ALOKE

Auditor Training on ISO 27001:2013

• "Information technology — Security techniques — Information security management systems — Requirements"
• Based on ISO 27001:2013

Prepared by Aloke Ganguly

What is Information Security

The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.

Information Assets
▫ An asset is something that has "value to the organization"
▫ Information assets of an organization can be:
  ▫ Business data
  ▫ E-mail data
  ▫ Employee information
  ▫ Research records
  ▫ Price lists
  ▫ Tender documents
  ▫ Information spoken in conversations over the telephone

The organization must determine which assets can materially affect the delivery of a product/service by their absence or degradation.
Information Security Management relates to all types of information, be it paper-based, electronic or other. It determines how information is processed, stored, transferred, archived and destroyed.
Information is secure when its Confidentiality, Integrity and Availability are ensured.
It is all about protecting information assets from potential security breaches.

What is Information Security

• Confidentiality
  ▫ Is my communication private?
  ▫ Ensuring that the data is read only by the intended person
  ▫ Protection of data against unauthorized access or disclosure
  ▫ Possible through access control and encryption

• Integrity
  ▫ Has my communication been altered?
  ▫ Protection of data against unauthorized modification or substitution
  ▫ If integrity is compromised, there is no point in protecting the data
  ▫ Think of a transparent envelope that is tamper evident

• Availability
  ▫ Are the systems responsible for delivering, storing and processing information accessible when needed?
  ▫ Are the above systems accessible only to those who need them?

Need for ISMS

Management Concerns
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security

Security Measures/Controls
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management

All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS).

Comparing ISO 27001:2005 to ISO 27001:2013

Structure

• ISO 27001:2005: The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective.
  4. Information security management system
  5. Management responsibility
  6. Internal ISMS audits
  7. Management review of the ISMS
  8. ISMS improvement

• ISO 27001:2013: The specification is spread across 7 clauses, which do not have to be followed in the order they are listed.
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

Comparing ISO 27001:2005 to ISO 27001:2013

Process

• ISO 27001:2005: The standard clearly states that it follows the PDCA (Plan-Do-Check-Act) model.
• ISO 27001:2013: The standard does not specify any particular process model. The standard requires that a process of continual improvement is used.

Governance and management

• ISO 27001:2005: Senior management plays a major role. Management and board engagement is high, but the separation between board and management is not clear. The board initiates the ISMS; management oversees the implementation of the ISMS.
• ISO 27001:2013: Management roles are described as 'management' and 'top management', removing reference to the board. The organization is that part of the business that falls within the scope, and not necessarily the legal entity.

Comparing ISO 27001:2005 to ISO 27001:2013

Risk assessments

• ISO 27001:2005: The definition of risk is the "combination of the probability of an event and its consequences". The organization identifies risks against assets. The asset owner determines how to treat the risk, accepting residual risk. Controls are drawn from Annex A. Annex A is not exhaustive, so additional controls can be drawn from other sources. The Statement of Applicability records whether a control from Annex A is selected and why.

• ISO 27001:2013: The definition of risk is the "effect of uncertainty on objectives", which may be positive or negative. Baseline controls based on regulatory, business and contractual obligations may be identified and implemented before the risk assessment is conducted. The organization identifies risks to the organization's information; the assessment does not have to be asset-based. The risk owner determines how to treat the risk, accepting residual risk. Controls are drawn from any source or control set. Selected controls are compared to those in Annex A. The Statement of Applicability records whether a control from Annex A is

Comparing ISO 27001:2005 to ISO 27001:2013

Controls

• ISO 27001:2005: Annex A contains 133 controls across 11 control categories. Controls from other sources are used to 'plug gaps' not covered by Annex A controls.
• ISO 27001:2013: Annex A contains 114 controls across 14 control categories. Controls (from any source) are identified before referring to Annex A.

Documentation

• ISO 27001:2005: The standard recognizes two forms: documents and records. Documents include policies, procedures, process diagrams, etc. Records track work completed, audit schedules, etc.
• ISO 27001:2013: The standard makes no distinction between documents and records. Documents and records are subject to the same control requirements.

ISO 27001 Structure

ISO/IEC 27001:2013 is an auditable standard made up of two parts:

Clauses: Mandatory Processes
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. ISMS Improvement

Annex A: Control Objectives
• 14 Domains
• 35 Control Objectives
• 114 Controls

Number of Domains and Controls

Domain                                                                 Control Obj.   Controls
A.5  Information security policies                                          1             2
A.6  Organization of information security                                   2             7
A.7  Human resources security                                               3             6
A.8  Asset management                                                       3            10
A.9  Access control                                                         4            14
A.10 Cryptography                                                           1             2
A.11 Physical and environmental security                                    2            15
A.12 Operations security                                                    7            14
A.13 Communications security                                                2             7
A.14 Systems acquisition, development & maintenance                         3            13
A.15 Supplier relationships                                                 2             5
A.16 Information security incident management                               1             7
A.17 Information security aspects of business continuity management         2             4
A.18 Compliance                                                             2             8
Total                                                                      35           114

ISO 27001 Main Clauses

• Clause 4: Context of the organization
  ▫ Understanding the organization and its context
  ▫ Understanding the needs and expectations of interested parties
  ▫ Determining the scope of the information security management system
  ▫ Information security management system
• Clause 5: Leadership
  ▫ Leadership and commitment
  ▫ Policy
  ▫ Organization, roles, responsibilities and authorities
• Clause 6: Planning
  ▫ Actions to address risks and opportunities
  ▫ Information security objectives and planning to achieve them
• Clause 7: Support
  ▫ Resources
  ▫ Competence
  ▫ Awareness
  ▫ Communication
  ▫ Documented information

ISO 27001 Main Clauses

• Clause 8: Operation
  ▫ Operational planning and control
  ▫ Information security risk assessment
  ▫ Information security risk treatment
• Clause 9: Performance evaluation
  ▫ Monitoring, measurement, analysis and evaluation
  ▫ Internal audit
  ▫ Management review
• Clause 10: Improvement
  ▫ Nonconformity and corrective action
  ▫ Continual improvement

ISMS Scope

The Information Security Management System covers all business functions and processes associated with information assets, so as to provide customers, employees and business partners with the benefits and services of the organization.

ISMS Policy & Business Objectives

Quality & Security Policy:

We are committed to maintaining high quality standards in delivering timely and cost effective solutions to our customers by continual improvement of our processes, instilling quality consciousness amongst all employees and recognizing the confidentiality, integrity and availability of information assets to relevant stakeholders including our customers.

Business Objectives
Key Objective 1: Provide high quality services to our clients.
Key Objective 2: Continuous focus on employee satisfaction and competency development so as to reduce and stabilize employee attrition.
Key Objective 3: Continual improvement of services to our internal & external customers.
Key Objective 4: To secure its information assets and those of its customers, NST shall deploy procedures to maintain confidentiality, integrity and availability of all information assets.
Key Objective 5: To have year on year revenue increase while maintaining profitability.

ISMS Documentation

Level 1: Policy, ISMS Manual (Apex document), Risk Assessment, Statement of Applicability
  Management framework, policies, scope
Level 2: Procedures
  Describes processes: who, what, when, where
Level 3: Work Instructions, checklists, forms, etc.
  Describes how tasks and specific activities are done
Level 4: Records
  Provides objective evidence of compliance to ISMS requirements

Risk Assessment and Management

• Risk Assessment
  ▫ Identify all stakeholders
  ▫ Identify business processes
  ▫ Identify operational processes
  ▫ Identify assets
  ▫ Identify risks on the basis of all stakeholders
  ▫ Identify threats and vulnerabilities
  ▫ Evaluate probability and impact
  ▫ Calculate risk value
• Risk treatment
  ▫ Mitigate/reduce risk
  ▫ Avoid risk
  ▫ Transfer risk
  ▫ Accept risk
• Risk Management
  ▫ Mitigate the risk by appropriate controls
  ▫ Evaluate controls periodically

ISO 27001:2013 Main Clauses-10

• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance Evaluation
• Clause 10: Improvement
• Clause 11: Domain, Control Objective & Controls

• There are 14 domains, 35 control objectives and 114 detailed controls.

• Note: Clauses 1-3 are non-auditable.

Structure of ISO 27001:2013 Controls

14 Domains comprising 35 Control Objectives and 114 Controls

A.5 Information security policies – controls on how the policies are written and reviewed
A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
A.7 Human resources security – controls prior to employment, during, and after the employment
A.8 Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
A.9 Access control – controls for access control policy, user access management, system and application access control, and user responsibilities
A.10 Cryptography – controls related to encryption and key management
A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
A.12 Operational security – many controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.

Structure of ISO 27001:2013 Controls

A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

Guidelines for using the Risk Register Sheet-13

Risk analysis is an evaluation of the identified risk events to determine the likelihood of the events occurring and their impact, to assign a risk rating based on the project criteria and to prioritize the risks. For each risk event, the following risk analysis guidelines can be used:

1. Probability (P). The likelihood of occurrence can be categorized as:
   5 – Near certainty: event that has a greater than 75% chance of occurring
   4 – Highly likely: event that has between a 51 – 75% chance of occurring
   3 – Likely: event that has between a 20 – 50% chance of occurring
   2 – Unlikely: event that has between a 10 – 20% chance of occurring
   1 – Remote: event that has a 0 – 10% chance of occurring

2. Vulnerability (Impact) value (V). The vulnerability of each risk is attributed a characterization value as follows:
   4 – Showstopper: the effect is catastrophic; the organization may face significant loss and impact. The project will fail.
   3 – Critical: the impact is serious and the project may be largely affected due to the risk. There could be huge delays and the project could be postponed due to it.
   2 – Marginal: the risks could cause small delays in schedule.
   1 – Negligible: the impact of these risks on the project could be minimal.

3. CIA Value (C): 1 – Low, 2 – Medium, 3 – High.

Risk Value = (probability of event) + (Vulnerability) + (CIA Value), i.e. P + V + C. With the scales above the value always falls between 3 and 12.

Risk Level Value definition:
   3 to 5 – Normal/Trivial: no action required
   6 to 7 – Low: to be reviewed regularly; the organization will accept risk up to this level
   8 to 10 – Medium: medium level risk, mitigation to be planned in a period of six months
   11 to 12 – High: high level risk, mitigation immediately required
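The P + V + C scheme above is easy to apply inconsistently by hand across a large register, which is exactly what an auditor checks for. The following is an added example, not code from the training deck, that encodes the sheet's three scales, the sum, the level bands and the prescribed action, validates every score against its scale, and orders a register highest risk first. The threats and scores in SAMPLE_REGISTER are constructed for illustration and do not come from the deck.

```python
"""Risk register scoring per the Risk Register Sheet: Risk Value = P + V + C."""
from dataclasses import dataclass

# Scales exactly as the sheet defines them (score -> description)
PROBABILITY = {
    1: "Remote (0-10% chance)",
    2: "Unlikely (10-20% chance)",
    3: "Likely (20-50% chance)",
    4: "Highly likely (51-75% chance)",
    5: "Near certainty (>75% chance)",
}
VULNERABILITY = {1: "Negligible", 2: "Marginal", 3: "Critical", 4: "Showstopper"}
CIA_VALUE = {1: "Low", 2: "Medium", 3: "High"}

# Risk level bands (inclusive) and the action the sheet prescribes for each
LEVEL_BANDS = (
    (3, 5, "Normal/Trivial", "No action required"),
    (6, 7, "Low", "Review regularly; organization accepts risk up to this level"),
    (8, 10, "Medium", "Mitigation to be planned within six months"),
    (11, 12, "High", "Mitigation immediately required"),
)


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    probability: int    # P, 1-5
    vulnerability: int  # V, 1-4
    cia_value: int      # C, 1-3


def risk_value(p: int, v: int, c: int) -> int:
    """Risk Value = P + V + C, after checking each score is on its scale."""
    if p not in PROBABILITY:
        raise ValueError(f"probability {p} not in 1-5")
    if v not in VULNERABILITY:
        raise ValueError(f"vulnerability {v} not in 1-4")
    if c not in CIA_VALUE:
        raise ValueError(f"CIA value {c} not in 1-3")
    return p + v + c


def risk_level(value: int) -> tuple:
    """Map a risk value (3-12) to its (level, required action)."""
    for low, high, level, action in LEVEL_BANDS:
        if low <= value <= high:
            return level, action
    raise ValueError(f"risk value {value} outside 3-12")


def evaluate_register(entries) -> list:
    """Score every entry and return rows ordered highest risk first."""
    rows = []
    for e in entries:
        value = risk_value(e.probability, e.vulnerability, e.cia_value)
        level, action = risk_level(value)
        rows.append({
            "threat": e.threat, "P": e.probability, "V": e.vulnerability,
            "C": e.cia_value, "value": value, "level": level, "action": action,
        })
    rows.sort(key=lambda r: r["value"], reverse=True)
    return rows


# Constructed sample register (hypothetical threats and scores, not from the deck)
SAMPLE_REGISTER = [
    RiskEntry("Phishing of finance staff", 4, 4, 3),
    RiskEntry("Unauthorised access to source repository", 3, 4, 3),
    RiskEntry("Backup media lost in transit", 2, 3, 3),
    RiskEntry("Office printer outage", 4, 1, 1),
    RiskEntry("Visitor tailgating into lobby", 2, 2, 1),
]

if __name__ == "__main__":
    for r in evaluate_register(SAMPLE_REGISTER):
        print(f"{r['value']:>2} {r['level']:<15} {r['threat']:<42} {r['action']}")
```

Scores outside their scale raise rather than silently producing a value, so a register row entered with an impact of 5 (the sheet only goes to 4) is caught before it inflates the risk ranking.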

Understanding the Needs and Expectations of Interested Parties

Internal stakeholders and their issues:
• Management: Governance, resource availability, organization structure, roles and accountabilities, policies, objectives, and the strategies.
• Employees: Fulfillment of commitments, adherence to organization policies, processes and guidelines and to ensure seamless / uninterrupted operations. Expectations of employees in terms of commitments made by the organization need to be fulfilled.
• Shareholders: Relationship with, and perceptions and values of, internal stakeholders.
• Board of Directors: Maintaining commitment to customers, goodwill and repute of the organization, and maintaining return on investment committed on the business, in totality.
• Corporate requirements: Standards, guidelines and models adopted by the organization.
• Users / Other departments: Information technology related requirements to the organization such as access rights, IT infra availability to internal users and other departments.
• HR: Resource availability, resource competence, training, background verification etc.
• Finance: Approval of financial commitments.
• Legal: Vetting of legal contracts and protecting the organization from non-compliance of legal, regulatory and contractual requirements.

External stakeholders and their issues:
• Customers: Service delivery.
• Vendors: Supply of goods and services to enable the organization to meet the requirements of the customer.
• Users / Public: Information technology related requirements to the organization such as access rights, IT infra availability to internal users and other departments.
• Government: Submission of desired reports and statements and approvals to carry out the business. Fulfilling the legal and regulatory requirements.
• Society and environment: Natural and competitive environment, key drivers and trends having impact on the objectives of the organization, political and financial status of the country.

Communication

• Communications provide the communication statement to the organization on the information security of the business execution, highlighting the importance of information protection.
• Users shall be made aware of the information security risks while exchanging information through voice, email, fax and video communication.

What to communicate | When to communicate | With whom to communicate | Who shall communicate | Process by which communication shall be effected
Technical matters | To seek clarification, discussing options of delivery | Customer | Delivery Manager / Technical Lead | Email / Hard copy / Phone
Non-technical: business upgrades / updates, development and offers of NST | When communicating | Customer | Account Manager | Email / Hard copy / Phone
Financial information such as invoices, payment reminders, proposals, upgrade offers etc. | As and when the event takes place | Customer | Accounts Manager | Email / Hard copy / Phone
Technical matters | To get the action initiated on completion of facility delivery | Accounts Manager / Delivery Manager / Business Head | Technical Lead | Email / Hard copy / Phone
Performance report | Monthly / quarterly | Business Head | Account Manager and Delivery Manager | PPT / Word / Excel; Email / Phone
Technical matters | As and when the event takes place | Project Manager | Developer / Tester | PPT / Word / Excel; Email / Phone

Statement of Applicability

Document describing the control objectives and controls that are relevant and applicable to the organization's ISMS, based on the results of the risk assessment and risk treatment processes.

NST PVT. LTD. – An Arbitrary Co.

Exercise

Given below are examples of various risks that may be faced by an organization. Go through the list of clauses and map them against each risk.

Threat / Concern | Threat impact | Impact Rating | Probability of Happening | Probability Rating
Unauthorised access | It will/may change the functionality of s/w | High | Can happen occasionally | Medium
Loss of source code | System breakdown / competitive access | High | Occasionally | Medium
Maintenance support | Lack of customer satisfaction | High | Frequently | High
Training and awareness | Wrong / erroneous operation | Medium | Frequently | High

Generic Changes from the ISO 27001:2005 standard

• Puts more emphasis on measuring and evaluating how well an organization's ISMS is performing
• New section on outsourcing
• Does not emphasize the Plan-Do-Check-Act cycle
• More attention is paid to the organizational context of information security
• Risk assessment has changed
• Management commitment requirements have a focus on "leadership"
• Preventive action has been replaced with "actions to address risks and opportunities"
• SoA requirements are similar, with more clarity on the need to determine controls by the risk treatment process
• Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping
• Stress on maintaining documented information, rather than information records
• Greater emphasis on setting objectives, monitoring performance and metrics

Risk assessment and risk treatment

▫ Risk management comprises the activities to make clear what kind of information security risks may occur, determine the risk treatment and manage the risks.
  ▫ The activities to make the risks clear are referred to as "risk assessment".
  ▫ Identify the risk owners.
  ▫ The actions taken for the risks, once they are made clear, are referred to as "risk treatment":
    ▫ Avoiding: withdrawal of business, etc.
    ▫ Taking or increasing risk in order to pursue an opportunity: additional investment, etc.
    ▫ Changing the likelihood of risks: performing preventive measures, etc.
    ▫ Removing the risk sources: performing preventive measures, etc.
    ▫ Changing the consequences of risks: preparing the actions to be taken for the possible situations, etc.
    ▫ Sharing the risks with other parties: insuring the risks, etc.
    ▫ Retaining the risks as they are: accepting the risks upon recognition.
  ▫ This is the same as the "management judgment" conventionally conducted by management.

New controls

14.2.1 Secure development policy – rules for development of software and information systems
14.2.5 Secure system engineering principles – principles for system engineering
14.2.6 Secure development environment – establishing and protecting the development environment
14.2.8 System security testing – tests of security functionality
16.1.4 Assessment of and decision on information security events – this is part of incident management
17.2.1 Availability of information processing facilities – achieving redundancy
Conceptual changes

New/Updated Concept: Explanation
• Context of the organization: The environment in which the organization operates
• Issues, risks and opportunities: Replaces preventive action
• Interested parties: Replaces stakeholders
• Leadership: Requirements specific to top management
• Communication: There are explicit requirements for both internal and external communications
• Information security objectives: Information security objectives are now to be set at relevant functions and levels
• Risk assessment: Identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks (6.1.2 d). The emphasis is now on impact and probability
• Risk owner: Replaces asset owner
• Risk treatment plan: The effectiveness of the risk treatment plan is now regarded as being more important than the effectiveness of controls
• Controls: Now determined during the process of risk treatment
• Documented information: Replaces documents and records
• Performance evaluation: Covers the measurement of ISMS and risk treatment plan effectiveness
• Continual improvement: Methodologies other than Plan-Do-Check-Act (PDCA) may be

A.6.1 Internal Organization

ISO 27001:2013 | ISO 27001:2005 | Changes
A.6.1.1 Information security roles and responsibilities | A.6.1.3 Allocation of information security responsibilities | None
A.6.1.2 Segregation of responsibilities and duties | A.10.1.3 Segregation of duties | Moved from Communications and operations management section
A.6.1.3 Contact with authorities | A.6.1.6 Contact with authorities | None
A.6.1.4 Contact with special interest groups | A.6.1.7 Contact with special interest groups | None
A.6.1.5 Information security in project management | (none) | To be integrated into project management

A.6.2 Mobile devices and teleworking

ISO 27001:2013 | ISO 27001:2005 | Changes
A.6.2.1 Mobile device policy | A.11.7.1 Mobile computing and communications | Moved from the access control section
A.6.2.2 Teleworking | A.11.7.2 Teleworking | Moved from the access control section

A.7.1 Prior to employment

ISO 27001:2013 | ISO 27001:2005 | Changes
A.7.1.1 Screening | A.8.1.2 Screening | None
A.7.1.2 Terms and conditions of employment | A.8.1.3 Terms and conditions of employment | None

A.7.2 During employment

ISO 27001:2013 | ISO 27001:2005 | Changes
A.7.2.1 Management responsibilities | A.8.2.1 Management responsibilities | None
A.7.2.2 Information security awareness, education and training | A.8.2.2 Information security awareness, education and training | None
A.7.2.3 Disciplinary process | A.8.2.3 Disciplinary process | None

A.7.3 Termination and change of employment

ISO 27001:2013 | ISO 27001:2005 | Changes
A.7.3.1 Termination or change of employment responsibilities | A.8.3.1 Termination responsibilities | • Covers contractors and third parties. • Clearly defines security responsibilities that are still valid after termination of employment.

A.8.1 Responsibility for Assets

ISO 27001:2013 | ISO 27001:2005 | Changes
A.8.1.1 Inventory of assets | A.7.1.1 Inventory of assets | None
A.8.1.2 Ownership of assets | A.7.1.2 Ownership of assets | None
A.8.1.3 Acceptable use of assets | A.7.1.3 Acceptable use of assets | None
A.8.1.4 Return of assets | A.8.3.2 Return of assets | Moved from the human resources security section

A.8.2 Information classification

ISO 27001:2013 | ISO 27001:2005 | Changes
A.8.2.1 Classification of information | A.7.2.1 Classification guidelines | Even though the title of the control has changed, the actual control has not.
A.8.2.2 Labeling of information | A.7.2.2 Information labeling and handling | • Split into A.8.2.2 and A.8.2.3. • Addresses information labeling.
A.8.2.3 Handling of assets | A.7.2.2 Information labeling and handling | Addresses asset handling procedures.

A.8.3 Media handling

ISO 27001:2013 | ISO 27001:2005 | Changes
A.8.3.1 Management of removable media | A.10.7.1 Management of removable media | Moved from communications and operations management section
A.8.3.2 Disposal of media | A.10.7.2 Disposal of media | Moved from communications and operations management section
A.8.3.3 Physical media transfer | A.10.8.3 Physical media in transit | Moved from communications and operations management section

A.9.1 Business requirements of access control

ISO 27001:2013 | ISO 27001:2005 | Changes
A.9.1.1 Access control policy | A.11.1.1 Access control policy | None
A.9.1.2 Policy on the use of network services | A.11.4.1 Policy on use of network services | None