organization of information security
7  Asset management
8  Human resources security
9  Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance

Establish the ISMS (Plan)

Define the scope and boundaries of the Information Security Management System (ISMS)

IT risk analysis – ISO 27005 (ISO 31000)

ISO 27001 and ISO 20000-1 certification (from ISO 27013)

Benefits of ISO/IEC 27001 Certification

• Framework that will take account of your legal, regulatory and contractual requirements (see the Compliance domain; connected to Italian D.Lgs. 231/01 to control different information crimes)
• Gives you the ability to demonstrate, and independently assure, the internal controls of your organization (corporate governance)
• Proves that your senior management is committed to the security of your business and your customers’ information
• Helps provide your organization with a competitive advantage
• Gives you “reference” criteria for how to manage the IT system (“ISMS traceability with ISO standards”)
• Increases stakeholder trust in the company’s “risk management” approach

Benefits of ISO/IEC 27001 Certification (continued)

• Formalizes, and independently verifies, your information security processes, procedures and documentation
• Independently verifies that risks to your organization are properly identified and managed
• Demonstrates to your customers that the security of their information is taken seriously
• Risk analysis will be integrated with other management systems (i.e. QMS/EMS/OHSAS), and the monitoring and measurement plan will be the tool to mitigate/control the risk

Product Attractiveness – economically interested areas (sectors rated Low / Medium / High)

• Agriculture, fishing
• Education
• Aerospace
• Chemical products and fibres
• Electricity supply
• Financial
• Health and social work
• Construction
• Food products, beverages and tobacco
• Engineering services
• Gas supply
• Machinery and equipment
• Hotels and restaurants
• Printing companies
• Publishing companies
• Recycling
• Transport, storage and communication
• Shipbuilding
• Water supply
• Wholesale and retail trade
• Information technology
• Nuclear fuel
• Other social services
• Pharmaceuticals
• Post and telecommunications
• Government, local government, public administration and defence

Proven Benefits of 27001

87% of respondents to a recent BSI Erasmus survey stated that implementing ISO/IEC 27001 had a “positive” or “very positive” outcome.

• Increased ability to meet compliance requirements (69%)
• Increased ability to respond to tenders* (43%)
• Increased external customer satisfaction (51%)
• Increased relative competitive position* (43%)
• Decreased number of security incidents (39%)
• Decreased down-time of IT systems (39%)
• ROI and sales increased despite the rise in cost to develop and support IT

* “Although we have only recently gained certification to ISO 27001, there are at least three recent incidences where we have won contracts as a result of certification.”

Key 27000 series standards

• ISO/IEC 27002 - Code of Practice for Information Security Management
  Estimated publication date of revision: 2013 (NOT CERTIFIABLE)
  Establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.

• ISO/IEC 27001 - Requirements for an Information Security Management System
  Estimated publication date of revision: 2013 (CERTIFIABLE)
  Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organization’s overall business risks. It also specifies requirements for the selection and implementation of adequate and proportionate security controls.

ISO/IEC 27000 Series - Published

• ISO/IEC 27000 - Overview and vocabulary (2009)
• ISO/IEC 27001 - Information security management systems – Requirements (2005; revision 2013: today at ISO/IEC CD 27001, with JTC1/SC27 at stage 30.60)
• ISO/IEC 27002 - Code of practice for information security management (2005)
• ISO/IEC 27003 - ISMS implementation guidance (2010)
• ISO/IEC 27004 - Information security management – Measurement (2009)
• ISO/IEC 27005 - Information security risk management (2011)
• ISO/IEC 27006 - Guidance to certification bodies (2007)
• ISO/IEC 27007 - Guidelines for ISMS auditing (2011)
• ISO/IEC 27008 - Guidelines for auditors on information security controls (2011)
• ISO/IEC 27010 - Guidance for inter-sector and inter-organizational communications (2012)
• ISO/IEC 27011 - Guidance to telecommunications (2008)
• ISO/IEC 27031 - Guidelines for ICT readiness for business continuity (2011)
• ISO/IEC 27033-1 - Security techniques, network security (2009)

Other 27000 standards in development

• ISO/IEC 27013 - Guidelines on the integrated implementation of ISO/IEC 27001 & ISO/IEC 20000-1 (2012)
• ISO/IEC 27014 - Governance of information security (2012)
• ISO/IEC 27015 - Information security management guidelines for financial services (2013)
• ISO/IEC 27016 - Information security management – Organizational economics (2014/15)
• ISO/IEC 27017 - Information security in cloud computing (relevant controls in 27001) (2014)
• ISO/IEC 27018 - Information security in cloud computing (relevant controls in 27001 - DP/privacy) (2014)
• ISO/IEC 27032 - Guidelines for cyber-security (2012)
• ISO/IEC 27034 - Guidelines for application security (6-part standard) (2012…)
• ISO/IEC 27036 - Information security for supplier relationships (4-part standard) (2012/13)
• ISO/IEC 27037 - Guidelines for identification, collection, acquisition and preservation of digital evidence (possibly a 4-part standard) (2013/14)
• ISO/IEC 27038 - Specification for digital redaction (2013)
• ISO/IEC 27039 - Selection, deployment and operations of intrusion detection and prevention systems (2013/14)
• ISO/IEC 27040 - Storage security (2014)

Trends in Information Risk / Security

• Government move towards ‘shared services’
• Greater outsourcing / off-shoring
• Cloud computing (“Software as a Service”…). For the cloud area, JTC1 is working on the new ISO/IEC DIS 17826:2011 Cloud Data Management Interface (CDMI™).
• In the cloud area, BSI is working with the Cloud Security Alliance and other primary organisations to consider the control objectives for the new structural cloud architecture (i.e. ISO/IEC WD TS 27017 Information technology – Security techniques – Information security management – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002).
• New ISO 27001 (final version 2013): today at ISO/IEC CD 27001 (JTC1/SC27 is at stage 30.60).
• Convergence of business continuity, resilience and ICT readiness (new ISO 22301 business continuity; on 24 May there was a national presentation in Milan, focused on the business continuity plan (clause 8.4.4) and recovery (clause 8.4.5) of ISO 22301).

Trends in Information Risk / Security (continued)

• Risk analysis will be the tool to manage and control risk (ISO 31000)
• Third-party registration helps to follow the new EU directive in the IT field referring to new technologies (Annex A of ISO 27001)
• PAS 99:2006 Specification of common management system requirements as a framework for integrating management systems (i.e. for ISO/IEC 27001:2005 and ISO/IEC 20000:2005 Information technology - Service management; see ISO 27013)
• Increased use of mobile working / ‘consumerisation’ (“Bring Your Own Device”)
• Growth in use of social media