ISO 27001 March Training

Presentation Description

Third training for 2010, available on martindion.blogspot.com. This presentation is part 1 of 2 focusing on ISO 27001 Clause 4. It covers important elements such as the ISMS perimeter definition, risk management requirements and the Statement of Applicability documentation.

Comments

By: xmxl (16 month(s) ago)

Hi Martin I have visited your 3 presentations and I found them really excellent. I wonder if I can get a copy of them. Best Regards xmxl

Presentation Transcript

ISO 27001 Training, Clause 4 – Information Security Management System (part 1 of 2) : 

Training #3 - March 2010
http://martindion.blogspot.com

Your Host : 

April 5, 2010. Copyright Martin Dion 2010.
- Martin Dion (CISSP/CISM)
- ISO 27001 / ISO 20000 Lead Auditor & Trainer
- Chief Technology Officer at Above Security
- Located in Switzerland
- 15 years of information security experience
- Built « certified » information security management systems
- Management consultant specialized in compliance for international companies, private and offshore banks, lotteries and governments.

Introduction : 

- This third training is the first of two parts on ISO 27001 Clause 4 – Information Security Management System
- This clause is the foundation upon which an ISO 27001 security management system is built
- The purpose of this training is to provide you with an overview of:
  - The general requirements
  - What is needed to establish and manage the ISMS
  - Documentation management

Topics for today : 

- Overview of Clause 4
- The general requirements
- Deming's Plan/Do/Check/Act (PDCA) cycle
- ISMS scoping
- Risk assessment & management
- Statement of Applicability

Overview of Clause 4 : 

[Slide contains no transcript text]

General requirements : 

Clause 4.1 defines the key actions required for the implementation of a certifiable ISMS:
- Establishing
- Implementing
- Operating
- Monitoring
- Reviewing
- Maintaining
- Improving
All of this within a controlled and documented system based on the PDCA cycle.

Deming’s PDCA Cycle : 

- The Deming cycle is a model focusing on continuous improvement
- It is core to all ISO-based management systems
- Plan the objectives
- Do the implementation
- Check against the objectives
- Act and improve upon non-compliances and opportunities

Scoping Overview : 

Clause 4.2.1 defines the steps required to establish the ISMS. The steps we must go through to determine the scope of the ISMS are:
- Define the scope, extent and exclusions of the ISMS
- Define the ISMS management policy
- Define the risk management parameters
- Execute the risk assessment and recommend treatment
- Select the applicable controls
- Accept residual risks
- Generate the Statement of Applicability

Scoping – Perimeter of the ISMS : 

You must clearly establish the corporate boundaries within which the ISMS will intervene. To do so, an organization should:
- Define the characteristics of the business and of the organization in terms of location, assets and technology
- Define and justify any exclusion from the certification scope
- Write a clear statement declaring the previously defined elements
Examples of certification scope statements:
- Company XYZ's activities to develop, sell and market software and associated services.
- Company ABC's European datacenters used to deliver managed services to its financial sector customers.

Thoughts on limiting the ISMS perimeter : 

It is difficult, without a full understanding of control dependencies and organizational ramifications, to limit the scope to a single department or group of individuals (aka scoping down). Although I prefer not to, it might be needed; I see three good ways of scoping down a perimeter:
- All the activities of a specific office, region, geographical location or country within a large set of such elements
- A shared service unit such as “information technology” and its datacenters (but this must include HR/hiring, for example)
- A self-sustained business process (e.g. an off-site call center with its own servers, IT staff and purpose in life; in short, a business within the business)

ISMS Management Policy : 

To ease the project workflow, you will have to define a management-approved policy outlining the roles and responsibilities for managing the ISMS itself. Such a policy will include:
- Your certification scope, as previously discussed
- The framework for setting objectives and establishing an overall sense of direction with regard to information security management
- Business, legal and regulatory requirements, and contractual security obligations
- The organization's strategic risk management context
- The criteria against which risk will be evaluated

Risk Assessment Approach : 

The organization should define a risk assessment approach to be used. Such an approach should be compatible with the ISO requirements, which are:
- Reproducible and comparable results
- Vulnerability- and threat-oriented
- Qualitative or quantitative, but it should consider impact and probability
- Consider not only the technical aspects but also the business, legal and regulatory aspects
Other factors that can be considered: language, maintainability, support by a software tool…

Risk Management Standards : 

Available risk management frameworks:
- ISO 27005
- ISO 31000 / 31010
- Risk IT from ISACA / the IT Governance Institute
Available risk assessment methods:
- OCTAVE from Carnegie Mellon University
- EBIOS from the French Government
- Microsoft Self Assessment Tool
Before making a choice, I invite you to have a look at ENISA's (European Network and Information Security Agency) directory of Risk Management and Risk Analysis Tools (www.enisa.europa.eu/act/rm/cr/risk-management-inventory).

Risk Identification : 

To conduct a complete risk assessment, which includes an evaluation of the risk posture, you first need to identify what I refer to as the “raw risks”. To do so, you need to go through the following steps:
- Identify the assets within the scope of the ISMS
- Determine the owners of these assets
- Identify the threats to those assets
- Identify the vulnerabilities that might be exploited by the threats
- Identify the impacts that losses of confidentiality, integrity and availability may have on the assets

Risk Analysis : 

The second step is risk analysis and evaluation. To do so, you need to go through the following steps:
- Assess the business impacts upon the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets
- Assess the realistic likelihood that threats exploit vulnerabilities
- Determine the efficiency of the currently implemented controls
- Estimate the levels of risk
- Determine whether or not the risks are acceptable against the previously established risk acceptance levels

Risk Treatment : 

Third step: for all the risks that are not within the “comfort zone”, you will have to select risk treatment options. The possible risk treatment options are the following:
- Applying appropriate controls (ISO or others);
- Knowingly and objectively accepting risks, provided they clearly satisfy the organization's policies and the criteria for accepting risks;
- Avoiding the risks, for example by changing a service delivery approach or stopping a risky business activity; and
- Transferring the associated business risks to other parties, such as insurers or suppliers.

Control Selection : 

Most of the time, discovered risks “come with the territory”, but the materiality of such risks justifies supplemental control implementation. When the organization selects controls, it must be done in accordance with the following:
- They shall be selected in accordance with the risk acceptance criteria as well as legal/regulatory/contractual requirements.
- They shall come from Annex A and be suitably selected as part of this process to cover the identified requirements.
Although not exhaustive, Annex A is an important starting point not to be overlooked. But you must keep in mind that you might need to complete your control framework with other controls when relevant to business needs.

Residual Risks and endorsement : 

The final step of this initial risk assessment is the residual risk approval: it is necessary to obtain management approval of the proposed residual risks. Residual risks exist because:
- Controls are not yet implemented
- The risk costs too much to mitigate, so we accept it
- Although controlled to a certain level, the risks do not disappear; what is left of them needs to be understood
Once the residual risks are accepted, management should formally endorse the ISMS project and provide sufficient resources for implementation.

Statement of Applicability : 

The Statement of Applicability provides a summary of decisions concerning risk treatment. It is a list detailing the selected control objectives and controls and the reasons for their selection.
- Any exclusion of control objectives and controls from Annex A must be justified
- Exclusions are subject to rejection by the registration body if the materiality of the risk is critical and/or seems to be greater than the implementation cost
- An exclusion can also be rejected if it goes against widely accepted industry best practice (e.g. no anti-virus, with the justification “we never had a virus…”)

Statement of Applicability : 

Normative controls from clauses 4 to 8 do not have to be included in the SoA: since they are mandatory, you can't exclude any of them anyway. Here are some potentially valid reasons for excluding some Annex A controls:
- If your business does not develop in-house software, you can exclude the relevant controls
- If you do not use any third party in delivering your service to your customer base, controls for contracting third parties or risks related to third-party identification are not applicable
- Security and employee monitoring related controls might be against your country's privacy protection law
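The risk assessment chain described on the previous slides (risk identification, risk analysis and evaluation against an acceptance level, treatment selection, residual risk, and the Statement of Applicability with justified exclusions), as an added worked example in Python. This is not code from Martin Dion's presentation: the 1..5 impact/likelihood scales, the acceptance level of 8, the sample assets, owners and threats, and the control identifiers A.x.1 to A.x.4 are all constructed assumptions; real Annex A numbering is deliberately not reproduced.

```python
"""Risk register -> evaluation -> treatment check -> Statement of Applicability.
Constructed example; every asset, scale, threshold and control id is an assumption."""
from dataclasses import dataclass

# Risk acceptance criteria (constructed): impact and likelihood are scored 1..5,
# score = worst-case impact x likelihood, and anything at or below this value
# is inside the "comfort zone" and may simply be accepted.
RISK_ACCEPTANCE_LEVEL = 8
TREATMENTS = {"apply controls", "accept", "avoid", "transfer"}

# Placeholder control catalogue; real Annex A identifiers are not reproduced here.
ANNEX_A = {
    "A.x.1": "Malware protection",
    "A.x.2": "Secure development lifecycle",
    "A.x.3": "Supplier service delivery management",
    "A.x.4": "Backup",
}


@dataclass
class RawRisk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    impact_cia: dict           # loss of C, I, A scored 1..5 each
    likelihood: int            # 1..5
    control_efficiency: float  # 0.0 = no control in place, 1.0 = fully effective
    treatment: str             # one of TREATMENTS
    controls: tuple = ()       # control ids selected when treatment == "apply controls"


def inherent_score(r: RawRisk) -> int:
    """Raw risk before any existing control is taken into account."""
    return max(r.impact_cia.values()) * r.likelihood


def residual_score(r: RawRisk) -> float:
    """Existing controls are modelled as reducing likelihood; impact is unchanged."""
    return round(inherent_score(r) * (1.0 - r.control_efficiency), 1)


def evaluate(r: RawRisk, acceptance_level: int = RISK_ACCEPTANCE_LEVEL) -> dict:
    """Risk analysis and evaluation: compare residual risk with the acceptance
    level and check that the chosen treatment is consistent with the criteria."""
    residual = residual_score(r)
    acceptable = residual <= acceptance_level
    findings = []
    if r.treatment not in TREATMENTS:
        findings.append(f"unknown treatment '{r.treatment}'")
    if r.treatment == "accept" and not acceptable:
        findings.append("acceptance above the acceptance level needs documented management approval")
    if r.treatment == "apply controls" and not r.controls:
        findings.append("treatment 'apply controls' lists no controls")
    return {"asset": r.asset, "inherent": inherent_score(r), "residual": residual,
            "acceptable": acceptable, "treatment": r.treatment, "findings": findings}


def statement_of_applicability(risks, exclusions: dict) -> list:
    """One row per catalogue control: selected (with the risks that justify it)
    or excluded (with a written justification). An exclusion nobody has
    justified is flagged instead of being silently accepted."""
    rows = []
    for cid, name in ANNEX_A.items():
        justified_by = [r.asset for r in risks if cid in r.controls]
        if justified_by:
            reason, applicable = "treats risk on: " + ", ".join(justified_by), True
        elif cid in exclusions:
            reason, applicable = exclusions[cid], False
        else:
            reason, applicable = "UNJUSTIFIED EXCLUSION: justification must be documented", False
        rows.append({"control": cid, "name": name, "applicable": applicable, "reason": reason})
    return rows


# Constructed sample register (assets, owners, threats and scores are made up).
REGISTER = [
    RawRisk("Customer database", "Head of Operations", "Malware infection",
            "Workstations without anti-malware", {"C": 5, "I": 4, "A": 4}, 4, 0.0,
            "apply controls", ("A.x.1",)),
    RawRisk("File server", "IT manager", "Disk failure", "Backups not tested",
            {"C": 1, "I": 3, "A": 4}, 3, 0.5, "apply controls", ("A.x.4",)),
    RawRisk("Marketing website", "Marketing lead", "Defacement", "Hosted CMS not patched",
            {"C": 1, "I": 2, "A": 2}, 3, 0.0, "accept"),
    RawRisk("Laptops", "IT manager", "Theft while travelling", "Staff travel frequently",
            {"C": 4, "I": 2, "A": 2}, 4, 0.0, "accept"),
]

# Written justification for a control nobody selected; A.x.3 is deliberately
# left out to show how the SoA flags an undocumented exclusion.
EXCLUSIONS = {"A.x.2": "No in-house software development; all applications are purchased."}


def run(register=REGISTER, exclusions=EXCLUSIONS):
    """Return (evaluation per risk, SoA rows) so the results can be inspected or tested."""
    return [evaluate(r) for r in register], statement_of_applicability(register, exclusions)


if __name__ == "__main__":
    evaluations, soa = run()
    for e in evaluations:
        print(f"{e['asset']:<20} inherent={e['inherent']:>3} residual={e['residual']:>5} "
              f"acceptable={e['acceptable']!s:<5} {e['treatment']:<15} {e['findings']}")
    for row in soa:
        print(f"{row['control']} {row['name']:<38} applicable={row['applicable']!s:<5} {row['reason']}")
```

Running the module prints one line per risk and one per control. The "Laptops" risk is accepted although its residual score (16) is above the acceptance level, so the evaluation flags it for documented management approval, and A.x.3 has neither a justifying risk nor a written justification, so the SoA row carries an "UNJUSTIFIED EXCLUSION" marker rather than quietly dropping the control.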

Conclusion : 

This concludes our training for today. Next time, we will cover:
- The implementation and operation of the ISMS
- Monitoring and reviewing the ISMS
- Maintenance of the ISMS
- Documentation control
- Records control
The elements covered in today's training are critical to your ISMS project's success. They are the foundation of your ISMS; it is better to get them right the first time.

Closing remarks : 

I hope you enjoyed this training session. If you have questions, comments or suggestions, please do not hesitate to comment on the blog. It is really important to me that you transmit them so I can improve the content and delivery of future video trainings. Remember that the only stupid question is the one we do not ask! The current presentation will be published on the blog when the next training becomes available, and the next slide, titled “Further Readings”, will be stored on the blog right away in case you want to dig for yourself.

Further Readings : 

- My company: www.abovesecurity.com
- My blog: martindion.blogspot.com
- ISACA Risk IT: www.isaca.org/Template.cfm?Section=Risk_IT7&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=79&ContentID=48749
- ENISA Risk Management Frameworks and Tools: www.enisa.europa.eu/act/rm/cr/risk-management-inventory
- Microsoft Security Self Assessment Tool (MSAT): technet.microsoft.com/en-us/security/cc185712.aspx?ppud=4
- OCTAVE from the CERT/CC: http://www.cert.org/octave/
- EBIOS from the French Government: http://rm-inv.enisa.europa.eu/methods_tools/t_ebios.html
Thank you!