October 2015
About Presenter
He is a Certified Information Systems Auditor and ISO 27001 Lead Auditor with more
than 10 years of professional IT consulting, project management, information
systems auditing and ISMS implementation experience. Specialties: ISO 27001
implementation, IT Governance and project management, IS Auditing, Business
Analysis, ISO/IEC 20000, ITIL, COBIT, Business Continuity/Disaster Recovery.
The standard has been prepared to provide requirements for establishing, implementing,
maintaining and continually improving an information security management system (ISMS).
The main objective of an ISMS is to preserve the confidentiality, integrity and availability of
information.
Security culture framework (slide diagram, reconstructed from the original layout):
• Raise awareness and build security culture
• Top management commitment and support
• Systematically follow implemented ISMS processes
• Ensure continual improvement of ISMS
• Continual and natural management example (role model)
• Communication to ALL interested parties
• Clearly defined ISMS scope, objectives and benefits

Living ISMS: the three pillars and what each requires

Effective security awareness programs*
• Set a clear goal, define metrics and measure the progress
• Involve the right audience
• Choose the relevant topics and most effective communication channels
• Plan for long-term culture

ISMS maintenance and improvement plan
• Assign an owner of the ISMS maintenance and improvement plan
• Regular reporting to the top management (use a simple dashboard)
• Ensure regular follow-ups with the interested parties to ensure implemented ISMS processes are followed, identified risks are closed, new risks are identified

Evaluation of ISMS effectiveness
• Define performance evaluation metrics that will be monitored
• Define when and who will analyse the metrics
• Use the measurement results to evaluate effectiveness and make decisions for continual ISMS improvement
Source: https://securitycultureframework.net
Copyright © 2015 Accenture All rights reserved.
Why ISO/IEC 27001:2013?

Benefits:
• 70% reveal improving information security as the biggest driver for implementing ISO 27001. Improving IS across the whole organisation is the single most important benefit. Others include: meeting industry requirements to comply with best practice, and gaining a competitive advantage.
• 66% were asked by their clients about their ISO 27001 status in the past 12 months. Respondents reveal that ISO 27001 is a regular requirement for contracts and tendering for new business.
• 23% have full-time ISMS Managers employed at their company. This activity is generally delegated to various other roles within the organisation (e.g. IT Managers). 44% admit that the person managing their ISMS does not have formal ISO 27001 qualifications.

Challenges:
• 45% state “obtaining employee buy-in and raising staff awareness” is one of the biggest challenges in implementing ISO 27001. Engaging staff with the right level of competence and expertise is fundamental to the success and the long-term effectiveness of an ISMS. Increasing IS awareness among non-technical staff is essential – employees are the weakest link.
• 40% seek external help for certification. The absence of full-time staff and formal training for ISMS management may contribute to this result. Large organisations with dedicated ISMS staff still benefit from external help and advice as implementation can be more complex.
• 20% find it a challenge “convincing the board that information security is a critical business issue”. Reasons behind this challenge include securing sufficient budget allowance, gaining permission to employ sufficient resources and having Leadership agree to complete certification.