ISO 27001_Guide


  • 8/6/2019 ISO 27001_Guide

    1/12

    BSI Information Security

    A guide to ISO 27001


BSI Information Security Management Systems


Introduction

Information assets
Managing information is vital to an organization's future.

Information is the lifeblood of all organizations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation.

In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, there has been a subsequent increase in the numbers and types of threats.

Furthermore, there has been a marked increase in pressure from legal and regulatory authorities. Information security is more than a simple matter of technology; it is a major governance issue and can directly affect an organization's reputation and ultimately its survival. It is therefore vital that an organization takes steps to protect its information assets.

A proven solution is the adoption of an Information Security Management System (ISMS), which meets the requirements of ISO/IEC 27001.

> The security of information assets is crucial to all organizations and requires effective management.


ISO 27001 model

In order to effectively manage your organization's information risks and threats, you should establish an Information Security Management System (ISMS). An ISMS based on ISO 27001 will help you manage these issues while continually improving the security of your information.

ISO 27001 (previously BS 7799) is the internationally recognized standard setting out the requirements for an ISMS. It helps identify, manage and minimize the range of threats to which information is regularly subjected.

The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties, including an organization's customers and suppliers.

It uses a risk-based approach to managing information security, which ensures that results are both appropriate and affordable for your organization.

It also incorporates the proven Plan-Do-Check-Act (PDCA) cycle, which enables your organization to continually improve its information security management and meet the changing legal and regulatory requirements for information security.

> Establishing an ISMS based on ISO 27001 enables your organization to protect its information assets.

The PDCA model applied to an ISMS (from the diagram):

Inputs: information security requirements and expectations (eg: legal, regulatory and commercial) from interested parties (eg: senior management, customers and partners).

Plan: establish the documented ISMS.
Do: implement and operate the ISMS.
Check: monitor and review the ISMS.
Act: maintain and improve the effectiveness of the ISMS.

Output: information security managed as expected, for interested parties (eg: customers).

ISO/IEC 17799 CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
An international standard that provides guidance on information security management based on industry best practice. It aligns with, and expands on, the controls of ISO 27001 but it is not an auditable standard. ISO 17799 is due to become ISO 27002 in 2007.


Getting Started

Establishing an ISMS
The steps you should follow.

Establishing an ISMS which meets the requirements of ISO 27001 is an ideal platform for building effective security for your business information. This process can be complex and is made much easier by grouping it into a number of steps.

Steps 1 and 2 involve establishing the scope, boundaries and policy of the ISMS. These should be defined on the basis of the organization's specific characteristics such as size, assets and types of information systems, while legal, regulatory and contractual requirements must also be taken into account. These steps require management direction and support and are crucial to the overall success of implementing an ISMS.

Steps 3 to 5 involve assessing the security risks to the organization's information. A risk assessment approach and methodology need to be defined to facilitate these steps. The key outputs are the identification of the risks along with the undertaking of a risk assessment.

> Expenditure on controls to protect information and information systems needs to be balanced against the business harm likely to result from security failures.

Step 1: Define the scope and boundaries of the ISMS. Output: ISMS scope statement.
Step 2: Define an ISMS policy. Output: an ISMS policy.
Step 3: Define the risk assessment approach. Output: documented risk assessment approach.
Step 4: Identify risks. Output: list of threats, vulnerabilities and impacts.
Step 5: Undertake a risk assessment. Output: report on business impacts and likelihoods.


Steps 6 and 7 involve evaluating the treatment options for business risks and selecting the relevant control objectives and controls. Where risks are deemed to be unacceptable, an organization needs to choose how to manage them as part of a risk treatment plan. This plan will involve applying appropriate controls, or accepting or transferring the risks to other parties. Alternatively, the risk can be avoided. In line with the decision on how risks are treated, appropriate control objectives and controls need to be selected from Annex A of the standard. Additional controls can be introduced to address an organization's specific risks.

Steps 8 and 9 require management to approve the proposed residual risks and authorize the implementation of the ISMS. The residual risks are those that management accept on behalf of the business as not being treated. Examples include risks which would be very costly to treat but have a low impact on the business.

Step 10 involves the preparation of a Statement of Applicability. This describes and documents the selected control objectives, controls and the reasons for their selection or exclusion.

Step 6: Evaluate risk treatment options. Output: risk treatment plan.
Step 7: Select control objectives and controls. Output: list of control objectives and controls.
Step 8: Obtain management approval of proposed residual risks. Output: record of approved residual risks.
Step 9: Obtain management approval to implement the ISMS. Output: management authorization to implement the ISMS.
Step 10: Prepare Statement of Applicability. Output: Statement of Applicability.
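The risk steps described above, as an added example that is not part of the BSI guide: a Python sketch of steps 4 to 10, in which a constructed risk register is scored, each risk is given a treatment decision, accepted risks are collected as residual risks for management approval, and a Statement of Applicability is derived from the controls actually selected. The scoring scale, risk appetite, decision rules and control-area catalogue (numbered as in this guide's list of 11 areas, not by Annex A clause) are assumptions.

```python
# Added example, not the guide's own material: ISMS steps 4 to 10 in code.
# Risks are scored as impact x likelihood; control areas use this guide's
# 1..11 numbering rather than Annex A clauses; the scale, appetite, decision
# rules and sample register are all constructed for illustration.
from dataclasses import dataclass, field

CONTROL_AREAS = {1: "Security Policy", 3: "Asset Management",          # subset
                 5: "Physical and Environmental Security", 7: "Access Control",
                 9: "Incident Management", 11: "Compliance"}
RISK_APPETITE = 6  # assumed: a score of 6 or below may be accepted untreated


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int          # 1 (negligible) .. 5 (severe) business impact
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    candidate_controls: list = field(default_factory=list)  # control areas
    likelihood_after: int = 0  # expected likelihood once controls applied

    def score(self, treated: bool = False) -> int:
        lk = self.likelihood_after if treated and self.likelihood_after else self.likelihood
        return self.impact * lk


def treat(risk: Risk) -> str:
    """Step 6 (assumed rules): accept within appetite; apply controls if they
    bring the risk within appetite; transfer high-impact risks the controls
    cannot; otherwise avoid the activity."""
    if risk.score() <= RISK_APPETITE:
        return "accept"
    if risk.candidate_controls and risk.score(treated=True) <= RISK_APPETITE:
        return "apply controls"
    if risk.impact >= 4:
        return "transfer"
    return "avoid"


def build_plan(register):
    """Steps 6 to 10: returns (treatment plan, residual risks, SoA), keyed by
    asset name and control area name respectively."""
    plan = {r.asset: treat(r) for r in register}
    selected = {}  # step 7: area -> threats it is selected to treat
    for r in register:
        if plan[r.asset] == "apply controls":
            for area in r.candidate_controls:
                selected.setdefault(area, []).append(r.threat)
    # step 8: residual risks are those management accepts untreated
    residual = {r.asset: r.score() for r in register if plan[r.asset] == "accept"}
    # step 10: each catalogued area is selected with justification or excluded
    soa = {name: ("selected: treats " + ", ".join(selected[num]) if num in selected
                  else "excluded: no assessed risk requires this area")
           for num, name in CONTROL_AREAS.items()}
    return plan, residual, soa


# Constructed sample register (step 4 output: threats, vulnerabilities, impacts).
REGISTER = [
    Risk("customer database", "unauthorised access", "shared admin password",
         5, 4, candidate_controls=[7, 1], likelihood_after=1),
    Risk("staff laptops", "theft", "no disk encryption", 3, 3, [3], 2),
    Risk("public website", "defacement", "unpatched CMS", 2, 3),
    Risk("data centre", "flood", "ground-floor location", 5, 2),
    Risk("legacy FTP server", "interception", "cleartext protocol", 3, 4),
]
```

Calling build_plan(REGISTER) yields the treatment plan, the one residual risk to put before management, and an SoA that excludes every area no assessed risk justifies.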


Security Controls

The Security Control Areas
Control objectives and controls to help protect your organization's information.

Within the ISO 27001 standard, there are numerous control objectives and controls, which are categorized in the following sections:

1. Security Policy
The documented policy helps communicate an organization's information security goals. It should be clearly written and understandable to its readers. The policy helps management provide direction and support for information security throughout the organization.

2. Organization of Information Security
This security control outlines how management ensures implementation of information security within an organization. It provides a forum for reviewing and approving security policies and assigning security roles and responsibilities.

3. Asset Management
Managing both physical and intellectual assets is important to maintaining appropriate protection. It determines ownership, accountability and protection of information assets.

4. Human Resources Security
Assessing and assigning employee security responsibilities and awareness enables more effective human resource management. Security responsibilities should be determined during the recruitment of all personnel and throughout their employment.

5. Physical and Environmental Security
Securing physical areas and work environments within the organization contributes significantly toward information security management. Anyone who deals with your physical premises, whether they are employees, suppliers or customers, plays a key role in determining organizational security protection.


6. Communications and Operations Management
Covers the secure delivery and management of the daily operations of information processing facilities and networks.

7. Access Control
Managing access levels of all employees helps to control information security in an organization. Controlling levels of systems and network access can become a critical success factor when protecting data or information network systems.

8. Information Systems Acquisition, Development and Maintenance
Involves the secure development, maintenance and acceptance of business applications, products and services into the operational environment.

9. Incident Management
Facilitates the identification and management of information security events and weaknesses and allows for their appropriate and timely resolution and communication.

10. Business Continuity Management
Using controls against natural disasters, operational disruptions and potential security failures helps the continuity of business functions.

11. Compliance
Assists organizations with the identification of, and compliance with, contractual obligations and legal and regulatory requirements.

> Control objectives and controls are selected as part of the ISMS risk process.


Benefits

The benefits of an ISO 27001 based ISMS
Implementing an ISMS certified to ISO 27001 is the clearest demonstration of commitment to good information security governance.

Adopting ISO 27001 can bring significant benefits including:

+ Providing a common framework enabling organizations to develop, implement, and effectively measure information security management practices
+ Providing a risk-based approach that is structured and proactive to help plan and implement an ISMS, resulting in a level of organizational security that is appropriate and affordable
+ Ensuring the right people, processes, procedures and technologies are in place to protect information assets
+ Protecting information in terms of confidentiality, integrity and availability
+ Aligning with other management standards such as ISO 9001

However, accredited certification to ISO 27001 is a powerful independent demonstration of an organization's commitment to managing information security. Being certified will provide a number of specific benefits, which are described below.

BENEFITS OF CERTIFICATION

+ Demonstrates independent assurance of an organization's internal controls, therefore meeting corporate governance and business continuity requirements.
+ Provides third-party assurance that applicable laws and regulations are observed.
+ Provides a competitive edge, e.g., by meeting contractual requirements and demonstrating to customers that the security of their information is paramount.
+ Independently verifies that organizational risks are properly identified, assessed and managed while formalizing information security processes, procedures and documentation.
+ Proves senior management's commitment to the security of an organization's information.
+ The regular assessment process helps an organization continually monitor and improve.

> The above benefits are not realized by organizations who simply comply with ISO 27001 or the recommendations in the Code of Practice standard, ISO 17799.


Route to Registration

The BSI Route to Registration
There are eight steps to achieving and maintaining your ISO 27001 certificate.

Step 1: Initial enquiry
Contact BSI Management Systems. We will consider your business requirements, then arrange the services that best suit your needs.

Step 2: Quotation provided
Upon contacting BSI, we will provide an estimate of costs and timescales for formal assessment.

Step 3: Application submitted
Submit a formal application for registration services to BSI.

Step 4: Assessment team appointed
On return of your completed application form, we will assign you to a Lead Assessor. They will be your principal contact throughout the registration process and beyond, have knowledge concerning the nature of your business, and will offer support while you develop your systems.

Step 5: Undertake a review
BSI will undertake a desktop review of the Risk Assessment, Policy, Scope, Statement of Applicability and Procedures. This will then identify any weaknesses and omissions in your management system that need to be resolved.

Step 6: Undertake a full audit
BSI will then conduct an on-site assessment and make recommendations.

Step 7: Registration
On successful completion of the audit, a certificate of registration is issued which clearly identifies the scope of the ISMS. It remains valid for three years and is supported by routine assessment visits.

Step 8: Continual assessment
After registration your assessor will visit your organization at regular intervals each year to facilitate improvement and ensure that you continue to meet the requirements of ISO 27001.


Services and tools

ISO 27001 Services and Tools from BSI
Everything you need from one convenient and reputable source.

The standards
Before you can begin preparing for the certification process, you will require a copy of the ISO 27001 standard. You should read this and make yourself familiar with it. Other related standards are also available from BSI. Purchase standards from: www.bsi-global.com/bsonline

Free guidance documents, publications and software
There is a wide range of free guidance documents on the BSI website www.bsi-emea.com. You can also purchase support publications and software tools designed to help you understand, implement and become certified to an ISO 27001 based Information Security Management System. These are available from: www.bsi-global.com/ict/security

Implementation and improvement tools
Various BSI tools are available to help you implement and improve your ISMS. They cover subjects such as Risk Assessments, Risk Methodologies, Gap Analysis and Benchmarking.

Training
There is a wide range of ISO 27001 and information security management related training courses to suit various requirements. These include: ISO 27001 Introduction; Implementation; Internal Auditor and Lead Auditor courses. Courses can be delivered in-company, at public venues or online via e-learning. These courses are highly regarded and well attended.

TRAINING COURSES
Information security courses: www.bsi-emea.com/isms-training
All BSI courses: www.bsi-emea.com/training

> Implementing an ISO 27001 ISMS can be complex but BSI tools and services can simplify and reduce the process cost.


Your ISO 27001 partner

Partner with the global ISO 27001 leader
Key reasons for choosing BSI as your partner.

BSI has over 40,000 registered clients, making BSI one of the largest and most experienced certification bodies in the world. This places BSI in an unrivalled position of experience and knowledge about companies' needs, irrespective of size and industry sector. Furthermore, BSI is the clear global market leader in ISO 27001 certification and pioneered the development of BS 7799, its British Standard predecessor.

Independent accreditation
BSI's ISO 27001 certification service is accredited by the United Kingdom Accreditation Service (UKAS). Accreditation is a valuable indicator for you to use to verify that your certification body is competent to be carrying out assessment services at your facility. It provides assurances to you that BSI continues to operate according to internationally accepted criteria.

Added value auditing
BSI is one of the few certification bodies to employ full-time auditors with information security expertise. BSI employs very strict auditor qualification criteria and auditors are regularly assessed. BSI carefully matches the auditor's industry experience with an organization's activities, enabling the assessment to add real value with minimum disruption and cost to your operation.

Global network of delivery
When you choose BSI as your business partner, you are also choosing our international reputation for excellence and delivery. BSI operates in over 90 countries and we have the flexibility and capability to provide a first class service anywhere around the world.

To find your nearest office, please visit: www.bsi-emea.com/locations

THE ISO 27000 FAMILY OF STANDARDS

ISO 27000, Vocabulary and Definitions: planned release 2008/2009
ISO/IEC 27001:2005, Specification Document: released October 2005
ISO 27002 (ISO 17799), Code of Practice: planned release April 2007 (number change only)
ISO 27003, Implementation Guidance: planned release 2008/2009
ISO 27004, Metrics and Measurement: planned release 2008/2009
ISO 27005 (BS 7799-3), Risk Management: planned release 2008/2009


BSI Management Systems
389 Chiswick High Road
London
W4 4AL
Tel: +44 (0) 20 8996 6325
Fax: +44 (0) 20 8996 7852
[email protected]
www.bsi-emea.com

BSI Group: Standards, Information, Training, Inspection, Testing, Assessment, Certification
raising standards worldwide