ISO 27001 & ISMS OVERVIEW & CASE STUDY
Neil Hare-Brown
[email protected]
+44 (0)207 353 9000 www.qccis.com
© Copyright QCC Information Security Ltd. 2008
V1.0a dated 28 Jul 08
ISO 27001:2005 HISTORY
• 1995 – BS 7799 Part 1: guidance only
• 1998 – BS 7799 Part 2: formed and registered as an ISMS system
• 1999 – New issue of BS 7799 Part 1 & 2: guide and standard aligned
• Dec 2000 – BS 7799-1 reviewed and became ISO 17799:2000
• 2002 – BS 7799-2 aligned and revised
• 2005 – New ISO 17799:2005 & ISO 27001:2005 released
• 2007 – ISO 17799:2005 renamed to ISO 27002:2005; no change to the document until the next revision
Where are we now?
• ISO 27000 – Principles & Vocabulary
• ISO 27001 – ISMS Requirements (BS 7799 Part 2)
• ISO 27002 – Controls Guidance (ISO 17799:2005)
• ISO 27003 – ISMS Implementation Guidelines
• ISO 27004 – ISMS Measurements and Metrics (soon)
• ISO 27005 – ISMS Risk Management
• ISO 27006 – Guidelines for Accreditation
The Standard started in 1992, when BSI was approached by certain industry sectors with concerns over potential problems and security issues with ‘electronic systems’. In Sept 1993 the ‘Code of Practice’ was published.
STRATEGIC BENEFITS OF ISO 27001
• Improved effectiveness of Information Security
• Demonstrates Integrity and Trustworthiness
• Ownership by Senior Management
• Corporate Governance & Compliance
• Structured approach
• Global acceptance – International Standard
• Increased Risk Awareness and better Risk Treatment
• Gives an independent review of the ISMS
• Improved marketing image and customer expectation
ISO 27001 Today (number of certificates) – chart
Source: http://www.iso27001certificates.com
MEASUREMENT OF BUSINESS BENEFITS
• Manage risk down
• Provide tangible evidence to auditors
• Streamlined process of monitoring ISMS effectiveness
• Provides a proactive toolset
• Reduction of security incidents over time
• Better root cause analysis of incidents / events
• Users see management support and buy-in
• Increased awareness of information security throughout the organisation
• Improvement in accountability
What is ISO 27001?
• Based on an ISMS that ensures adequate and correct controls are put in place to protect information assets, so the business has confidence in its operations
• Utilises the PLAN, DO, CHECK, ACT cycle of:
  – Establishing
  – Implementing
  – Operating
  – Monitoring
  – Maintaining
  – Improving
• Uses a comprehensive set of controls applicable to all industry sectors
• The emphasis is on prevention
PDCA model applied to the ISMS process (diagram)
Interested parties: information security requirements & expectations (input)
• PLAN – Establish the ISMS
• DO – Implement & operate the ISMS
• CHECK – Monitor & review the ISMS
• ACT – Maintain & improve the ISMS
Interested parties: managed information security (output)
CONTINUAL IMPROVEMENT
PDCA OVERVIEW
• Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with an organization’s overall policies and objectives.
• Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
• Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
• Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
PDCA - KEY AREAS
• The PDCA cycle is an ongoing process; management must continue to support the ISMS through the following key areas of the cycle:
  – Monitor
  – Review
  – Improve
• To achieve compliance on a yearly basis, evidence of the above process must be shown
What does the ISMS include?
• Policies and Standards
• Organisation Structure
• Planning Activities
• Responsibilities
• Practices
• Procedures
• Process
• Resources
• Guidelines
ISMS OVERVIEW (diagram)
Audiences: Executive Team; IT Teams; End Users
Documents: Exco Statement; Security Policy; AUA/EAUA; IS Standards; User Guidelines; Install & Config Guides; Procedures
ISMS DETAILED VIEW / IMPLEMENTATION
Document hierarchy (diagram, running from “High level security knowledge” at the top to “Detailed security knowledge” at the bottom): Executive Security Statement; AUA/EAUA; User Guidelines; Information Security Policy; Information Security Guiding Principles; Security Standards; Security Procedures / Baselines
• Exec Statement – 1 page: High-level security statement defining the Company’s security ethic and posture; will include a statement of support from the CEO
• AUA / EAUA – 3-5 pages: Sign-off statements for users to ensure they comply with specific company security requirements
• IS Policy – 3-5 pages: Summary of the security standards. This is the main document staff will read and sign
• Guidelines – 3-5 pages: Descriptive advisories to improve end user behaviour, e.g. password guides
• Guiding Principles – 50-100+ pages: This is the core and comprehensive security document based on ISO 27001. The document will follow the ISO standard to define all key security requirements
• Standards – 7-15 pages: Expand specific security requirements and controls to what is expected in a specific area
• Procedures / Baselines – 5-10 pages: Define specific steps that must be taken to implement a control. Baselines define the minimum requirement for a system or component
ISO 27001 STANDARD OVERVIEW
The ISO Standard has:
• 11 Sections (A5 – A15)
• 39 Control Objectives
• 133 Controls
ISO 27001:2005 Controls (the 11 sections):
• Security Policy
• Organisation of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems acquisition, development & maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
• Clauses 4 – 8: these are the most important as they are mandatory
CLAUSES 4 - 8
• The five mandatory requirements of the Standard
• Information Security Management System (ISMS)
  – General requirements
  – Establishing and maintaining the ISMS (e.g. Risk Assessment)
  – Documentation requirements (e.g. Policy, Records, Statements, Plans, Controls)
• Management Responsibility
  – Management Commitment (e.g. Chairman’s Statement)
  – Resource Management (e.g. Training, Awareness)
• Internal ISMS Audits
• Management Review of the ISMS
  – Review Input (e.g. Audits, Measurement, Meetings, Recommendations)
  – Review Output (e.g. Update Risk, Treatment Plan, Action Plan)
• ISMS Improvement – this is the most important clause
  – Continual Improvement
  – Corrective Action
  – Preventive Action
CONTROLS
• Annex A of the Standard lists the Control Objectives and Controls
• 11 Sections – A5 – A15
• 39 Control Objectives – each has a detailed summary of the objective of the control
• 133 Controls – each control has a summary of implementation advice
• ISO 27002:2007 gives guidance notes for each control
• The list is not exhaustive and additional controls can be added
• The ISMS process allows you to define which controls are applicable – controls that are not applicable have to be justified
A PERSPECTIVE ON CONTROLS
• Management Controls: Security Policy, IT Policies, Security Procedures, Business Continuity Plans, Security Improvement Plans, Business Objectives, Management Reviews
• Business Processes: Risk Assessment & Risk Treatment Process, Human Resource Management Process, SOA, Selection Process, Media Handling Process
• Operational Controls: Operational Procedures, Change Control, Problem Management, Capacity Management, Release Management, Back-up, Secure Disposal, Equipment off site
• Technical Controls: Patch Management, Malware Control, IDS / IPS Monitoring & Handling, Firewalls, Content Filtering
ACHIEVING COMPLIANCE (OVERVIEW)
• Define the Scope of the Audit (Scoping Study)
• Carry out a GAP analysis of current controls against the ISO Standard control set
• Identify information assets and identify vulnerabilities & threats
• Determine risk and establish a risk treatment plan (Risk Management)
• Prepare the Statement of Applicability and define the security improvement program
• Start to implement the ISMS – Test and Review
• Full Implementation & Rollout – Operate the ISMS
• Audit & Compliance
During the process an initial interview will take place with the BSI auditor; by this stage you should have a good plan and have identified and completed the SoA.
QCC PROCESS TO COMPLIANCE
• Visit Client Site – Initial Scope, NDA, Presentation
• Questionnaire
• Document Gathering
• Statement of Applicability (SoA) / Initial visit by Auditor (Desktop Review)
• Risk Assessment
• GAP Analysis
• Stage 1 – Implementation Framework
• Stage 2 – Project Task Sheet / Project Risk Table
• Stage 3 – Document Update & Control Implementation
• Stage 4 – Operate the ISMS – Monitor, Review, Improve
• Stage 5 – Compliance – Full Audit
Timeframe for completion depends on the organisational state.
IMPLEMENTATION ISSUES
• Documentation development
• Approval
• Dissemination
• Hosting
• On-going Risk Management Plan
• Identification of critical assets / network diagrams
• Risk Assessment / Risk Treatment
• On-going Training, Awareness and Development
• Policy enforcement
• Internal / External assessments
• Continual management support and commitment
• Resources
BSI COMPLIANCE ROUTE
• Stage 1 – Establish an Information Security Management System as identified in ISO 27001.
• Stage 2 – Upon contacting BSI, we will provide an estimate of costs and timescales for formal assessment.
• Stage 3 – Submit a formal application to BSI.
• Stage 4 – BSI will undertake a desk top review of the Risk Assessment, Policy, Scope, Statement of Applicability and Procedures. This will then identify any weaknesses and omissions in your management system that need to be resolved.
• Stage 5 – BSI will then conduct an on-site assessment and make recommendations.
• Stage 6 – On successful completion of the audit, a certificate of registration is issued which clearly identifies the Scope of the Information Security Management System. This certificate remains valid for three years and is supported by routine assessment visits throughout.
CASE STUDY
• Leading UK Law Firm
• Wanted ISO 27001 to:
  – More easily respond to client questionnaires on InfoSec/PII
  – Distinguish themselves from the competition
• 30-day QCC Resource to support the initiative
  – Project Management
  – Applying Perspective and some Coal-Face work
• Client Resource: IT Manager and 2 IT Security staff
• Scope: IT Function
  – Two UK locations
  – Statement of Applicability to reflect appropriately
CASE STUDY - PROBLEMS
• Resources
  – Missing an Information Security Officer
  – Found it hard to dedicate some time to the project
• Documentation development
  – Very few IT processes (related to security) documented
  – Too much in the heads of key staff rather than on paper
• Gap vs Risk Analysis
  – Need to be two distinct sets: no problem with Gap, but why then Risk?
  – Identification of critical assets
• Policies
  – Very basic Policies in place; no structure, no awareness, no enforcement
CASE STUDY - SOLUTIONS
• Resources
  – QCC provided a virtual Information Security Officer
  – Project Management booked solid days out
• Documentation development
  – We assisted with a considerable library BUT it still had to be integrated properly
  – Facilitated meetings to get knowledge written down
• Gap vs Risk Analysis
  – QCC undertook the Gap Analysis
  – Facilitated a Workshop for Risk Analysis (used OCTAVE)
• Policies
  – Arranged meetings with HR to get the Policies on track and officially adopted, disseminated and enforced
OVERVIEW OF EACH CONTROL
• Control A5 – Security Policy: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
• Control A6 – Internal Organisation: To manage and plan information security within the organisation, taking into account the needs of both internal and external parties.
• Control A7 – Asset Management: To deliver appropriate levels of protection and ensure that information receives a level of protection that is appropriate to its needs.
• Control A8 – Human Resource Security: To ensure that staff, during employment, after termination and during change of employment, are part of the information security process.
• Control A9 – Physical & Environmental Security: To secure buildings, locations and equipment in such a way as to prevent unauthorised physical access, damage and interference to the organisation’s assets, premises and information.
• Control A10 – Communications & Operations Management: To ensure that information is treated properly, backed up correctly and handled securely to the highest standards available.
• Control A11 – Access Control: To control access to information, networks and applications, preventing unauthorised access, interference, damage and theft.
• Control A12 – Information Systems Acquisition & Development: To ensure that security is an integral part of the information system, securing applications and files and reducing vulnerabilities.
• Control A13 – Information Security Incident Management: To ensure information security events and weaknesses are communicated consistently in a manner allowing timely corrective action to be taken.
• Control A14 – Business Continuity Management: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption.
• Control A15 – Compliance: To avoid breaches of any law, regulation or contractual obligations. To ensure compliance without adverse effects on Information Security.
Thank You
Neil Hare-Brown MSc CISSP CISA CITP MBCS