Implementation Guidance of Information Security Management System based on ISO/IEC 27003:2010 By: HALIZA IBRAHIM

Implementation Guidance of Information Security …safebridge.pt/Whitepapers/ISO27003/Implementation Guidance of...Implementation Guidance of Information Security Management System


Getting your ISMS right

My primary focus is to constantly increase shareholder value

  Depends on: Customer retention & acquisition

    Depends on: TRUST

      Depends on: Continuous availability of services

        Depends on: Continuous availability of information and information systems

Information security influences the way your customers TRUST and buy your brand

Purpose of the standard

1. Provide practical guidance in developing the implementation plan for an ISMS project

2. Applicable to organizations of all types and sizes

FIVE (5) PHASES

Phase 1: Obtaining management approval for initiating an ISMS project

Phase 2: Defining ISMS scope and ISMS policy

Phase 3: Conducting information security requirements analysis

Phase 4: Conducting risk assessment and planning risk treatment

Phase 5: Designing the ISMS

Phase 1: Obtaining management approval for initiating an ISMS project

Objective: To obtain management approval to start the ISMS project by defining a business case and the project plan.

Activities

1. Clarify the organization's priorities to develop an ISMS

2. Develop the preliminary ISMS scope

3. Define roles & responsibilities for the preliminary ISMS scope

4. Create the business case and the project plan for management approval

PHASE 1 ACTIVITY 1: Clarify the organization's priorities to develop an ISMS

INPUT

* Strategic objectives

* Existing management systems

* A list of legal, regulatory, and contractual information security requirements

OUTPUT

* Objectives, priorities, and requirements for an ISMS

* A list of regulatory, contractual, and industry requirements

* Outlined characteristics of the business, the organization, its location, assets, and technology

Factors to consider:

• critical business and organizational areas

• sensitive or valuable information

• laws which mandate information security measures

• contractual or organizational agreements relating to information security

• industry requirements which specify particular information security controls or measures

• the threat environment

• competitive drivers

• business continuity requirements

PHASE 1 ACTIVITY 2: Define the preliminary ISMS scope

INPUT

* Output from "Clarify the organization's priorities to develop an ISMS"

OUTPUT

* A document which describes the preliminary scope of the ISMS

Define the preliminary ISMS scope

• The preliminary scope usually covers:

– a summary of the mandates for the ISMS established by management

– a description of how the area(s) in scope interact with other management systems

– a list of the business objectives of the ISMS

– a list of critical business processes, systems, information assets, organizational structures and geographic locations

– the relationship of existing management systems, regulatory, compliance, and organization objectives

– the characteristics of the business, the organization, its location, assets and technology

PHASE 1 ACTIVITY 3: Define roles & responsibilities for the preliminary ISMS scope

INPUT

* Output from "Develop the preliminary ISMS scope"

* List of stakeholders who will benefit from the results of the ISMS project

OUTPUT

* A document describing the roles and responsibilities

Roles & responsibilities for the preliminary ISMS scope

• Overall responsibility for the tasks remains at the management level

• One person is appointed to promote and co-ordinate the information security process

• Each employee is equally responsible for his or her original task and for maintaining information security in the workplace

• An information security forum could facilitate collaboration among the roles for managing information security

PHASE 1 ACTIVITY 4: Create the business case and the project plan for management approval

INPUT

* Output from "Clarify the organization's priorities to develop an ISMS"

* Output from "Define the preliminary ISMS scope"

OUTPUT

* A documented approval by management

* A documented business case

* An initial ISMS project proposal

The business case should cover the following subjects:

• Goals and specific objectives

• Benefit to the organization

• Preliminary scope of the ISMS

• Critical processes & factors for reaching the ISMS objectives

• High-level project overview

• Initial implementation plan

• Defined roles and responsibilities

• Required resources (both technology and people)

• Implementation considerations, including existing information security

• Timeline with key milestones

• Expected costs

• Critical success factors

• Quantified benefits to the organization

Phase 2: Defining ISMS scope, boundaries and ISMS policy (ISO/IEC 27001:2005 clauses 4.2.1 a), 4.2.1 b))

Objective: To define the detailed scope and boundaries of the ISMS, develop the ISMS policy, and obtain endorsement from management

Activities

1. Define organizational scope and boundaries

2. Define information communication technology (ICT) scope and boundaries

3. Define physical scope and boundaries

4. Integrate each scope and boundaries to obtain the ISMS scope and boundaries

5. Develop the ISMS policy and obtain approval from management

PHASE 2 ACTIVITY 1: Define organizational scope and boundaries

INPUT

* Output from "Clarify the organization's priorities to develop an ISMS"

* Output from "Define the preliminary ISMS scope"

OUTPUT

* Description of organizational boundaries

* Functions and structure of the organization

* Identification of information exchanged

* Organization processes and the responsibilities

* Process for the hierarchy of decision making

Define organizational scope and boundaries

• The amount of effort required to implement an ISMS depends on the magnitude of the scope to which it is to be applied.

• Boundaries must be defined to ensure that all relevant assets are taken into account in the risk assessment, and to address the risks that might arise across these boundaries.

• If some processes within the scope are outsourced to third parties, those dependencies should be clearly documented.

PHASE 2 ACTIVITY 2: Define information communication technology (ICT) scope and boundaries

INPUT

* Output from "Define the preliminary ISMS scope"

* Output from "Define organizational scope and boundaries"

OUTPUT

* Information exchanged

* ICT boundaries for the ISMS

* The information systems and telecommunication networks

ICT boundaries should include a description of the following when applicable:

• Communications infrastructure

• Software within the organizational boundaries

• ICT hardware required by the network or networks, applications or production systems

• Roles and responsibilities regarding ICT hardware, network and software

PHASE 2 ACTIVITY 3: Define physical scope and boundaries

INPUT

* Output from "Define the preliminary ISMS scope"

* Output from "Define organizational scope and boundaries"

* Output from "Define information communication technology (ICT) scope and boundaries"

OUTPUT

* Description of physical boundaries for the ISMS

* Description of the organization's sites and their geographical characteristics

Physical boundaries should include a description of the following:

• Functions or process descriptions, taking into account their physical location and the extent to which the organization controls them

• Special facilities used for storing/containing ICT hardware or in-scope data (e.g. on back-up tapes), based upon the coverage of the ICT boundaries

• Any third-party dependencies, which should be documented

PHASE 2 ACTIVITY 4: Integrate each scope and boundaries to obtain the ISMS scope and boundaries

INPUT

* Output from "Define the preliminary ISMS scope"

* Output from "Define organizational scope and boundaries"

* Output from "Define information communication technology (ICT) scope and boundaries"

* Output from "Define physical scope and boundaries"

OUTPUT

* Document describing the scope and boundaries of the ISMS

The scope and boundaries of the ISMS, containing the following information:

• Key characteristics of the organization

• In-scope organizational processes

• Configuration of in-scope equipment and networks

• Preliminary list of in-scope information assets

• List of in-scope ICT assets

• Map of in-scope sites, indicating the physical boundaries

• Roles and responsibilities descriptions

• Details of and justification for any exclusions from the ISMS scope

PHASE 2 ACTIVITY 5: Develop the ISMS policy and obtain approval from management

INPUT

* Output from "Integrate each scope and boundaries to obtain the ISMS scope and boundaries"

* Output from "Clarify the organization's priorities to develop an ISMS"

* Output from "Create the business case and the project plan for management approval"

OUTPUT

* The documented, management-approved ISMS policy

While defining the ISMS policy, the following aspects should be considered:

• establish the ISMS objectives

• establish the general focus and guide to action to achieve the ISMS objectives

• consider the organization's requirements and its legal, regulatory and contractual obligations

• the risk management context within the organization

• establish the criteria for evaluating risks and define a risk assessment structure

• clarify high-level management responsibilities with regard to the ISMS

• obtain management approval

Phase 3: Conducting information security requirements analysis (ISO/IEC 27001:2005 clauses 4.2.1 c) 1), 4.2.1 d), 4.2.1 e))

Objective: To define the relevant requirements to be supported by the ISMS, identify the information assets, and obtain the current information security status within scope

Activities

1. Define information security requirements for the ISMS process

2. Identify assets within the ISMS scope

3. Conduct an information security assessment

PHASE 3 ACTIVITY 1: Define information security requirements for the ISMS process

INPUT

* Output from "Clarify the organization's priorities to develop an ISMS"

* Output from "Integrate each scope and boundaries to obtain the ISMS scope and boundaries"

* Output from "Develop the ISMS policy and obtain approval from management"

OUTPUT

* Identification of the main processes, functions, locations, information systems, communication networks and information assets

* Information security requirements

* List of publicly known vulnerabilities

* Organization information security training and education requirements

The following should be addressed:

• Preliminary identification of important information assets and their current information security protection

• Identify the visions of the organization and determine the effect of the identified visions on future information processing requirements

• Analyze the current forms of information processing, system applications and communication networks

• Identify all essential requirements

• Identify the level of information security awareness

PHASE 3 ACTIVITY 2: Identify assets within the ISMS scope

INPUT

* Output from "Integrate each scope and boundaries to obtain the ISMS scope and boundaries"

* Output from "Develop the ISMS policy and obtain approval from management"

* Output from "Define information security requirements for the ISMS process"

OUTPUT

* Identified information assets of the main processes of the organization within the ISMS scope

* Information security classification of critical processes and information assets

To identify the assets within the ISMS scope, the following information should be identified and listed:

• Unique name of the process

• Process description and associated activities

• Criticality of the process to the organization (critical, important, supporting)

• Process owner (organization unit)

• Processes providing input to and receiving output from this process

• IT applications supporting the process

• Information classification

PHASE 3 ACTIVITY 3: Conduct an information security assessment

INPUT

* Output from "Integrate each scope and boundaries to obtain the ISMS scope and boundaries"

* Output from "Develop the ISMS policy and obtain approval from management"

* Output from "Define information security requirements for the ISMS process"

* Output from "Identify assets within the ISMS scope"

OUTPUT

* A document summarizing the assessed security status of the organization and the evaluated vulnerabilities

Information security assessment

• Activity for identifying the existing level of information security

• Purpose: To provide information supporting the description required for the management system in the form of policy and guidelines

The following actions are important for a successful information security assessment:

• Identify and list the relevant standards of the organization

• Identify known control requirements that arise from policies, legal and regulatory requirements, contractual obligations, findings from past audits, or findings from risk assessments done in the past

• Use these as reference documents so that a rough estimate can be made of the organization's current requirements concerning its level of information security

The approach for conducting the information security assessment is as follows:

• Select the important organizational business processes and process steps

• Create a comprehensive flow chart covering the organization's main processes, including infrastructure (logical and technical)

• Discuss with suitable key personnel and analyze the organization's current situation in relation to the information security requirements

• Determine control deficiencies by comparing existing controls with the previously identified control requirements

• Complete and document the current status

Phase 4: Conducting risk assessment and planning risk treatment (ISO/IEC 27001:2005 clauses 4.2.1 c) to 4.2.1 j))

Objective: To define the risk assessment methodology; identify, analyze and evaluate the information security risks; select risk treatment options; and select control objectives and controls

Activities

1. Conduct risk assessment

2. Select the control objectives and controls

3. Obtain management authorization for implementing and operating an ISMS

PHASE 4 ACTIVITY 1: Conduct risk assessment

INPUT

* ISO/IEC 27005:2008 Information security risk management

* Output from "Defining ISMS scope, boundaries and ISMS policy"

* Outputs from "Conducting information security requirements analysis"

OUTPUT

* The description of the risk assessment methodology

* The results of the risk assessment

The risk assessment should:

• Identify threats and their sources

• Identify existing and planned controls

• Identify vulnerabilities that can be exploited by threats to cause harm to assets or to the organization

• Identify the consequences that losses of confidentiality, integrity, availability, non-repudiation, and other security requirements may have on the assets

• Assess the business impact that might result from anticipated or actual information security incidents

• Assess the likelihood of the incident scenarios

• Estimate the level of risk

• Compare levels of risk against the risk evaluation criteria and risk acceptance criteria

PHASE 4 ACTIVITY 2: Select the control objectives and controls

INPUT

* Output from "Conduct risk assessment"

* ISO/IEC 27005:2008 Information security risk management

* ISO/IEC 27002:2005 Code of practice for information security management

OUTPUT

* A list of selected controls and control objectives

* The risk treatment plan

Select the control objectives and controls

• It is important to specify the relation between the risks and the selected options for treating them, as this provides a summary of the risk treatment.

• ISO/IEC 27001:2005 Annex A (normative), "Control objectives and controls", is used to select control objectives and controls for risk treatment.

• It is important to demonstrate how the selected controls will mitigate the risks, as required by the risk treatment plan.
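The assessment steps listed earlier (identify threats, vulnerabilities and existing controls; estimate the level of risk; compare it against the evaluation and acceptance criteria) and the requirement on this slide to tie every risk to its treatment option and selected controls are shown together in the Python sketch below. It is an added example, not code from the presentation or from ISO/IEC 27003. The 1-5 likelihood and impact scale, the acceptance threshold of 8, the consistency checks, and the sample register entries are all assumptions; the Annex A style control identifiers are used only as illustrative labels.

```python
"""Toy risk register: estimate the level of each risk, compare it with the
acceptance criteria, and tie the risk to a treatment option and controls.

Added example, not from the ISO/IEC 27003:2010 presentation.  Assumptions:
likelihood and impact on 1..5 scales, level = likelihood * impact, levels
at or below ACCEPT_THRESHOLD are acceptable, and the register entries and
control identifiers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCEPT_THRESHOLD = 8                                   # risk acceptance criterion (assumed)
TREATMENTS = {"reduce", "retain", "avoid", "transfer"}  # treatment options named in ISO/IEC 27005


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1..5
    impact: int                          # 1..5, worst of the C/I/A consequences
    existing_controls: List[str] = field(default_factory=list)
    treatment: str = "retain"
    planned_controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # expected values after treatment
    residual_impact: Optional[int] = None


def risk_level(likelihood: int, impact: int) -> int:
    """Risk evaluation criterion: likelihood x impact on the assumed 1..5 scales."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def is_acceptable(level: int, threshold: int = ACCEPT_THRESHOLD) -> bool:
    return level <= threshold


def residual_level(risk: Risk) -> int:
    """Level after the planned treatment; unchanged if no reduction is planned."""
    lk = risk.likelihood if risk.residual_likelihood is None else risk.residual_likelihood
    im = risk.impact if risk.residual_impact is None else risk.residual_impact
    return risk_level(lk, im)


def validate_treatment(risk: Risk) -> List[str]:
    """Consistency checks before the plan goes to management; empty list means OK."""
    findings = []
    if risk.treatment not in TREATMENTS:
        findings.append(f"{risk.risk_id}: unknown treatment option {risk.treatment!r}")
    inherent, residual = risk_level(risk.likelihood, risk.impact), residual_level(risk)
    if risk.treatment == "reduce" and not risk.planned_controls:
        findings.append(f"{risk.risk_id}: 'reduce' chosen but no controls selected")
    if risk.treatment == "retain" and not is_acceptable(inherent):
        findings.append(f"{risk.risk_id}: retained risk {inherent} exceeds threshold "
                        f"{ACCEPT_THRESHOLD}; needs explicit management acceptance")
    if risk.treatment == "reduce" and not is_acceptable(residual):
        findings.append(f"{risk.risk_id}: residual risk {residual} still above threshold after treatment")
    return findings


def risk_treatment_plan(register: List[Risk]) -> Tuple[List[dict], List[str]]:
    """Risk -> treatment -> controls table, plus the residual risks management must accept."""
    rows, to_accept = [], []
    for r in register:
        residual = residual_level(r)
        rows.append({"risk": r.risk_id, "asset": r.asset,
                     "inherent": risk_level(r.likelihood, r.impact),
                     "treatment": r.treatment, "controls": list(r.planned_controls),
                     "residual": residual})
        if not is_acceptable(residual):
            to_accept.append(r.risk_id)
    return rows, to_accept


def statement_of_applicability(register: List[Risk], annex_a: List[str]) -> Dict[str, List[str]]:
    """Each control with the risks that justify it; a control with no risks needs
    a documented justification for exclusion (or inclusion on another basis)."""
    soa: Dict[str, List[str]] = {cid: [] for cid in annex_a}
    for r in register:
        for cid in r.existing_controls + r.planned_controls:
            soa.setdefault(cid, []).append(r.risk_id)
    return soa


# Constructed sample data (illustrative control labels, not real findings).
ANNEX_A_SAMPLE = ["A.8.2.2", "A.10.5.1", "A.10.6.1", "A.11.2.1", "A.12.6.1"]
REGISTER = [
    Risk("R-01", "customer database", "ransomware", "unpatched servers", 4, 5,
         existing_controls=["A.10.6.1"], treatment="reduce",
         planned_controls=["A.12.6.1", "A.10.5.1"], residual_likelihood=2, residual_impact=3),
    Risk("R-02", "intranet wiki", "accidental deletion", "no backup", 3, 2, treatment="retain"),
    Risk("R-03", "payment gateway", "insider misuse", "shared admin accounts", 3, 5,
         treatment="reduce", planned_controls=["A.11.2.1"], residual_likelihood=2, residual_impact=5),
]

if __name__ == "__main__":
    for risk in REGISTER:
        for finding in validate_treatment(risk):
            print("FINDING:", finding)
    plan, needs_acceptance = risk_treatment_plan(REGISTER)
    for row in plan:
        print(row)
    print("residual risks requiring management acceptance:", needs_acceptance)
    print(statement_of_applicability(REGISTER, ANNEX_A_SAMPLE))
```

Running it flags R-03, where the planned control still leaves the residual level above the threshold, so that risk has to appear explicitly in the management acceptance of residual risks produced in Activity 3 rather than being silently carried in the plan. The Statement of Applicability view also exposes controls in the reference list that no risk justifies, which is exactly where an auditor will ask for the exclusion rationale.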

PHASE 4 ACTIVITY 3: Obtain management authorization for implementing and operating an ISMS

INPUT

* Output from "Create the business case and the project plan for management approval"

* Outputs from "Defining ISMS scope, boundaries and ISMS policy"

* Output from "Conduct risk assessment"

* Output from "Select the control objectives and controls"

OUTPUT

* Written notice of management approval

* Management acceptance of residual risks

* Statement of Applicability

Phase 5: Designing the ISMS (ISO/IEC 27001:2005 clauses 4.2.2 a) to e), h))

Objectives: Design organizational security based on the selected risk treatment options, as well as the requirements regarding records and documents; design the controls, integrating security provisions for ICT, physical and organizational processes; and design the ISMS-specific requirements

Activities

1. Design organizational information security

2. Design ICT and physical information security

3. Design ISMS-specific information security

4. Produce the final ISMS project plan

PHASE 5 ACTIVITY 1-1: Design of the final organizational structure for information security

INPUT

* Output from "Define roles & responsibilities"

* Output from "Integrate each scope and boundaries"

* Output from "Develop the ISMS policy"

* Output from "Define information security requirements for the ISMS process"

* Output from "Identify assets within the ISMS scope"

* Output from "Conduct an information security assessment"

* Output from "Conduct risk assessment"

* Output from "Select the control objectives and controls"

* ISO/IEC 27002:2005

OUTPUT

* A document summarizing the organization structure and its roles and responsibilities

PHASE 5 ACTIVITY 1-2: Design a framework for documentation of the ISMS

INPUT

* Output from "Integrate each scope and boundaries" (the ISMS scope and boundary definition)

* Output from "Develop the ISMS policy"

* Output from "Obtain management authorization for implementing and operating an ISMS"

* Output from "Design of the final organizational structure for information security"

* ISO/IEC 27002:2005

OUTPUT

* A document summarizing:

- the requirements for ISMS records and documentation control

- repositories and templates for records

Design a framework for documentation of the ISMS

• The ISMS documentation should include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

• ISMS documents should provide the evidence that controls are selected based on the results of risk assessment and risk treatment, and that such processes are implemented in line with the ISMS policy and objectives.

• Records should be created, maintained and controlled as evidence that the ISMS of the organization conforms to ISO/IEC 27001:2005, and to show the effectiveness of operations.

• It is also required to keep records of implementation status for the entire PDCA cycle, as well as records of information security incidents and events; records of education, training, skills, experience and qualifications; internal ISMS audits; corrective and preventive actions; and organizational records.

PHASE 5 ACTIVITY 1-3: Design the information security policy

INPUT

* Output from "Clarify the organization's priorities to develop an ISMS"

* Output from "Create the business case and the project plan for management approval"

* Output from "Integrate each scope and boundaries to obtain the ISMS scope and boundaries"

* Output from "Develop the ISMS policy and obtain approval from management"

* Output from "Define information security requirements for the ISMS process"

* Output from "Identify assets within the ISMS scope"

* Output from "Conduct an information security assessment"

* Output from "Conduct risk assessment"

* Output from "Design of the final organizational structure for information security"

* Output from "Design a framework for documentation of the ISMS"

* ISO/IEC 27002:2005, clause 5.1.1

OUTPUT

* A document of the information security policy

The information security policy

• Documents the organization's strategic position with respect to the information security objectives throughout the organization.

• Established within the organization by the operational manager.

• Approved.

• Communicated to everyone in the organization in such a way that it is relevant, accessible and understandable for its readers.

PHASE 5 ACTIVITY 1-4: Develop information security standards and procedures

INPUT

* Output from "Integrate each scope and boundaries to obtain the ISMS scope and boundaries"

* Output from "Develop the ISMS policy and obtain approval from management"

* Output from "Conduct risk assessment"

* Output from "Select the control objectives and controls"

* Output from "Obtain management authorization for implementing and operating an ISMS"

* Output from "Design of the final organizational structure for information security"

* Output from "Design a framework for documentation of the ISMS"

* Output from "Design the information security policy"

* ISO/IEC 27002:2005

OUTPUT

* A detailed implementation plan for controls

* Information security standards and procedures

Develop information security standards and procedures

• Information security standards, as well as the set of applicable legal and regulatory requirements, should be available to those who need to know.

• Representatives of the different parts of the organization covered by the scope of the ISMS should participate in the process of developing standards and procedures.

• Those participating should have authority and be representative of the organization.

Page 51

PHASE 5 ACTIVITY 2-1

Design ICT and physical information security

INPUT

*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries

*output from Develop the ISMS policy and obtain approval from management

*output from Define information security requirements for the ISMS process

*output from Identify assets within the ISMS scope

*output from Conduct an information security assessment

*output from Select the control objectives and controls

*output from Obtain management authorization for implementing and operating an ISMS

*ISO/IEC 27002:2005

OUTPUT

*a detailed implementation plan for controls relating to ICT and physical security

Page 52

In this activity the following should be documented for each control, which should be a part of the ISMS project plan:

• Person responsible for implementation of a control

• Priority of the control to be implemented

• Tasks or activities to implement controls

• Statement of the time by which the control should have been implemented

• Person to whom implementation of the control should be reported, once complete

• Resources for implementation (manpower, resource requirements, space requirements, costs)

Page 53

PHASE 5 ACTIVITY 2-2

Plan for management reviews

INPUT

*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries

*output from Develop the ISMS policy and obtain approval from management

*output from Obtain management authorization for implementing and operating an ISMS

*output from Design the information security policy

*ISO/IEC 27004:2009: Information Security Mgmt Measurements

OUTPUT

*a document which summarizes the plan needed for the management review addressing:

- inputs required to perform an ISMS management review

- procedures for the management review covering the auditing and monitoring and measuring aspects

Page 54

Plan for management reviews

• A plan should be developed to ensure management involvement and commitment to the review of the ISMS operation and its ongoing improvement.

• Planning of management reviews includes establishing when and how they take place. Management reviews should be based upon results from ISMS measurements and other information collected during the operation of the ISMS.

• Results of the internal ISMS audit are important inputs of the ISMS management review.

Page 55

PHASE 5 ACTIVITY 2-3

Design information security awareness, training and education program

INPUT

*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries

*output from Develop the ISMS policy and obtain approval from management

*output from Define information security requirements for the ISMS process

*output from Obtain management authorization for implementing and operating an ISMS

*output from Select the control objectives and controls

*output from Design the information security policy

*output from Develop information security standards and procedures

*overview of the organization’s general education and training program

OUTPUT

*plans for information security awareness, education and training

*actual records

Page 56

Design information security awareness, training and education program

• Management is responsible for carrying out education and training to ensure that all personnel who are allocated a clearly defined role have the competence to perform the operations required.

• Ideally, the content of the education and training performed should help all personnel be aware of and understand the meaning and importance of the information security activities they are involved in, and how they can contribute to achieving the goals of the ISMS.

• It is important to ensure at this point that every employee within the ISMS scope receives the necessary security training and/or education.

Page 57

PHASE 5 ACTIVITY 4

Produce the final ISMS project plan

INPUT

*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries

*output from Develop the ISMS policy and obtain approval from management

*output from Design Organizational Information Security

*output from Design ICT and Physical Information Security

*output from Design ISMS specific Information Security

*ISO/IEC 27002:2005

OUTPUT

*the final ISMS project implementation plan.

Page 58

Produce the final ISMS project plan

• The activities required to implement selected controls and carry out other ISMS related activities should be formalized in a detailed implementation plan as part of the final ISMS project.

• The detailed implementation plan may also be supported by descriptions of proposed implementation tools and methods.

• As an ISMS project involves many different roles in the organization, it is important that the activities are clearly assigned to responsible parties, and that the plan is communicated both early in the project and throughout the organization.

Page 59

Implementation Roadmap (diagram; labels recovered from the figure): Identification of Scope, ISMS Policy, Risk Assessment, Risk Treatment, Allocation of Responsibilities, Security Education & Training, Controls Implementation, Incident Handling, Monitoring, Review and Maintenance, Continual improvement, CERTIFICATION.

Page 60

THANK YOU

SIRIM QAS International Sdn. Bhd.

Building 8, No. 1, Persiaran Dato’ Menteri

Section 2, P.O. Box 7035

40911 Shah Alam

Selangor Darul Ehsan