First Practice - Information Security

Management System Implementation and

ISO 27001 Certification
 Scope
NBG Services

Evaluation criteria

Services and Business processes

Evaluation results

ISO/IEC 27001:2013 Certification

Legal requirements
 Scope
International Payment and Reserve Management
Service

Georgian Payment and Security Settlement Service

Human resources, Public Relations, Chancellery,

Logistics, Legal, Accounting, Internal Audit)

All Types of Information Assets

Approach
 Goals
Ensure compliance
Confidentiality, Availability And Integrity needs.
Establish controls for protection.
Motivate employees
Ensure in continuity.
Ensure the protection of personal data (privacy).
Ensure the availability and reliability of
Infrastructure.
Comply with - ISO/IEC 27001:2013.
Ensure in external service providers compliance.
Ensure flexibility and an acceptable level of
InfoSec security
 Acceptable Level
Current CMM Level Req. CMM Level

A.5 Information Security Policies

5 4 A.6 Organisation of information
A.18 Compliance
4 4 security
4
3
A.17 Information security aspects of
business continuity management 4 3 4 A.7 Human resources security
2
3
2 1

A.16 Information security incident

management 4 1 4 A.8 Asset management
3
2

3
A.15 Supplier relationships 4 1 4 A.9 Access control

3
A.14 System acquisition, 4 4 A.10 Cryptography
development and maintenance
3 3
3
4 4A.11 Physical and environmental
A.13 Communications security
security
4
A.12 Operations security
 Initiation Project
Competent Consultancy service

Accreditation requirements

Tender documentation

Service requirements

Project Management Practice

 Policy
Context of the National Bank of Georgia
Scope (Procedure)
policy (Policy)
Objectives (Procedure)
Roles and Responsibilities (Procedure)
Risk management (Procedure)
Documented information (Procedure)
Internal audit (Procedure)
ISMS Policy Manual
Employee Guidelines National Bank of Georgia
 Policy Cont.
Business Continuity Plan
BCP Procedure (Procedure)
Business continuity (policy)
Risk treatment plan
Statement of Applicability (SoA)
Plan to archive Information security objectives
Contracting rules and templates
Contract template with new employee (Contract
template)
Internal audit plan
Information classification rule (Procedure)
Awareness program and training presentation
 Records, Reports
Business impact analysis (Record)
BCP Testing and Maintenance Cycles (Record)
BCP Testing Report (Report)
Assets register (Report)
Risk identification and assessment (Report)
Risk treatment report (Report)
ISMS objectives status report (Report)
Evidence of competence (Record)
Monitoring and measurement (Record)
Internal audit program (Record)
Internal Audit report (Report)
List of corrective actions with results of effectively analysis (Record)
ISMS Management review (Record)
ISMS Contacts with authorities and special groups (Record)
List of suppliers related to ISMS (Record)
Regulation about acceptance of residual risks (Report)
 Decision Making
Maximum 1 Working day

Information security management committee and

working group

Change management committee

Business continuity management committee and working

group

2 months for 1 Service.

 Acceptable Level
A.5 Information Security Policies
5 A.6 Organisation of information
A.18 Compliance
security
4
A.17 Information security aspects
of business continuity A.7 Human resources security
management 3

A.16 Information security incident

A.8 Asset management
management 1

A.15 Supplier relationships A.9 Access control

A.14 System acquisition,

A.10 Cryptography
development and maintenance

A.11 Physical and environmental

A.13 Communications security
security
A.12 Operations security
Current CMM Level

Req. CMM Level

 Audit Result
No critical nonconformities

No nonconformities

Several recommendations

8 domains are on fifth level of CMM

6 domains are on fourth level of CMM

ISO/IEC 27001:2013 cerficate

Thank You