ALOKE

Auditor Training on ISO 27001:2013
Prepared by Aloke Ganguly
Information Assets
▫ An asset is something that has “value to the organization”.
▫ Information assets of an organization can be:
  • Business data
  • E-mail data
  • Employee information
  • Research records
  • Price lists
  • Tender documents
  • Information spoken in conversations over the telephone
▫ The organization must determine which assets can materially affect the delivery of a product/service by their absence or degradation.

Information Security Management relates to all types of information, be it paper-based, electronic or other. It determines how information is processed, stored, transferred, archived and destroyed. Information is secure when its Confidentiality, Integrity and Availability are ensured. Information security is all about protecting information assets from potential security breaches.
• Integrity
  • Has my communication been altered?
  • Protection of data against unauthorized modification or substitution
  • If integrity is compromised, there is no point in protecting the data
  • Analogy: a transparent envelope that is tamper evident
• Availability
  • Are the systems responsible for delivering, storing and processing information accessible when needed?
  • Are the above systems accessible only to those who need them?
Structure

| ISO 27001:2005 | ISO 27001:2013 |
| --- | --- |
| The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective. | The specification is spread across 7 clauses, which do not have to be followed in the order they are listed. |
| 4. Information security management system | 4. Context of the organization |
| 5. Management responsibility | 5. Leadership |
| 6. Internal ISMS audits | 6. Planning |
| 7. Management review of the ISMS | 7. Support |
| 8. ISMS improvement | 8. Operation |
| | 9. Performance evaluation |
| | 10. Improvement |
Process

| ISO 27001:2005 | ISO 27001:2013 |
| --- | --- |
| The standard clearly states that it follows the PDCA (Plan-Do-Check-Act) model. | The standard does not specify any particular process model. It requires that a process of continual improvement is used. |
Controls

| ISO 27001:2005 | ISO 27001:2013 |
| --- | --- |
| Annex A contains 133 controls across 11 control categories. | Annex A contains 114 controls across 14 control categories. |
| Controls from other sources are used to ‘plug gaps’ not covered by Annex A controls. | Controls (from any source) are identified before referring to Annex A. |

Documentation

| ISO 27001:2005 | ISO 27001:2013 |
| --- | --- |
| The standard recognizes two forms: documents and records. | The standard makes no distinction between documents and records. |
| Documents include policies, procedures, process diagrams, etc. Records track work completed, audit schedules, etc. | Documents and records are subject to the same control requirements. |
ISO27001 Structure (diagram; only the last two clauses survive from the figure)
9. Performance Evaluation
10. ISMS Improvement
ISMS Scope

Key Objective 3: Continual improvement of services to our internal and external customers.
Key Objective 4: To secure its information assets and those of its customers, NST shall deploy procedures to maintain the confidentiality, integrity and availability of all information assets.
Key Objective 5: To have year-on-year revenue increase while maintaining profitability.
ISMS Documentation (documentation pyramid; Level 1 shown)
Level 1 (Apex document): management framework, policies, ISMS Manual, scope, Risk Assessment, Statement of Applicability
A.5 Information security policies – controls on how the policies are written and reviewed
A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
A.7 Human resources security – controls prior to employment, during, and after the employment
A.8 Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
A.9 Access control – controls for access control policy, user access management, system and application access control, and user responsibilities
A.10 Cryptography – controls related to encryption and key management
A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
A.12 Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
Guidelines for using the Risk Register Sheet-13

Risk analysis is an evaluation of the identified risk events to determine the likelihood of the events occurring and their impact, to assign a risk rating based on the project criteria and to prioritize the risks. For each risk event, the following risk analysis guidelines can be used:

1. Probability. The likelihood of occurrence can be categorized as:

| Rating | Description | Score |
| --- | --- | --- |
| Near certainty | Event that has a greater than 75% chance of occurring | 5 |
| Highly likely | Event that has between a 51–75% chance of occurring | 4 |
| Likely | Event that has between a 20–50% chance of occurring | 3 |
| Unlikely | Event that has between a 10–20% chance of occurring | 2 |
| Remote | Event that has a 0–10% chance of occurring | 1 |

2. Vulnerability (Impact) value. The vulnerability of each risk is attributed a characterization value as follows:

| Rating | Description | Score |
| --- | --- | --- |
| Showstopper | The effect is catastrophic; the organization may face significant loss and impact. The project will fail. | 4 |
| Critical | The impact is serious and the project may be largely affected due to the risk. There could be huge delays and the project could be postponed due to it. | 3 |
| Marginal | The risks could cause small delays in schedule. | 2 |
| Negligible | The impact of these risks on the project could be minimal. | 1 |

Risk Value = (probability of event) + (Vulnerability) + (CIA Value), i.e. P + I + C:

| Probability (P) | Vulnerability (V) | CIA Values (C) | Risk Value (P+I+C) |
| --- | --- | --- | --- |
| 1 - (R)emote | 1 - (N)egligible | 1 - Low | 3 to 5 - Normal/Trivial |
| 2 - (U)nlikely | 2 - (M)arginal | 2 - Medium | 6 to 7 - Low |
| 3 - (L)ikely | 3 - (C)ritical | 3 - High | 8 to 10 - Medium |
| 4 - (H)ighly likely | 4 - (S)howstopper | | 11 to 12 - High |
| 5 - (N)ear certainty | | | |

Risk Level Value definition:
• 3 to 5: No action required
• 6 to 7: To be reviewed regularly; the organization will accept risk up to this level
• 8 to 10: Medium level risk; mitigation to be planned in a period of six months
• 11 to 12: High level risk; mitigation immediately required
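The scoring rules above (P + V + CIA, banded into Normal/Low/Medium/High with the attached action) as a small risk-register scorer. This is an added example, not part of the training deck; the register entries are constructed samples and the scale names are taken from the tables above.

```python
"""Risk register scoring: Risk Value = Probability + Vulnerability + CIA Value."""
from dataclasses import dataclass

# Rating scales exactly as the risk register guidelines define them.
PROBABILITY = {"Remote": 1, "Unlikely": 2, "Likely": 3, "Highly likely": 4, "Near certainty": 5}
VULNERABILITY = {"Negligible": 1, "Marginal": 2, "Critical": 3, "Showstopper": 4}
CIA_VALUE = {"Low": 1, "Medium": 2, "High": 3}

# Inclusive risk value bands and the action the guidelines attach to each.
RISK_LEVELS = [
    (3, 5, "Normal/Trivial", "No action required"),
    (6, 7, "Low", "Review regularly; organization accepts risk up to this level"),
    (8, 10, "Medium", "Mitigation to be planned within six months"),
    (11, 12, "High", "Mitigation immediately required"),
]

@dataclass
class RiskEntry:
    threat: str
    probability: str    # key of PROBABILITY
    vulnerability: str  # key of VULNERABILITY
    cia: str            # key of CIA_VALUE

def risk_value(entry: RiskEntry) -> int:
    """P + V + C; KeyError on a rating that is not on the scale."""
    return PROBABILITY[entry.probability] + VULNERABILITY[entry.vulnerability] + CIA_VALUE[entry.cia]

def risk_level(value: int) -> tuple:
    """Map a risk value to its (level, required action) band."""
    for lo, hi, level, action in RISK_LEVELS:
        if lo <= value <= hi:
            return level, action
    raise ValueError(f"risk value {value} is outside the 3..12 range the scales can produce")

def bands_cover_all_values() -> bool:
    """Consistency check: every reachable P+V+C score falls in exactly one band."""
    reachable = {p + v + c for p in PROBABILITY.values()
                 for v in VULNERABILITY.values() for c in CIA_VALUE.values()}
    return all(sum(lo <= s <= hi for lo, hi, _, _ in RISK_LEVELS) == 1 for s in reachable)

def score_register(entries) -> list:
    """Return (threat, risk value, level, action) for each register entry."""
    return [(e.threat, risk_value(e), *risk_level(risk_value(e))) for e in entries]

# Constructed sample register (hypothetical entries, not the deck's own data).
SAMPLE_REGISTER = [
    RiskEntry("Unauthorised access to source code", "Likely", "Critical", "High"),    # 3+3+3 = 9
    RiskEntry("Outdated price list left on a desk", "Unlikely", "Marginal", "Low"),   # 2+2+1 = 5
    RiskEntry("Tender documents disclosed", "Highly likely", "Showstopper", "High"),  # 4+4+3 = 11
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(row)
```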
Communication

• What to communicate
• When to communicate
• With whom to communicate
• Who shall communicate
• Processes by which communication shall be effected

Communications provide the statement to the Organization of the
To seek clarification,
Statement of Applicability
Document describing the control objectives and controls that are relevant
and applicable to the organization’s ISMS, based on the results of risk
assessment and risk treatment processes.
Exercise

Given below are examples of various risks that may be faced by an organization. Go through the list of clauses and map them against each risk.

| Threat / Concern | Threat impact | Impact Rating | Probability of Happening | Probability Rating |
| --- | --- | --- | --- | --- |
| Unauthorised Access | It will/may change the functionality of s/w | High | Can happen occasionally | Medium |
| Loss of Source code | System breakdown / Competitive access | High | Occasionally | Medium |
| Maintenance support | Lack of customer satisfaction | High | Frequently | High |
| Training and awareness | Wrong / erroneous operation | Medium | Frequently | High |
New controls

14.2.1 Secure development policy – rules for development of software and information systems

| Area | ISO 27001:2013 |
| --- | --- |
| Communication | There are explicit requirements for both internal and external communications |
| Information security objectives | Information security objectives are now to be set at relevant functions and levels |
| Risk assessment | Identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks (6.1.2 d). The emphasis is now on impact and probability |
| Risk owner | Replaces asset owner |
| Risk treatment plan | The effectiveness of the risk treatment plan is now regarded as being more important than the effectiveness of controls |
| Controls | Now determined during the process of risk treatment |
| Performance evaluation | Covers the measurement of ISMS and risk treatment plan effectiveness |
| Continual improvement | Methodologies other than Plan-Do-Check-Act (PDCA) may be |
| ISO 27001:2013 | ISO 27001:2005 | Change |
| --- | --- | --- |
| A.7.2.1 Management responsibilities | A.8.2.1 Management responsibilities | None |
| A.7.2.2 Information security awareness, education and training | A.8.2.2 Information security awareness, education and training | None |
| A.7.2.3 Disciplinary process | A.8.2.3 Disciplinary process | None |