an introduction to the ISO/IEC 27000 family of standards
(ISACA-OC ISMS-101, 2008-03-04, v1; 18 slides)

© Zygma LLC 2008

Page 1

a briefing to ISACA – Orange County Chapter

an introduction to the ISO/IEC 27000 family of standards

2008-03-04
Richard G. WILSHER
CEO, Zygma LLC

Page 2

about Zygma

• Independent information security consultancy
• Est. 1993 (UK) – US since 2003
• Specializing in:
  - ISMS implementation and audit
  - FISMA
  - PKI
  - Assurance frameworks
  - Standards development

Page 3

what is ‘ISMS’?

• Information Security Management System – part of an enterprise’s internal controls
• Widely accepted best practice in infosec
• International standard
• ISO/IEC 27001:2005 (we’ll call it ISMS)
• The matriarch of a family

Page 4

international ISMS standardisation

[figure: lineage of the standards, past → present]

  BS 7799-1 (Code of practice) → ISO/IEC 17799:2000 (Code of practice) → ISO/IEC 17799:2005 (Code of practice) → ISO/IEC 27002
  BS 7799-2 (Management standard) → ISO/IEC 27001:2005 (Management standard)

• Produced by ISO & IEC, edited by ISO/IEC JTC 1/SC 27

Page 5

the 27000 family

• Covers:
  - 27000 – Terminology & overview (3CD)
  - 27001 – Requirements for an ISMS (pub. 2005)
  - 27002 – ‘Best practice’ controls (pub. 2005), a.k.a. 17799
  - 27003 – Guidance for implementation (4WD)
  - 27004 – Measurement (metrics) (2CD)
  - 27005 – Risk management (FCD)
  - 27006 – Requirements for accreditation of certification bodies (pub. 2007)
  - 27007 – Auditor guidelines (NP)
  - 270xx – Domain-specific guidance (various)

(Status as of March 2008, given in ISO stage codes: NP = new work item proposal, WD = working draft, CD = committee draft, FCD = final committee draft; a leading digit is the draft number, so 3CD is the third committee draft.)

Page 6

principles of ISO/IEC 27001

[figure: the ISMS activities arranged as a cycle]

Plan (establish the ISMS):
• Scope
• Policy
• Risk Assessment (RA)
• Risk Treatment Plan (RTP)
• Statement of Applicability (SoA)

Do (implement and operate the ISMS):
• Operate Controls
• Awareness & Training
• Prevention, Detection and Response to Incidents
• Manage Resources

Check (monitor and review the ISMS):
• Internal ISMS Audit
• Management Review

Act (maintain and improve the ISMS):
• Corrective Action
• Preventive Action
• ISMS Improvements

This is the Deming cycle (Plan – Do – Check – Act).

Page 7

structure of ISO/IEC 27001

• §4 Information Security Management System
  - Establish the ISMS
  - Implement and operate the ISMS
  - Monitor and review the ISMS
  - Maintain and improve the ISMS
  - Documentation requirements
• §5 Management responsibility
• §6 Internal ISMS audits
• §7 Management review of the ISMS
• §8 ISMS improvement

[figure label alongside the clause list: “Augment/reinforce”]

Page 8

27001 / 27002 correspondence

27001 – requirements (“The organization shall …”)
  §4 – Information security management system
  §5 – Management responsibility
  §6 – Internal ISMS audits
  §7 – Management review of the ISMS
  §8 – ISMS improvements
  Annex A – (normative) Control objectives and controls: [A] 5 Security Policy … [A] 15 Compliance

27002 – code of practice (“The organization should …”)
  For each control: Objective, Control, Implementation Guidance, Other Information

Annex A of 27001 restates the control objectives and controls of 27002 clauses 5 to 15 under the same numbering (prefixed “A.”); 27002 supplies the implementation guidance for each. The guidance is advisory (“should”), whereas a control selected in the SoA is a requirement the organisation is audited against (“shall”).

Page 9

why implement an ISMS?

• It’s a management system
• It has definitive criteria for:
  - Policy
  - Risk management
  - Processes & procedures
  - Controls
  - Addressing the organization
• Risk is actively assessed, by mandate
• It has an international certification scheme
• It is flexible and superior to other audit methods

Page 10

why implement an ISMS? (2)

• It can encompass other standards, regulation, &c.
  - FFIEC, FISMA, GLBA, HIPAA, other ISO, SOX, …
• It can fit within other standards & regulation
  - FFIEC, ISO 20000-1
• Scalable
  - Select all or part of the organization
  - Big and small
  - Can be constructed hierarchically
    • Corporate
    • National / Regional
    • Different levels of security protection

Page 11

what’s the take-up?

• Globally – in excess of 3,600 certificates (but .. around 2,350 of these are in Japan!)
• US = 60? (vs. IN = 385; UK = 365; CN = 100; AU = 53)

Page 12

are there any downsides?

• Yes:
  - a management perspective implies a high level of abstraction
  - lower-level controls & requirements are not specifically addressed
  - some topic areas could be better addressed (revision due 2008 – 2010)
  but …
• Its very flexibility allows these drawbacks to be overcome

Page 13

multi-standard conformity

• Map the ISMS processes & controls to the requirements of each target standard / regulation / …
• Implement all ISMS processes – mandatory; they will cover all processes of the target standard
• Show where processes fulfill the needs of target standards
• Where ISMS controls don’t fulfill a need of a target standard, write a new control yourself; the added controls form an Extended Control Set (ECS)
• Construct the Extended Statement of Applicability (ESA)
• Implement the ISMS against the ESA
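As an added example (not from the slides and not Zygma’s material), the procedure above written out as code: a crosswalk from 27001 processes and Annex A controls to a handful of HIPAA Security Rule and GLBA Safeguards Rule clauses, a gap check, an Extended Control Set written for the one requirement no Annex A control covers, and the resulting Extended SoA. The Annex A identifiers and the CFR references are real, but their texts are abbreviated paraphrases, and the PROCESSES and MAPPING tables, the sample requirement set and the ECS-n numbering are assumptions made for the illustration, not a validated crosswalk.

```python
# Added example (not from the slides or from Zygma): gap analysis and Extended
# Statement of Applicability (ESA) for the multi-standard procedure. Titles and
# requirement texts are paraphrased; the crosswalk is a constructed illustration.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    cid: str      # "A.x.y.z" (27001:2005 Annex A) or "ECS-n" (extended control)
    title: str
    source: str   # "27001 Annex A" or "ECS"

@dataclass(frozen=True)
class Requirement:
    std: str      # target standard / regulation
    ref: str      # clause reference within it
    text: str

# Mandatory 27001 body-clause processes: implemented whatever the targets are (assumed subset).
PROCESSES = {"§4.2.1": "Establish the ISMS (scope, policy, RA, RTP, SoA)"}

# Subset of 27001:2005 Annex A (titles paraphrased).
ANNEX_A = [
    Control("A.5.1.1", "Information security policy document", "27001 Annex A"),
    Control("A.6.2.3", "Addressing security in third party agreements", "27001 Annex A"),
    Control("A.8.2.2", "Information security awareness, education and training", "27001 Annex A"),
    Control("A.10.10.1", "Audit logging", "27001 Annex A"),
]

# Constructed sample of target requirements (clause references; texts paraphrased).
TARGET_REQS = [
    Requirement("HIPAA", "164.308(a)(5)", "security awareness and training"),
    Requirement("HIPAA", "164.312(b)", "audit controls"),
    Requirement("HIPAA", "164.316(b)(2)(i)", "retain required documentation for six years"),
    Requirement("GLBA", "16 CFR 314.4(b)", "risk assessment covering employee training"),
    Requirement("GLBA", "16 CFR 314.4(d)", "oversee service providers by contract"),
]

# Crosswalk: target requirement -> ISMS processes and/or controls that satisfy it.
# The six-year retention period is left unmapped on purpose: no Annex A control
# fixes a retention period, so it has to become an extended control.
MAPPING = {
    ("HIPAA", "164.308(a)(5)"): ["A.8.2.2"],
    ("HIPAA", "164.312(b)"): ["A.10.10.1"],
    ("GLBA", "16 CFR 314.4(b)"): ["§4.2.1", "A.8.2.2"],
    ("GLBA", "16 CFR 314.4(d)"): ["A.6.2.3"],
}

def validate_mapping(mapping, controls):
    """Crosswalk IDs that name no known process or control (a typo here would
    silently become false assurance, so the caller fails loudly)."""
    known = set(PROCESSES) | {c.cid for c in controls}
    return sorted({cid for ids in mapping.values() for cid in ids} - known)

def find_gaps(reqs, mapping):
    """Target requirements to which no ISMS process or control is mapped."""
    return [r for r in reqs if not mapping.get((r.std, r.ref))]

def build_ecs(gaps):
    """One extended control per unmapped requirement (ECS-1, ECS-2, ...) and the
    mapping entries that close those gaps."""
    ecs = [Control(f"ECS-{n}", f"{r.std} {r.ref}: {r.text}", "ECS")
           for n, r in enumerate(gaps, 1)]
    return ecs, {(r.std, r.ref): [c.cid] for r, c in zip(gaps, ecs)}

def build_esa(controls, mapping):
    """Extended SoA: each control of the applicable control set (Annex A + ECS)
    with the target requirements citing it. A control no target cites is not
    excluded: 27001 wants selection or exclusion justified from the risk
    assessment, so it is left to the RA/RTP."""
    cited = defaultdict(list)
    for (std, ref), ids in mapping.items():
        for cid in ids:
            cited[cid].append(f"{std} {ref}")
    return [{"control": c.cid, "source": c.source,
             "applicable": "yes" if cited[c.cid] else "per risk assessment",
             "justification": ", ".join(cited[c.cid]) or "decided by the RA/RTP"}
            for c in controls]

def run_conformity_check(controls, reqs, mapping):
    """Validate crosswalk, find gaps, write ECS, build ESA, report per-target coverage."""
    unknown = validate_mapping(mapping, controls)
    if unknown:
        raise ValueError(f"crosswalk names unknown processes/controls: {unknown}")
    gaps = find_gaps(reqs, mapping)
    ecs, ecs_map = build_ecs(gaps)
    full_map = {**mapping, **ecs_map}
    coverage = defaultdict(lambda: [0, 0])   # std -> [covered, total]
    for r in reqs:
        coverage[r.std][0] += bool(full_map.get((r.std, r.ref)))
        coverage[r.std][1] += 1
    return {"gaps": [(g.std, g.ref) for g in gaps], "ecs": [c.cid for c in ecs],
            "esa": build_esa(list(controls) + ecs, full_map),
            "coverage": {k: tuple(v) for k, v in coverage.items()}}

if __name__ == "__main__":
    for row in run_conformity_check(ANNEX_A, TARGET_REQS, MAPPING)["esa"]:
        print(f'{row["control"]:10} {row["applicable"]:20} {row["justification"]}')
```

The two points a practitioner should take from it: treat the crosswalk as data that is validated (an unknown ID aborts the run) and re-run it whenever a target or Annex A changes; and an ESA row whose only justification is a regulation satisfies that regulator, but 27001 still expects the risk assessment to justify every selection and exclusion, which is why controls no target cites are left to the RA/RTP rather than marked “not applicable”.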

Page 14

multi-standard conformity (2)

• The benefits:
  - one audit can fulfill many assurance needs
  - resolves the problems of a plethora of standards
  - significantly reduces costs through delivering multiple assurances
• Implementors need to understand where different levels of granularity will still mandate lower-level assessment
• Assessor teams need the full gamut of skills

Page 15

multi-standard conformity (3)

[figure: 27001 (Processes, Controls), with generic guidance from 27002, domain-specific guidance from 270xx and the ECS (Extended Control Set), combine into the Applicable Control Set]

Page 16

conclusions

• Take-up in the US is increasing
• Intelligent implementation yields early benefits
• It puts management in charge
• It will become the dominant information security management model in the US and abroad

Page 17

freebies, anyone?

• A free single-user fully-licensed copy of ISO/IEC 27001:2005 will be provided if you invite Zygma to discuss with you how our services might help you take a step forward with your information security management
• Just email me with a suggested day, time and the nature of your interest.
• Offer valid until 2008-03-20!

Page 18

questions / follow-up

For further contact:

Richard G. Wilsher
+1 714 965 99 42 (office)
+1 714 797 99 42 (mobile)
[email protected]
www.Zygma.biz [/Certificates.cfm]