ISO & ISMS OVERVIEW & CASE STUDY

ISO 27001 & ISMS OVERVIEW & CASE STUDY

Neil Hare-Brown
[email protected]
+44 (0)207 353 9000
www.qccis.com
© Copyright QCC Information Security Ltd. 2008

V1.0a dated 28 Jul 08

ISO 27001:2005 HISTORY

• 2007: ISO 17799:2005 renamed to ISO 27002:2005; no change to the document until the next revision
• 2005: New ISO 17799:2005 & ISO 27001:2005 released
• 2002: BS 7799-2 aligned and revised
• Dec 2000: BS 7799-1 reviewed and became ISO 17799:2000
• 1999: New issue of BS 7799 Part 1 & 2; guide and standard aligned
• 1998: BS 7799 Part 2 formed and registered as an ISMS system
• 1995: BS 7799 Part 1, guidance only

Where are we now?

• ISO 27000 – Principles & Vocabulary
• ISO 27001 – ISMS Requirements (BS 7799 Part 2)
• ISO 27002 – Controls Guidance (ISO 17799:2005)
• ISO 27003 – ISMS Implementation Guidelines
• ISO 27004 – ISMS Measurements and Metrics (soon)
• ISO 27005 – ISMS Risk Management
• ISO 27006 – Guidelines for Accreditation

The Standard started in 1992, when BSI was approached by certain industry sectors with concerns over potential problems and security issues with ‘electronic systems’. In Sept 1993 the ‘Code of Practice’ was published.

STRATEGIC BENEFITS OF ISO 27001

• Improved effectiveness of Information Security
• Demonstrates Integrity and Trustworthiness
• Ownership by Senior Management
• Corporate Governance & Compliance
• Structured approach
• Global acceptance – International Standard
• Increased Risk Awareness and better Risk Treatment
• Gives an independent review of the ISMS
• Improved marketing image and customer expectation

ISO 27001 Today (number of certificates)

(chart of certificate numbers)

Source: http://www.iso27001certificates.com

MEASUREMENT OF BUSINESS BENEFITS

• Manage risk down
• Provide tangible evidence to auditors
• Streamlined process of monitoring ISMS effectiveness
• Provides a proactive toolset
• Reduction of security incidents over time
• Better root cause analysis of incidents / events
• Users see management support and buy-in
• Increased awareness of information security throughout the organisation
• Improvement in accountability

What is ISO 27001

• Based on an ISMS that establishes that adequate and correct controls are put in place to protect information assets, so the business has confidence in its operations
• Utilises the PLAN, DO, CHECK, ACT cycle of:
  • Establishing
  • Implementing
  • Operating
  • Monitoring
  • Maintaining
  • Improving
• Uses a comprehensive set of controls applicable to all industry sectors
• The emphasis is on prevention

PDCA model applied to the ISMS process

(diagram) Interested Parties, with their information security requirements & expectations, feed into the cycle: PLAN – Establish the ISMS; DO – Implement & operate the ISMS; CHECK – Monitor & review the ISMS; ACT – Maintain & improve the ISMS. The cycle runs under CONTINUAL IMPROVEMENT and delivers managed information security back to the Interested Parties.

PDCA OVERVIEW

• Plan (establish the ISMS)
  • Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with an organization’s overall policies and objectives.
• Do (implement and operate the ISMS)
  • Implement and operate the ISMS policy, controls, processes and procedures.
• Check (monitor and review the ISMS)
  • Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
• Act (maintain and improve the ISMS)
  • Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

PDCA - KEY AREAS

• The PDCA cycle is an ongoing process; management must continue to support the ISMS through the following key areas of the cycle:
  • Monitor
  • Review
  • Improve
• To achieve compliance on a yearly basis, evidence of the above process must be shown

What does the ISMS include?

• Policies and Standards
• Organisation Structure
• Planning Activities
• Responsibilities
• Practices
• Procedures
• Process
• Resources
• Guidelines

ISMS OVERVIEW

(diagram of audiences and the documents aimed at them)
• Executive Team – Exco Statement
• Security Policy
• AUA/EAUA
• IS Standards – IT Teams
• End Users – User Guidelines
• Install & Config Guides
• Procedures

ISMS DETAILED VIEW / IMPLEMENTATION

(diagram) High level security knowledge: the Executive Security Statement, the AUA/EAUA, the User Guidelines and the Information Security Policy. Detailed security knowledge: the Information Security Guiding Principles, beneath which sit the Security Standards, each supported by its Security Procedures / Baselines.

• Exec Statement – 1 page. High level security statement defining the Company’s security ethic and posture; will include a statement of support from the CEO.
• AUA / EAUA – 3-5 pages. Sign-off statements for users to ensure they comply with specific company security requirements.
• IS Policy – 3-5 pages. Summary of the security standards. This is the main document staff will read and sign.
• Guidelines – 3-5 pages. Descriptive advisories to improve end user behaviour, e.g. password guides.
• Guiding Principles – 50-100+ pages. This is the core and comprehensive security document based on ISO 27001. The document will follow the ISO standard to define all key security requirements.
• Standards – 7-15 pages. Expand specific security requirements and controls to what is expected in a specific area.
• Procedures / Baselines – 5-10 pages. Define specific steps that must be taken to implement a control. Baselines define the minimum requirement for a system or component.

ISO 27001 STANDARD OVERVIEW

The ISO Standard has:
• 11 Sections (A5 – A15)
• 39 Control Objectives
• 133 Controls

ISO 27001:2005 Controls (diagram): Security Policy; Organisation of Information Security; Asset Management; Human Resources Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Information Systems Acquisition, Development & Maintenance; Information Security Incident Management; Business Continuity Management; Compliance.

• Clauses 4 – 8: these are the most important as they are mandatory

CLAUSES 4 - 8

• The five mandatory requirements of the Standard:
• Information Security Management System (ISMS)
  • General requirements
  • Establishing and maintaining the ISMS (e.g. Risk Assessment)
  • Documentation requirements (e.g. Policy, Records, Statements, Plans, Controls)
• Management Responsibility
  • Management Commitment (e.g. Chairman’s Statement)
  • Resource Management (e.g. Training, Awareness)
• Internal ISMS Audits
• Management Review of the ISMS
  • Review Input (e.g. Audits, Measurement, Meetings, Recommendations)
  • Review Output (e.g. Update Risk, Treatment Plan, Action Plan)
• ISMS Improvement – this is the most important clause
  • Continual Improvement
  • Corrective Action
  • Preventive Action

CONTROLS

• Annex A of the Standard lists the Control Objectives and Controls
• 11 Sections – A5 – A15
• 39 Control Objectives – each has a detailed summary of the objective of the control
• 133 Controls – each control has a summary of implementation advice
• ISO 27002:2005 gives guidance notes for each control
• The list is not exhaustive and additional controls can be added
• The ISMS process allows you to define which controls are applicable – controls that are not applicable have to be justified.

A PERSPECTIVE ON CONTROLS

• Management Controls: Security Policy, IT Policies, Security Procedures, Business Continuity Plans, Security Improvement Plans, Business Objectives, Management Reviews
• Business Processes: Risk Assessment & Risk Treatment Management Process, Human Resource Process, SOA Selection Process, Media Handling Process
• Operational Controls: Operational Procedures, Change Control, Problem Management, Capacity Management, Release Management, Back-up, Secure Disposal, Equipment off site
• Technical Controls: Patch Management, Malware Control, IDS / IPS Monitoring & Handling, Firewalls, Content Filtering

ACHIEVING COMPLIANCE (OVERVIEW)

• Define the Scope of the Audit (Scoping Study)
• Carry out GAP analysis of current controls against the ISO Standard control set
• Identify information assets & identify vulnerabilities & threats
• Determine risk and establish risk treatment plan (Risk Management)
• Prepare Statement of Applicability and define security improvement program
• Start to implement the ISMS – Test and Review
• Full Implementation & Rollout – Operate the ISMS
• Audit & Compliance

During the process an initial interview will take place with the BSI auditor – by this stage you should have a good plan and have identified and completed the SoA.

QCC PROCESS TO COMPLIANCE

• Visit Client Site – Initial Scope, NDA, Presentation
• Questionnaire
• Document Gathering
• Statement of Applicability (SoA) / Initial visit by Auditor (Desktop Review)
• Risk Assessment
• GAP Analysis
• Stage 1 – Implementation Framework
• Stage 2 – Project Task Sheet / Project Risk Table
• Stage 3 – Document Update & Control Implementation
• Stage 4 – Operate the ISMS – Monitor, Review, Improve
• Stage 5 – Compliance – Full Audit

Timeframe for completion depends on the organisational state.

IMPLEMENTATION ISSUES

• Documentation development
• Approval
• Dissemination
• Hosting
• On-going Risk Management Plan
• Identification of critical assets / network diagrams
• Risk Assessment / Risk Treatment
• On-going Training, Awareness and Development
• Policy enforcement
• Internal / External assessments
• Continual management support and commitment
• Resources

BSI COMPLIANCE ROUTE

• Stage 1 – Establish an Information Security Management System as identified in ISO 27001.
• Stage 2 – Upon contacting BSI, we will provide an estimate of costs and timescales for formal assessment.
• Stage 3 – Submit a formal application to BSI.
• Stage 4 – BSI will undertake a desk top review of the Risk Assessment, Policy, Scope, Statement of Applicability and Procedures. This will then identify any weaknesses and omissions in your management system that need to be resolved.
• Stage 5 – BSI will then conduct an on-site assessment and make recommendations.
• Stage 6 – On successful completion of the audit, a certificate of registration is issued which clearly identifies the Scope of the Information Security Management System. This certificate remains valid for three years and is supported by routine assessment visits throughout.

CASE STUDY

• Leading UK Law Firm
• Wanted ISO 27001 to:
  • More easily respond to client questionnaires on InfoSec/PII
  • Distinguish themselves from the competition
• 30-day QCC resource to support the initiative
  • Project Management
  • Applying perspective and some coal-face work
• Client resource: IT Manager and 2 IT Security staff
• Scope: IT function
  • Two UK locations
  • Statement of Applicability to reflect appropriately

CASE STUDY - PROBLEMS

• Resources
  • Missing an Information Security Officer
  • Found it hard to dedicate some time to the project
• Documentation development
  • Very few IT processes (related to security) documented.
  • Too much in the heads of key staff rather than on paper
• Gap vs Risk Analysis
  • Need to be two distinct sets: no problem with Gap, but why then Risk???
  • Identification of critical assets
• Policies
  • Very basic Policies in place; no structure, no awareness, no enforcement

CASE STUDY - SOLUTIONS

• Resources
  • QCC provided a virtual Information Security Officer
  • Project Management booked solid days out
• Documentation development
  • We assisted with a considerable library BUT it still had to be integrated properly.
  • Facilitated meetings to get knowledge written down
• Gap vs Risk Analysis
  • QCC undertook Gap Analysis
  • Facilitated a Workshop for Risk Analysis (used OCTAVE)
• Policies
  • Arranged meetings with HR to get the Policies on track and officially adopted, disseminated and enforced

OVERVIEW OF EACH CONTROL

• Control A5 – Security Policy: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
• Control A6 – Internal Organisation: To manage and plan information security within the organisation, taking into account the needs of both internal and external parties.
• Control A7 – Asset Management: To deliver appropriate levels of protection and ensure that information receives a level of protection that is appropriate to its needs.
• Control A8 – Human Resource Security: To ensure that staff, during employment, after termination and during change of employment, are part of the information security process.

OVERVIEW OF EACH CONTROL

• Control A9 – Physical & Environmental Security: To secure buildings, locations and equipment in such a way as to prevent unauthorised physical access, damage and interference to the organisation’s assets, premises and information.
• Control A10 – Communications & Operations Management: To ensure that information is treated properly, backed up correctly and handled securely to the highest standards available.
• Control A11 – Access Control: To control access to information, networks, and applications. Preventing unauthorised access, interference, damage and theft.
• Control A12 – Information Systems Acquisition & Development: To ensure that security is an integral part of the information system. Securing applications, files and reducing vulnerabilities.

OVERVIEW OF EACH CONTROL

• Control A13 – Information Security Incident Management: To ensure information security events and weaknesses are communicated consistently in a manner allowing timely corrective action to be taken.
• Control A14 – Business Continuity Management: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption.
• Control A15 – Compliance: To avoid breaches of any law, regulation or contractual obligations. To ensure compliance without adverse effects on Information Security.

Thank You

Neil Hare-Brown MSc CISSP CISA CITP MBCS
[email protected]
+44 (0)207 353 9000
www.qccis.com
© Copyright QCC Information Security Ltd. 2008

V1.0a dated 28 Jul 08