Information Security Management Systems
Certification value on IT Governance & Management
Fabrizio Giara ([email protected])
24/10/2012
Copyright © 2012 BSI. All rights reserved.
Who is BSI? – 10 fast facts
• Global independent business services organization
• Founded in 1901
• Standards, assessment, testing, certification, training, software
• No owners/shareholders… all profit reinvested into the business
• #1 certification body in the UK, USA and Korea
• World’s #1 Standards Body
• 57 offices located around the world
• 64,000 clients in 147 countries
• >2,500 staff and >50% non-UK
• £244.9m revenue in 2011
Agenda
• Main points
• IT Governance
• IT Security (ISO 27000 series; certification against ISO 27001)
• IT Risk Analysis (ISO 27005 and the ISO 31000 series)
• ISO 27001 benefits
• Key 27000 series standards
• Trends in Information Risk / Security
IT Governance
• Corporate governance of IT (ISO/IEC 38500:2008 – see picture)
• Business process: ITIL (service delivery and service support) and COBIT (control objectives, audit), with best practices
• ISMS security: ISO 27000 series (ISO 27001 for certification) (CONFORMANCE – DIRECT)
• IT risk management (ISO 27005 and the ISO 31000 series) (EVALUATE)
• Audit: ISO 19011:2011 Guidelines for auditing management systems (MONITOR)
ISO 27001 vs COBIT/ITIL
• ISO 27001 only addresses the selection and management of information security controls; COBIT/ITIL focus on IT governance (service delivery, service support, control objectives, audit guidelines, management guidelines).
• ISO 27001 is interested in:
  • WHAT (requirements)
  • WHY (risk mitigation, risk analysis and risk treatment)
  • WHEN (tasks and schedules, window of vulnerability)
  • WHO (roles and responsibilities)
  • not HOW (that is the domain of COBIT/ITIL)
The Importance of Information Security
“Information can have great value as an organisational asset but can become a toxic liability if not handled properly”
Richard Thomas, UK Information Commissioner, 2008
For an organization to succeed, its information must be:
• available when needed
• reliable
• accessible only to those who need it
including customers, suppliers and other key stakeholders…
What ISO/IEC 27001 is not
• ISO/IEC 27001 is not an IT-only standard.
• There are no technology requirements in ISO/IEC 27001, such as a firewall or even the need for a computer.
• There are, however, IT-related controls.
ISO/IEC 27002 Controls

Building a Framework
ISO/IEC 27001:2005 Annex A – Information Security Domains
• A.5 Security policy
• A.6 Organization of information security
• A.7 Asset management
• A.8 Human resources security
• A.9 Physical and environmental security
• A.10 Communications and operations management
• A.11 Access control
• A.12 Information systems acquisition, development and maintenance
• A.13 Information security incident management
• A.14 Business continuity management
• A.15 Compliance
Establish the ISMS (Plan)
Define the scope and boundaries of the Information Security Management System (ISMS)
IT risk analysis (ISO 27005, ISO 31000)

ISO 27001 and ISO 20000-1 certification (from ISO 27013)
Benefits of ISO/IEC 27001 Certification
• Provides a framework that takes account of your legal, regulatory and contractual requirements (see the related domain, connected to Dlgs 231/01 for controlling different information crimes)
• Gives you the ability to demonstrate, and independently assure, the internal controls of your organization (corporate governance)
• Proves that your senior management are committed to the security of your business and your customers’ information
• Helps provide your organization with a competitive advantage
• Gives you “reference” criteria for how to manage the IT system (“ISMS traceability with ISO standards”)
• Increases stakeholder trust in the company’s “management of risk” approach
Benefits of ISO/IEC 27001 Certification
• Formalizes, and independently verifies, your information security processes, procedures and documentation
• Independently verifies that risks to your organization are properly identified and managed
• Demonstrates to your customers that the security of their information is taken seriously
• Risk analysis is integrated with the other management systems (i.e. QMS/EMS/OHSAS), and the monitoring and measurement plan becomes the tool to mitigate and control the risk
Product Attractiveness – Economic areas of interest

Low:
• Agriculture, fishing
• Chemical products and fibres
• Construction
• Food products, beverages and tobacco
• Machinery and equipment
• Printing companies
• Publishing companies
• Recycling
• Shipbuilding
• Wholesale and retail trade

Medium:
• Education
• Electricity Supply
• Engineering services
• Gas Supply
• Hotels and restaurants
• Transport, storage and communication
• Water Supply

High:
• Aerospace
• Financial
• Health and social work
• Information Technology
• Nuclear fuel
• Other social services
• Pharmaceuticals
• Post and Telecommunications
• Government, Local Government, Public administration and defence
Proven Benefits of 27001
87% of respondents to a recent BSI Erasmus survey stated that implementing ISO/IEC 27001 had a “positive” or “very positive” outcome.
• Increased ability to meet compliance requirements (69%)
• Increased ability to respond to tenders* (43%)
• Increased external customer satisfaction (51%)
• Increased relative competitive position* (43%)
• Decreased number of security incidents (39%)
• Decreased down-time of IT systems (39%)
• ROI and sales increased despite the rise in cost to develop and support IT
* “Although we have only recently gained certification to ISO 27001, there are at least three recent incidences where we have won contracts as a result of certification.”
Key 27000 series standards
• ISO/IEC 27002 - Code of Practice for Information Security Management
  Estimated publication date of revision: 2013 (NOT CERTIFIABLE)
  Establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.
• ISO/IEC 27001 - Requirements for an Information Security Management System
  Estimated publication date of revision: 2013 (CERTIFIABLE)
  Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organization’s overall business risks. It also specifies requirements for the selection and implementation of adequate and proportionate security controls.
ISO/IEC 27000 Series - Published
• ISO/IEC 27000 - Overview and vocabulary (2009)
• ISO/IEC 27001 - Information security management systems – Requirements (2005; revision 2013: today at ISO/IEC CD 27001, with JTC1/SC27 in stage 30.60)
• ISO/IEC 27002 - Code of practice for information security management (2005)
• ISO/IEC 27003 - ISMS implementation guidance (2010)
• ISO/IEC 27004 - Information security management - Measurement (2009)
• ISO/IEC 27005 - Information security risk management (2011)
• ISO/IEC 27006 - Guidance to certification bodies (2007)
• ISO/IEC 27007 - Guidelines for ISMS auditing (2011)
• ISO/IEC 27008 - Guidelines for auditors on information security controls (2011)
• ISO/IEC 27010 - Guidance for inter-sector and inter-organizational communications (2012)
• ISO/IEC 27011 - Guidance to telecommunications (2008)
• ISO/IEC 27031 - Guidelines for ICT readiness for business continuity (2011)
• ISO/IEC 27033-1 - Security techniques, Network security (2009)
Other 27000 standards in development
• ISO/IEC 27013 - Guidelines on the integrated implementation of ISO/IEC 27001 & ISO/IEC 20000-1 (2012)
• ISO/IEC 27014 - Governance of information security (2012)
• ISO/IEC 27015 - Information security management guidelines for financial services (2013)
• ISO/IEC 27016 - Information security management – Organizational economics (2014/15)
• ISO/IEC 27017 - Information security in cloud computing (relevant controls in 27001) (2014)
• ISO/IEC 27018 - Information security in cloud computing (relevant controls in 27001 - DP/Privacy) (2014)
• ISO/IEC 27032 - Guidelines for cyber-security (2012)
• ISO/IEC 27034 - Guidelines for application security (6-part standard) (2012…)
• ISO/IEC 27036 - Information security for supplier relationships (4-part standard) (2012/13)
• ISO/IEC 27037 - Guidelines for identification, collection, acquisition and preservation of digital evidence (possibly a 4-part standard) (2013/14)
• ISO/IEC 27038 - Specification for digital redaction (2013)
• ISO/IEC 27039 - Selection, deployment and operations of intrusion detection and prevention systems (2013/14)
• ISO/IEC 27040 - Storage security (2014)
Trends in Information Risk / Security
• Government move towards ‘shared services’
• Greater outsourcing / off-shoring
• Cloud Computing (“Software as a Service”…). For the cloud area, JTC1 is working on the new ISO/IEC DIS 17826:2011 Cloud Data Management Interface (CDMI™).
• In the cloud area, BSI is working with the Cloud Security Alliance and other primary organisations to consider the control objectives for the new cloud architecture (i.e. ISO/IEC WD TS 27017 Information technology – Security techniques – Information security management – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002).
• The new ISO 27001 (final version 2013) is today at ISO/IEC CD 27001 (JTC1/SC27 is in stage 30.60).
• Convergence of business continuity, resilience and ICT readiness (new ISO 22301 on business continuity; on 24 May there was a national presentation in Milan, focused on the business continuity plan (clause 8.4.4) and recovery (clause 8.4.5) of ISO 22301).
Trends in Information Risk / Security
• Risk analysis will be the tool to manage and control the risk (ISO 31000)
• Third-party registration helps to follow the new EU directive in the IT field referring to new technologies (Annex A of ISO 27001)
• PAS 99:2006 Specification of common management system requirements as a framework for integrating management systems (i.e. for ISO/IEC 27001:05 and ISO/IEC 20000:05 Information technology – Service management; see ISO 27013)
• Increased use of mobile working / ‘consumerisation’ (“Bring Your Own Device”)
• Growth in use of social media