
ISO27001: Implementation & Certification

Process Overview

Shankar Subramaniyan
CISSP,CISM,ABCP,PMP,CEH
Agenda

• Overview and changes in ISO27001:2013
• Implementation Approach & Common Challenges in Implementation
• Certification Process Overview
Overview and changes in ISO27001:2013

Overview

• Most widely recognized security standard in the world
• Process based: sets up an Information Security Management System (ISMS) framework
• Addresses information security across industries
• Comprehensive in its coverage of security controls

http://www.iso.org/iso/home/standards/certification/iso-survey.htm?certificate=ISO/IEC%2027001&countrycode=US#countrypick
Benefits

Culture and Controls

• ISO27001 is a culture one has to build in the organization, which would help to:
– Increase security awareness within the organization
– Identify critical assets via the Business Risk Assessment
– Provide a framework for continuous improvement
– Bring confidence internally as well as to external business partners
– Enhance the knowledge and importance of security-related issues at the management level

• Combined framework to meet multiple client requirements/compliance requirements

Benefits at a glance: Competitive Advantage, Compliance, Reduce Cost, Process Improvement
*ISO27000 Series

• 27000, Information Security Management System – Fundamentals and vocabulary (13335-1) (vocabulary standard)
• 27001, Information Security Management System – Requirements (requirement standard)
• 27002, Code of Practice for Information Security Management (guideline standard)
• 27003, Information Security Management System – Implementation guidelines (guideline standard)
• 27004, Information Security Management Measurements (metrics) (guideline standard)
• 27005, Information Security Risk Management (13335-2) (guideline standard)

ISO27001 (certified) vs ISO27002 (compliant)
* Only a few are mentioned here.
ISO 27001 2005 vs 2013

2013                              2005
1 Scope                           1 Scope
2 Normative references            2 Reference to ISO 17799:2005
3 Terms and definitions           3 Terms & Definitions
4 Context of the organization     4 ISMS
5 Leadership                      5 Management Responsibility
6 Planning                        6 Internal ISMS Audits
7 Support                         7 Management Review of ISMS
8 Operation                       8 ISMS Improvement
9 Performance evaluation
10 Improvement

The revised version has a high-level structure similar to other management system standards, to make integration easier when implementing more than one management standard. The revision addresses the need to align information security management and its strategy to the business strategy, and makes the standard adaptable for SMEs.

* http://www.dionach.nl/blog/iso-27001-2013-transition-0
Major Changes

• Context of the organization
• Interested parties
• Interface/boundaries
• Align organization strategies with security objectives
• Risk assessment and treatment
• Asset Register is not mandatory
• Risk owner & approval
• SOA control implementation status
• Objectives, monitoring and measurement
• Risk treatment and ISMS effectiveness
• Communication
• Documented Information
• Corrective & preventive actions

http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/
Annexure A (controls)

2005: 11 Clauses (Domains), 39 Control Objectives, 133 Control Activities
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resource Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information system acquisition, development and maintenance
• Information Security Incident Management
• Business Continuity Planning
• Compliance

2013: 14 Clauses (Domains), 35 categories (control objectives), 114 Control Activities
• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance
Annexure A (control structure)

A.7 Human resource security
  A.7.1 Prior to employment
    A.7.1.1 Screening
    A.7.1.2 Terms and Conditions of Employment
  A.7.2 During Employment
    A.7.2.1 Management responsibilities
    A.7.2.2 Information Security awareness, education and training
    A.7.2.3 Disciplinary process

Clause (domain) → category (control objective) → control activity: 14 Clauses (Domains), 35 categories (control objectives), 114 Control Activities in total.
Control Changes

New Controls
• 6.1.4 Information security in project management
• 14.2.1 Secure development policy – rules for development of software and information systems
• 14.2.5 Secure system engineering principles – principles for system engineering
• 14.2.6 Secure development environment – establishing and protecting development environment
• 14.2.8 System security testing – tests of security functionality
• 16.1.4 Assessment of and decision on information security events – this is part of incident management
• 17.2.1 Availability of information processing facilities – achieving redundancy

Controls deleted
• 6.2.2 Addressing security when dealing with customers
• 10.4.2 Controls against mobile code
• 10.7.3 Information handling procedures
• 10.7.4 Security of system documentation
• 10.8.5 Business information systems
• 10.9.3 Publicly available information
• 11.4.2 User authentication for external connections
• 11.4.3 Equipment identification in networks
• 11.4.4 Remote diagnostic and configuration port protection
• 11.4.6 Network connection control
• 11.4.7 Network routing control
• 12.2.1 Input data validation
• 12.2.2 Control of internal processing
• 12.2.3 Message integrity
• 12.2.4 Output data validation
• 11.5.5 Session time out
• 11.5.6 Limitation of connection time
• 11.6.2 Sensitive system isolation
• 12.5.4 Information leakage
• 14.1.2 Business continuity and risk assessment
• 14.1.3 Developing and implementing business continuity plans
• 14.1.4 Business continuity planning framework
• 15.1.5 Prevention of misuse of information processing facilities
• 15.3.2 Protection of information systems audit tools
Implementation Process Overview

ISMS Process PDCA Model

• Plan: Define Security Policies and Procedures
• Do: Implement and manage Security controls/process
• Check: Review/audit security management and controls
• Act: Implement identified improvements, corrective/preventive actions

Across People, Process and Technology
Implementation Approach

Project Set up & Plan

Phase I – Baseline Information Security Assessment
• Identify the scope and coverage of Information Security
• Assess the current environment
• Prepare baseline information security assessment report

Phase II – Design of Information Security Policy & Procedures
• Establish Security Organization & Governance
• Identify information assets and their corresponding information security requirements
• Assess information security risks and treat information security risks
• Select relevant controls to manage unacceptable risk
• Formulate Information security policy & procedures
• Prepare Statement of Applicability

Phase III – Implementation of Information Security Policy
• Implementation of Controls
• Security Awareness training

Phase IV – Pre-Certification Audit
• Review by Internal Audit and Management review
• Corrective Action and continuous improvement
Asset Profiling & Risk Assessment

• An Information Asset is any information, in any format, used to operate and manage the business. It includes electronic information, paper-based assets, hardware assets (servers, desktops, other IT equipment), software assets, equipment and people.

Asset register columns: Sl.no | Asset | Location | Owner | Custodian | User | Asset Number

Risk Factor = Asset Value * Exposure Factor * Probability of occurrence
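The register and the risk-factor formula above, applied end to end as an added example (not from the deck): each register row is scored, ranked, and marked "treat" or "accept" against a risk-acceptance threshold, which is what Phase II's "select relevant controls to manage unacceptable risk" consumes. The 1-5 value scale, the 0-1 exposure and probability scales, the threshold and the sample assets are all constructed assumptions.

```python
"""Risk scoring over an asset register with the deck's formula:
Risk Factor = Asset Value * Exposure Factor * Probability of occurrence (added example)."""
from dataclasses import dataclass

# Constructed scales (assumptions, not from the deck): asset value 1-5, exposure factor
# 0.0-1.0 (fraction of value lost), probability 0.0-1.0 (annual likelihood); the
# threshold is an assumed risk-acceptance criterion set by management.
RISK_ACCEPTANCE_THRESHOLD = 1.0

@dataclass
class Asset:
    sl_no: int
    name: str
    location: str
    owner: str        # accountable for the asset
    custodian: str    # operates/maintains it day to day
    user: str
    asset_number: str
    value: int
    exposure: float
    probability: float
    risk_owner: str   # 2013 revision: a named risk owner approves the treatment

    def risk_factor(self) -> float:
        return round(self.value * self.exposure * self.probability, 3)

def validate(asset: Asset) -> None:
    """Reject register rows whose scores fall outside the agreed scales."""
    if not 1 <= asset.value <= 5:
        raise ValueError(f"{asset.name}: asset value must be 1-5")
    if not (0.0 <= asset.exposure <= 1.0 and 0.0 <= asset.probability <= 1.0):
        raise ValueError(f"{asset.name}: exposure and probability must be in [0, 1]")

def treatment_plan(register: list, threshold: float = RISK_ACCEPTANCE_THRESHOLD) -> list:
    """Rank assets by risk factor; anything above the threshold is an unacceptable risk to treat."""
    for asset in register:
        validate(asset)
    ranked = sorted(register, key=lambda a: a.risk_factor(), reverse=True)
    return [{"asset": a.name, "asset_number": a.asset_number, "risk_factor": a.risk_factor(),
             "risk_owner": a.risk_owner, "decision": "treat" if a.risk_factor() > threshold else "accept"}
            for a in ranked]

# Constructed sample register (not real data); running the module prints the ranked plan.
SAMPLE_REGISTER = [
    Asset(1, "Customer database", "DC-1", "Head of Sales", "DBA team", "CRM users", "INF-001", 5, 0.8, 0.4, "CISO"),
    Asset(2, "HR paper files", "HQ archive", "HR manager", "Facilities", "HR staff", "PAP-004", 3, 0.5, 0.1, "HR manager"),
    Asset(3, "Build server", "DC-1", "Engineering lead", "IT ops", "Developers", "HW-017", 4, 0.6, 0.5, "CTO"),
]
if __name__ == "__main__":
    print(*treatment_plan(SAMPLE_REGISTER), sep="\n")
```

The "treat" rows are the input to the risk treatment plan and, once controls are chosen for them, to the Statement of Applicability.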
Information Security Policy Management Documents

Inputs: Business Requirements, Risk Assessment Report, Legal or Contractual Requirements, Regulatory Obligations

These feed, top down, into:
Statement of Applicability
Information Security Policy Document
Information Security Procedures Document
Information Security Guidelines and Standards
Information Security Awareness Solutions
Implementation Cost & Timeline

Implementation cost
• Acquiring knowledge (Training/Consultant)
• Implementation of process tools & new technology
• Employees' time (Training/Risk Assessment)
• Certification body

Implementation key events
• Security Organization
• Asset Profiling
• Risk Assessment
• Policies & Procedures Development
• Implementation
• Awareness Training
• Internal Audit
• Management Review

Cost Factors
• Number of Sites
• Number of employees
• Type of Industry
• Existing process maturity
• Number of Servers (IT Landscape)
Common Implementation Challenges

• Business alignment (Management support)
• Allocation of security responsibilities (the IT department is the one driving security)
• Process and People focus (not just technology)
• Communication and delivery of policies & procedures (approachability and availability of policy documents)
• Adequate deployment
• IT challenges
Certification Process Overview

Certification Process

Stage 1 Audit (Desktop/Document Review)

• Desktop Review (Stage 1 Audit) enables the certifying body to gain an understanding of the ISMS in the context of the organization's security policy and objectives and approach to risk management. It provides a focus for planning out the Stage 2 audit and is an opportunity to check the preparedness of the organization for implementation.

• It includes a document review:
– Scope document
– Security Policy and Procedures
– Risk Assessment Report
– Risk Treatment Plan
– Statement of applicability

ISMS documentation levels:
L1 Security Manual: policy, scope, risk assessment, statement of applicability
L2 Procedures: describes processes (who, what, when, where)
L3 Work Instructions, forms, etc.: describes how tasks and specific activities are done
L4 Records: provides objective evidence of compliance to ISMS requirements
Mandatory Documents

A list of certification bodies can be found at accrediting body websites, such as http://www.anab.org for the USA, http://www.ukas.com for Europe, and http://www.iaf.nu for all accreditation bodies.

http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/
Certification Process (Contd.)

Stage 2 Audit (Implementation)

• Based on the Stage 1 Audit findings, the Certification Body produces the Stage 2 Audit Plan
• It takes place at the site of the organization
• The Stage 2 audit covers:
– Confirmation that the organization is acting in accordance with its own policies, objectives and procedures
– Confirmation that the ISMS conforms with all the requirements of the ISO 27001:2013 standard and is achieving the organization's policy objectives

Stage 3 – Surveillance and Recertification

• The certificate that is awarded will last for three years, after which the ISMS needs to be re-certified.
• During this period there will be surveillance audits (e.g. every 6-9 months)
• After 3 years one needs to go for recertification.
THANK YOU
Resources
http://iso27001security.com/
http://www.iso27001standard.com/en

Email: 2contactshankar@gmail.com
