Transcript of: an introduction to the ISO/IEC 27000 family of standards (ISACA-OC ISMS-101, 2008-03-04, v1)
© Zygma LLC 2008
a briefing to ISACA – Orange County Chapter
an introduction to the ISO/IEC 27000 family of standards
2008-03-04 – Richard G. WILSHER
CEO, Zygma LLC
about Zygma
Σ Independent information security consultancy
Σ Est. 1993 (UK) – US since 2003
Σ Specializing in:
  ISMS implementation and audit
  FISMA
  PKI
  Assurance frameworks
  Standards development
what is ‘ISMS’?
Σ Information Security Management System – part of an enterprise’s internal controls
Σ Widely accepted best practice in infosec
Σ International standard
Σ ISO/IEC 27001:2005 (we’ll call it ISMS)
Σ The matriarch of a family
international ISMS standardisation
[diagram: past → present]
  Code of practice: BS 7799-1 → ISO/IEC 17799:2000 → ISO/IEC 17799:2005 → ISO/IEC 27002
  Management standard: BS 7799-2 → ISO/IEC 27001:2005
Σ Produced by ISO & IEC, edited by ISO JTC1/SC27
the 27000 family
Σ Covers:
  27000 – Terminology & overview (3CD)
  27001 – Requirements for an ISMS (pub. 2005)
  27002 – ‘Best practice’ controls (pub. 2005), a.k.a. 17799
  27003 – Guidance for implementation (4WD)
  27004 – Measurement (metrics) (2CD)
  27005 – Risk management (FCD)
  27006 – Requirements for accreditation of certification bodies (pub. 2007)
  27007 – Auditor guidelines (NP)
  270xx – Domain-specific guidance (various)
  (ISO drafting stages: NP = new work item proposal, WD = working draft, CD = committee draft, FCD = final committee draft; the leading digit is the draft iteration)
principles of ISO/IEC 27001
• Scope
• Policy
• Risk Assessment (RA)
• Risk Treatment Plan (RTP)
• Statement of Applicability (SoA)
• Operate Controls
• Awareness & Training
• Prevention, Detection and Response to Incidents
• Manage Resources
• Internal ISMS Audit
• Management Review
• Corrective Action
• Preventive Action
• ISMS Improvements
This is the Deming cycle (Plan – Do – Check – Act); the improvements feed back to augment/reinforce the earlier steps.
structure of ISO/IEC 27001
Σ §4 Information Security Management System
  Establish the ISMS
  Implement and operate the ISMS
  Monitor and review the ISMS
  Maintain and improve the ISMS
  Documentation requirements
Σ §5 Management responsibility
Σ §6 Internal ISMS audits
Σ §7 Management review of the ISMS
Σ §8 ISMS improvement
27001 / 27002 correspondence
27001 – requirements (“The organization shall …”):
  §4 – Information security management system
  §5 – Management responsibility
  §6 – Internal ISMS audits
  §7 – Management review of the ISMS
  §8 – ISMS improvements
  Annex A – (normative) Control objectives and controls, [A] 5 Security Policy through [A] 15 Compliance
27002 – code of practice (“The organization should …”):
  for each Annex A control gives: Objective, Control, Implementation Guidance, Other Information
why implement an ISMS?
Σ It’s a management system
Σ It has definitive criteria for:
  Policy
  Risk management
  Processes & procedures
  Controls
  Addressing the organization
Σ Risk is actively assessed, by mandate
Σ It has an international certification scheme
Σ It is flexible and superior to other audit methods
why implement an ISMS? (2)
Σ It can encompass other standards, regulation, &c.
  FFIEC, FISMA, GLBA, HIPAA, other ISO, SOX, …
Σ It can fit within other standards & regulation
  FFIEC, ISO 20000-1
Σ Scaleable
  Select all or part of the organization
  Big and small
  Can be constructed hierarchically
  • Corporate
  • National / Regional
  • Different levels of security protection
what’s the take-up?
Σ Globally – in excess of 3,600 certified ISMSs (but … around 2,350 of these are in Japan!)
Σ US = 60? (vs. IN = 385; UK = 365; CN = 100; AU = 53)
are there any downsides?
Σ Yes
  management perspective implies a high level of abstraction
  lower-level controls & requirements not specifically addressed
  some topic areas could be better addressed (revision 2008 – 2010)
  but …
Σ Its very flexibility allows these drawbacks to be overcome
multi-standard conformity
Σ Map the ISMS processes & controls to the requirements of each target standard / regulation / …
Σ Implement all ISMS processes – mandatory; they will cover all processes of the target standard
Σ Show where processes fulfill the needs of target standards
Σ Where ISMS controls don’t fulfill a need of a target standard, write a new control yourself: an Extended Control Set (ECS)
Σ Construct the Extended Statement of Applicability (ESA)
Σ Implement the ISMS against the ESA
multi-standard conformity (2)
Σ The benefits:
  one audit can fulfill many assurance needs
  resolves the problems of a plethora of standards
  significantly reduces costs through delivering multiple assurances
Σ Implementors need to understand where different levels of granularity will still mandate lower-level assessment
Σ Assessor teams need the full gamut of skills
multi-standard conformity (3)
[diagram: 27001 (Processes + Controls), Generic Guidance (27002), Domain-specific guidance (270xx) and the ECS combine into the Applicable Control Set]
conclusions
Σ take-up in the US is increasing
Σ intelligent implementation yields early benefits
Σ It puts management in charge
Σ It will become the dominant information security management model in the US and abroad
freebies, anyone?
Σ A free single-user fully-licensed copy of ISO/IEC 27001:2005 will be provided if you invite Zygma to discuss with you how our services might help you take a step forward with your information security management
Σ Just email me with a suggested day, time and the nature of your interest.
Σ Offer valid until 2008-03-20!
questions / follow-up
For further contact:
Richard G. Wilsher
+1 714 965 99 42 (office)
+1 714 797 99 42 (mobile)
www.Zygma.biz[/Certificates.cfm]