Implementation Guidance of Information Security Management System
based on ISO/IEC 27003:2010
By:
HALIZA IBRAHIM
Getting your ISMS right
My primary focus is to constantly increase shareholder value
Depends on: Customer retention & acquisition
Depends on: TRUST
Depends on: Continuous availability of services
Depends on: Continuous availability of information and information systems
Information security influences the way your customers TRUST and buy your brand
Purpose of the standard
1. Provide practical guidance in developing the implementation plan for an ISMS project
2. Applicable to all types of organizations of all sizes
FIVE (5) PHASES
Phase 1: Obtaining management approval for initiating an ISMS project
Phase 2: Defining ISMS Scope and ISMS Policy
Phase 3: Conducting information security requirements analysis
Phase 4: Conducting Risk Assessment and planning Risk Treatment
Phase 5: Designing the ISMS
Phase 1: Obtaining management approval for initiating an ISMS project
Objectives: To obtain management approval to start the ISMS project by defining a business case and the project plan.
Activities
1. Clarify the organization’s priorities to develop an ISMS
2. Develop the preliminary ISMS scope
3. Define roles & responsibilities for the preliminary ISMS scope
4. Create the business case and the project plan for management approval
INPUT
* Strategic objectives
* Existing management systems
* A list of legal, regulatory, and contractual information security requirements
PHASE 1 ACTIVITY 1
Clarify the organization’s priorities to develop an ISMS
OUTPUT
* Objectives, priorities, and requirements for an ISMS.
* A list of regulatory, contractual, and industry requirements
* Outlined characteristics of the business, the organization, its location, assets, and technology.
Factors to Consider:
• critical businesses and organization areas
• sensitive or valuable information
• laws which mandate information security measures
• contractual or organizational agreements relating to information security
• industry requirements which specify particular information security controls or measures
• the threat environment
• competitive drivers
• business continuity requirements
INPUT
* Output from Clarify the organization’s priorities to develop an ISMS.
PHASE 1 ACTIVITY 2
Define the preliminary ISMS scope
OUTPUT
* The deliverable is a document which describes the preliminary scope of the ISMS.
Define the preliminary ISMS scope
• The preliminary scope usually covers:
– a summary of mandates for the ISMS established by the management
– a description of how the area(s) in scope interact with other management systems
– a list of business objectives of the ISMS
– a list of critical business processes, systems, information assets, organizational structures and geographic locations
– the relationship of existing management systems, regulatory, compliance, and organization objectives
– the characteristics of the business, the organization, its location, assets and technology.
INPUT
* output from Develop the preliminary ISMS scope
* list of stakeholders who will benefit from results of the ISMS project.
PHASE 1 ACTIVITY 3
Define roles & responsibilities for the preliminary ISMS scope
OUTPUT
* a document describing the roles and responsibilities
Roles & responsibilities for the preliminary ISMS scope
• Overall responsibility for the tasks remains at the management level
• One person is appointed to promote and co-ordinate the information security process
• Each employee is equally responsible for his or her original task and for maintaining information security in the workplace.
• An information security forum could facilitate collaboration within roles for managing information security
INPUT
* output from Clarify the organization’s priorities to develop an ISMS
*output from Define the preliminary ISMS scope
PHASE 1 ACTIVITY 4
Create the business case and the project plan for management approval
OUTPUT
*a documented approval by management
*a documented business case
*an initial ISMS Project Proposal
The business case should cover the following subjects:
• Goals and specific objectives
• Benefit to the organization
• Preliminary scope of the ISMS
• Critical processes & factors for reaching the ISMS objectives
• High-level project overview
• Initial implementation plan
• Defined roles and responsibilities
• Required resources (both technology and people)
• Implementation considerations including existing information security
• Timeline with key milestones
• Expected costs
• Critical success factors
• Quantified benefits to the organization
Phase 2: Defining ISMS scope, boundaries and ISMS policy (Clauses 4.2.1 a), 4.2.1 b))
Objectives: To define the detailed scope and boundaries of the ISMS, develop the ISMS policy, and obtain endorsement from management
Activities
1. Define organizational scope and boundaries
2. Define information communication technology (ICT) scope and boundaries
3. Define physical scope and boundaries
4. Integrate each scope and boundaries to obtain the ISMS scope and boundaries
5. Develop the ISMS policy and obtain approval from management
INPUT
* output from Clarify the organization’s priorities to develop an ISMS
*output from Define the preliminary ISMS scope
PHASE 2 ACTIVITY 1
Define organizational scope and boundaries
OUTPUT
*description of organizational boundaries
*functions and structure of the organization
*identification of information exchanged
*organization processes and the responsibilities
*process for the hierarchy of decision making
Define organizational scope and boundaries
• The amount of effort required to implement an ISMS is dependent on the magnitude of the scope to which it is to be applied.
• The boundaries are defined to ensure that all relevant assets are taken into account in the risk assessment, and to address the risks that might arise through these boundaries.
• If some processes within the scope are outsourced to third parties, those dependencies should be clearly documented.
INPUT
*output from Define the preliminary ISMS scope
*output from Define organizational scope and boundaries
PHASE 2 ACTIVITY 2
Define information communication technology (ICT) scope and boundaries
OUTPUT
*information exchanged
*ICT boundaries for the ISMS
*the information systems and telecommunication networks
ICT boundaries should include a description of the following when applicable:
• Communications infrastructure
• Software within the organizational boundaries
• ICT hardware required by the network or networks, applications or production systems
• Roles and responsibilities regarding ICT hardware, network and software
INPUT
*output from Define the preliminary ISMS scope
*output from Define organizational scope and boundaries
* output from Define information communication technology (ICT) scope and boundaries
PHASE 2 ACTIVITY 3
Define physical scope and boundaries
OUTPUT
*description of physical boundaries for the ISMS
*description of the organization and their geographical characteristics
Physical boundaries should include a description of the following:
• Functions or process description, taking into account their physical location and the extent to which the organization controls them
• Special facilities used for storing/containing ICT hardware or in-scope data (e.g. on back-up tapes), based upon the coverage of the ICT boundaries
• Any third party dependencies should be documented
INPUT
*output from Define the preliminary ISMS scope
*output from Define organizational scope and boundaries
* output from Define information communication technology (ICT) scope and boundaries
*output from Define physical scope and boundaries
PHASE 2 ACTIVITY 4
Integrate each scope and boundaries to obtain the ISMS scope and boundaries
OUTPUT
*document describing the scope and boundaries of the ISMS
The scope and boundaries of the ISMS, containing the following information:
• Key characteristics of the organization
• In-scope organizational processes
• Configuration of in-scope equipment and networks
• Preliminary list of in-scope information assets
• List of in-scope ICT assets
• Map of in-scope sites, indicating the physical boundaries
• Roles and responsibilities descriptions
• Details of and justification for any exclusions from the ISMS scope
INPUT
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Clarify the organization’s priorities to develop an ISMS
*output from Create the business case and the project plan for management approval
PHASE 2 ACTIVITY 5
Develop the ISMS policy and obtain approval from management
OUTPUT
*the documented management-approved ISMS policy.
While defining the ISMS policy, the following aspects should be considered:
• establish the ISMS objectives
• establish the general focus and guide to action to achieve the ISMS objectives
• consider the organization’s requirements, legal or regulatory and contractual obligations
• the risk management context within the organization
• establish the criteria for evaluating risks and define a risk assessment structure
• clarify high-level management responsibilities with regard to the ISMS
• obtain management approval.
Phase 3: Conducting information security requirements analysis (Clauses 4.2.1 c) 1), 4.2.1 d), 4.2.1 e))
Objectives: To define the relevant requirements to be supported by the ISMS, identify the information assets, and obtain the current information security status within scope
Activities
1. Define information security requirements for the ISMS process
2. Identify assets within the ISMS scope
3. Conduct an information security assessment
INPUT
*output from Clarify the organization’s priorities to develop an ISMS
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
PHASE 3 ACTIVITY 1
Define information security requirements for the ISMS process
OUTPUT
*identification of the main processes, functions, locations, information systems, communication networks, information assets
*information security requirements
*list of publicly known vulnerabilities
*organization information security training and education requirements
The following should be addressed:
• Preliminary identification of important information assets and their current information security protection.
• Identify visions of the organization and determine the effect of identified visions on future information processing requirements.
• Analyze the current forms of information processing, system applications and communication networks
• Identify all essential requirements
• Identify the level of information security awareness
INPUT
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
*output from Define information security requirements for the ISMS process
PHASE 3 ACTIVITY 2
Identify assets within the ISMS scope
OUTPUT
*identified information assets of the main processes of the organization within the ISMS scope
*Information security classification of critical processes and information assets
To identify the assets within the ISMS scope, the following information should be identified and listed:
• Unique name of the process
• Process description and associated activities
• Criticality of the process to the organization (critical, important, supporting)
• Process owner (organization unit)
• Processes providing input to and receiving output from this process
• IT applications supporting the process
• Information classification
INPUT
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
*output from Define information security requirements for the ISMS process
* output from Identify assets within the ISMS scope
PHASE 3 ACTIVITY 3
Conduct an information security assessment
OUTPUT
*a document summarizing the assessed security status of the organization, and evaluated vulnerabilities.
Information security assessment
• Activity for identifying the existing level of information security
• Purpose: to provide information supporting the description required for the management system in the form of policy and guidelines.
The following actions are important for a successful information security assessment:
• Identify and list the relevant standards of the organization
• Identify known control requirements that arise from policies, legal and regulatory requirements, contractual obligations, findings from past audits, or findings from risk assessments done in the past.
• Use these as reference documents in order for a rough estimation to be made of the organization's current requirements concerning its level of information security.
• Select the important organizational business processes and process steps
• Create a comprehensive flow chart covering the organization’s main processes including infrastructure (logical and technical).
The approach for conducting the information security assessment is as follows:
• Discuss with suitable key personnel and analyze the organization’s current situation in relation to the information security requirements.
• Determine control deficiencies by comparing existing controls with previously identified control requirements.
• Complete and document the current status.
Phase 4: Conducting risk assessment and planning risk treatment (Clauses 4.2.1 c) to 4.2.1 j))
Objectives: To define the risk assessment methodology; identify, analyze and evaluate the information security risks in order to select risk treatment options and select control objectives and controls
Activities
1. Conduct risk assessment
2. Select the control objectives and controls
3. Obtain management authorization for implementing and operating an ISMS
INPUT
*ISO/IEC 27005:2008 Guidelines for Information Security Risk Management
*output from Defining ISMS scope, boundaries and ISMS policy
* outputs from Conducting information security requirements analysis
PHASE 4 ACTIVITY 1
Conduct risk assessment
OUTPUT
*the description of risk assessment methodologies
*the results of the risk assessment
The risk assessment should:
• Identify threats and their sources
• Identify existing and planned controls
• Identify vulnerabilities that can be exploited by threats to cause harm to assets or to the organization
• Identify the consequences that losses of confidentiality, integrity, availability, non-repudiation, and other security requirements may have on the assets
• Assess the business impact that might result from anticipated or actual information security incidents
• Assess the likelihood of the incident scenarios
• Estimate the level of risk
• Compare levels of risk against risk evaluation criteria and risk acceptance criteria
INPUT
*output from Conduct risk assessment
*ISO/IEC 27005:2008 Information Security Risk Management
*ISO/IEC 27002:2005 Code of practice for information security management
PHASE 4 ACTIVITY 2
Select the control objectives and controls
OUTPUT
*a list with selected controls and control objectives
*the Risk Treatment Plan
Select the control objectives and controls
• It is important to specify the relation between the risks and the selected options for treating them, as this will provide a summary of risk treatment.
• ISO/IEC 27001:2005 Annex A (normative) “Control objectives and controls” is used to select control objectives and controls for risk treatment.
• It is important to demonstrate how the selected controls will mitigate risks as required by the risk treatment plan.
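A worked example for Phase 4 activities 1 and 2, added here and not part of the ISO/IEC 27003 text or this presentation: a small risk register that estimates risk levels, compares them with the acceptance criteria, records the treatment option and selected controls for each risk (the risk-to-treatment relation the slide asks for), and derives a statement of applicability from those selections. The 1..5 scales, the acceptance threshold of 6, the sample risks and the three Annex A references are assumptions made for illustration.

```python
"""Phase 4 worked example (added; not text from ISO/IEC 27003). The scales,
acceptance threshold, sample risks and Annex A references are constructed
assumptions for illustration only."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed risk evaluation criteria: ordinal 1..5 scales, level = likelihood x impact
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # assumed: a level <= 6 may be accepted without treatment
TREATMENT_OPTIONS = ("mitigate", "accept", "transfer", "avoid")
# Constructed catalogue; refs follow ISO/IEC 27001:2005 Annex A numbering as an
# assumption, so verify each entry against the standard before reuse.
CONTROL_CATALOGUE = {"A.10.5.1": "Information back-up",
                     "A.11.2.1": "User registration",
                     "A.12.6.1": "Control of technical vulnerabilities"}


@dataclass
class Risk:
    asset: str
    threat: str                   # threat and its source
    vulnerability: str            # weakness the threat could exploit
    existing_controls: list[str]  # existing and planned controls
    consequences: dict[str, str]  # per security property, e.g. {"C": "disclosure"}
    likelihood: str
    impact: str                   # assessed business impact
    treatment: str = "undecided"
    selected_controls: list[str] = field(default_factory=list)

    def level(self) -> int:       # estimate the level of risk
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def exceeds_acceptance(self) -> bool:  # compare against acceptance criteria
        return self.level() > ACCEPTANCE_THRESHOLD


def treat(risk: Risk, option: str, controls=(), management_accepted=False) -> Risk:
    """Record the treatment decision. Mitigation must name controls; accepting
    a risk above the criteria needs explicit management acceptance."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {option}")
    if option == "mitigate" and not controls:
        raise ValueError("mitigation requires at least one selected control")
    if option == "accept" and risk.exceeds_acceptance() and not management_accepted:
        raise ValueError("above acceptance criteria: management must accept residual risk")
    risk.treatment, risk.selected_controls = option, list(controls)
    return risk


def risk_treatment_summary(risks: list[Risk]) -> list[tuple]:
    """Relation between each risk and its treatment, highest level first."""
    ordered = sorted(risks, key=lambda r: r.level(), reverse=True)
    return [(r.asset, r.level(), r.treatment, tuple(r.selected_controls)) for r in ordered]


def statement_of_applicability(risks: list[Risk]) -> dict[str, dict]:
    """Every catalogue control with its applicability and the risks justifying it."""
    soa = {}
    for ref, name in CONTROL_CATALOGUE.items():
        justified_by = [r.asset for r in risks if ref in r.selected_controls]
        soa[ref] = {"control": name, "applicable": bool(justified_by), "justification": justified_by}
    return soa


def build_sample_risks() -> list[Risk]:
    """Constructed sample register entries (not real findings)."""
    return [
        Risk("customer database", "external attacker via internet-facing server",
             "unpatched web application", ["perimeter firewall"],
             {"C": "disclosure of customer records"}, "likely", "major"),
        Risk("file server", "hardware failure", "no tested backups", [],
             {"A": "loss of working files for days"}, "possible", "moderate"),
        Risk("HR intranet", "editor typo in a notice", "no preview before publishing",
             ["edit logging"], {"I": "wrong notice shown briefly"}, "rare", "minor"),
    ]


def run_sample():
    risks = build_sample_risks()
    treat(risks[0], "mitigate", ["A.12.6.1"])
    treat(risks[1], "mitigate", ["A.10.5.1"])
    treat(risks[2], "accept")  # level 2, within the acceptance criteria
    return risk_treatment_summary(risks), statement_of_applicability(risks)
```

Controls that no risk justifies come out of the statement of applicability as not applicable with an empty justification, which is the gap an auditor will ask about first.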
INPUT
*output from Create the business case and the project plan for management approval
*outputs from Defining ISMS scope, boundaries and ISMS policy
*output from Conduct risk assessment
*output from Select the control objectives and controls
PHASE 4 ACTIVITY 3
Obtain management authorization for implementing and operating an ISMS
OUTPUT
*written notice of management approval
*management acceptance of residual risks.
*statement of applicability
Phase 5: Designing the ISMS (Clauses 4.2.2 a) to e), h))
Objectives: Designing organizational security based on the selected risk treatment options, as well as requirements regarding recording and documents; designing the controls integrating security provisions for ICT, physical and organizational processes; designing the ISMS-specific requirements
Activities
1. Design organizational information security
2. Design ICT and physical information security
3. Design ISMS specific information security
4. Produce the final ISMS project plan
INPUT
*output from Define roles & responsibilities
*output from Integrate each scope and boundaries
*output from Develop the ISMS policy
*output from Define information security requirements for the ISMS process
*output from Identify assets within the ISMS scope
*output from Conduct an information security assessment
*output from Conduct risk assessment
*output from Select the control objectives and controls
*ISO/IEC 27002:2005
PHASE 5 ACTIVITY 1-1
Design of the final organizational structure for information security
OUTPUT
*a document summarizing the organization structure, and its roles and responsibilities
INPUT
*output from Integrate each scope and boundaries
*ISMS scope and boundary definition
*output from Develop the ISMS policy
*output from Obtain management authorization for implementing and operating an ISMS
*output from Design of the final organizational structure for information security
*ISO/IEC 27002:2005
PHASE 5 ACTIVITY 1-2
Design a framework for documentation of the ISMS
OUTPUT
*a document summarizing:
- the requirements for ISMS records and documentation control
- repositories and templates for records
Design a framework for documentation of the ISMS
• The ISMS documentation should include records of management decisions, ensure that actions are traceable to management decisions and policies, and that the recorded results are reproducible.
• ISMS documents should provide the evidence that controls are selected based on the results of risk assessment and risk treatment, and that such processes are implemented along with the ISMS policy and objectives.
• Records should be created, maintained and controlled as evidence that the ISMS of the organization conforms to ISO/IEC 27001:2005, and to show the effectiveness of operations.
• It is also required to keep records of implementation status for the entire PDCA phase, as well as records of information security incidents and events, records of education, training, skills, experience and qualifications, internal ISMS audits, corrective and preventive actions, and organizational records.
INPUT
*output from Clarify the organization’s priorities to develop an ISMS
*output from Create the business case and the project plan for management approval
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
*output from Define information security requirements for the ISMS process
*output from Identify assets within the ISMS scope
*output from Conduct an information security assessment
*output from Conduct risk assessment
*output from Design of the final organizational structure for information security
*output from Design a framework for documentation of the ISMS
*ISO/IEC 27002:2005 reference 5.1.1
PHASE 5 ACTIVITY 1-3
Design the information security policy
OUTPUT
*a document of the information security policy.
The information security policy
• Documents the organization’s strategic position with respect to the information security objectives throughout the organization.
• Established within the organization by the operational manager.
• Approved
• Communicated to everyone in the organization in such a way that it is relevant, accessible and understandable for its readers.
INPUT
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
*output from Conduct risk assessment
*output from Select the control objectives and controls
*output from Obtain management authorization for implementing and operating an ISMS
*output from Design of the final organizational structure for information security
*output from Design a framework for documentation of the ISMS
*output from Design the information security policy
*ISO/IEC 27002:2005
PHASE 5 ACTIVITY 1-4
Develop information security standards and procedures
OUTPUT
*a detailed implementation plan for controls
*information security standards and procedures
Develop information security standards and procedures
• Information security standards as well as the set of applicable legal and regulatory requirements should be available to those who need to know
• Representatives of different parts of the organization covered by the scope of the ISMS should participate in the process of developing standards and procedures.
• Those participating should have authority and be representative of the organization.
INPUT
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
*output from Define information security requirements for the ISMS process
*output from Identify assets within the ISMS scope
*output from Conduct an information security assessment
*output from Select the control objectives and controls
*output from Obtain management authorization for implementing and operating an ISMS
*ISO/IEC 27002:2005
PHASE 5 ACTIVITY 2-1
Design ICT and physical information security
OUTPUT
*a detailed implementation plan for controls relating to ICT and physical security
In this activity the following should be documented for each control, and should be a part of the ISMS project plan:
• Person responsible for implementation of the control
• Priority of the control to be implemented
• Tasks or activities to implement the control
• Statement of the time by which the control should have been implemented
• Person to whom implementation of the control should be reported, once complete
• Resources for implementation (manpower, resource requirements, space requirements, costs)
INPUT
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
*output from Obtain management authorization for implementing and operating an ISMS
*output from Design the information security policy
*ISO/IEC 27004:2009 Information Security Management Measurements
PHASE 5 ACTIVITY 2-2
Plan for management reviews
OUTPUT
*a document which summarizes the plan needed for the management review addressing:
- inputs required to perform an ISMS management review
- procedures for the management review covering the auditing and monitoring and measuring aspects
Plan for management reviews
• A plan should be developed to ensure management involvement and commitment to the review of ISMS operation and ongoing improvement.
• Planning of management reviews includes establishing when and how they take place. Management reviews should be based upon results from ISMS measurements and other information collected during the operation of the ISMS.
• Results of the internal ISMS audit are important inputs to the ISMS management review.
INPUT
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
*output from Define information security requirements for the ISMS process
*output from Obtain management authorization for implementing and operating an ISMS
*output from Select the control objectives and controls
*output from Design the information security policy
*output from Develop information security standards and procedures
*overview of the organization’s general education and training program
PHASE 5 ACTIVITY 2-3
Design information security awareness, training and education program
OUTPUT
*plans for information security awareness, education and training
*actual records
Design information security awareness, training and education program
• Management is responsible for carrying out education and training to ensure that all personnel who are allocated a clearly defined role have the competence to perform the operations required.
• Ideally, the content of the education and training performed should help all personnel be aware of and understand the meaning and importance of the information security activities they are involved in, and how they can contribute to achieving the goals of the ISMS.
• It is important to ensure at this point that every employee within the ISMS scope receives the necessary security training and/or education
INPUT
*output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
*output from Develop the ISMS policy and obtain approval from management
*output from Design organizational information security
*output from Design ICT and physical information security
*output from Design ISMS specific information security
*ISO/IEC 27002:2005
PHASE 5 ACTIVITY 4
Produce the final ISMS project plan
OUTPUT
*the final ISMS project implementation plan.
Produce the final ISMS project plan
• The activities required to implement selected controls and carry out other ISMS related activities should be formalized in a detailed implementation plan as part of the final ISMS project.
• The detailed implementation plan may also be supported by descriptions of proposed implementation tools and methods.
• As an ISMS project involves many different roles in the organization, it is important that the activities are clearly assigned to responsible parties, and that the plan is communicated both early in the project and throughout the organization.
Implementation Roadmap
[Figure: Information Security Implementation roadmap. Stages shown: Identification of Scope, ISMS Policy, Allocation of Responsibilities, Risk Assessment, Risk Treatment, Implementation (Controls, Incident Handling, Security Education & Training), Monitoring, Review and Maintenance, Continual improvement, and CERTIFICATION.]
THANK YOU
SIRIM QAS International Sdn. Bhd.
Building 8, No. 1, Persiaran Dato’ Menteri
Section 2, P.O. Box 7035
40911 Shah Alam
Selangor Darul Ehsan