BSI Management System. Beata Tang, BSI Product Manager

Iso27001 Isaca Seminar (23 May 08)


1. BSI Management System. Beata Tang, BSI Product Manager. Introduction of an International Practice to Enhance Information Security

2. Incidents. Sources shown: Hacker, Process Failure, Contractor Problem, Employee Error, System Failure, Service Interruption, Information Leakage

3. How many controls do we need? Security Controls

4. Introduction of Information Security Management Standards: ISO 27001:2005

5. How ISMS Evolves
  • 1995: BS 7799-1:1995, guidance document
  • 1998: BS 7799-2
  • 1999: BS 7799:1999 (BS 7799-2:1999, developed to support certification)
  • 2000: ISO 17799:2000 (BS 7799-1 obtains ISO status)
  • 2002: BS 7799-2:2002
  • 2005: ISO 27001:2005

6. Aim of ISMS: Safeguarding the Confidentiality, Integrity and Availability of written, spoken and electronic information.

7. What is the ISMS Standard about? Management Clauses 4 to 8 follow the Plan-Do-Check-Act cycle; Annex A lists 133 controls.
  • PLAN: Establish ISMS
    • Establish ISMS framework
    • Set up security policy & objectives
    • Risk Assessment & Treatment
    • Risk Treatment
  • DO: Implement & Operate ISMS
    • Implement measures
    • Resources allocation
  • CHECK: Monitor & Review ISMS
    • Routine checking
    • Self-policing procedures
    • Management review
    • Audit
    • Trend analysis
  • ACT: Maintain & Improve ISMS
    • Improvement Plan
    • Non-conformity
    • Corrective & preventive actions

8. What is the Risk Assessment about? Elements: Asset, Threat, Vulnerabilities, Risk, Acceptable Level, Risk Treatment

9. Why ISO27001 (ISO17799 & ISO27001)

10. Benefits of implementing ISO27001
  • First International Standard addressing infosec
  • A best practice that promotes infosec within and beyond the organisation
  • Internationally recognised standard, providing qualification for individuals and accreditation for corporations

11. ISO 27001 & ISO 27002
  • Adopted by many countries for domestic use and translated into different languages: Australia, Brazil, Canada, Denmark, Germany, Iceland, India, Ireland, Malaysia, Netherlands, New Zealand, Czech Republic, Taiwan, Japan, Korea, Norway, Poland, Singapore, South Africa, Sweden, Switzerland, UK, UAE

12. Benefits of Implementing ISO27001 (ISO17799 & ISO27001)

13. Benefits of implementation
  • Adoption of Business Risk Approach
  • Systematic review to identify risk exposure & potential risk
  • Risk Assessment and Treatment Plan identify risk and applicable control
  • Manage Risk in an effective & efficient manner

14. Benefits of implementation (cont)
  • Cost-effective, through the effective & efficient use of resources
  • Facilitate Resource Management
  • Performance measurable

15. How ISO27001 helps and improves Infosec at the workplace (ISO17799 & ISO27001)

16. ISO 27001 helps to improve infosec
  • Enhance employees' involvement in and awareness of a structured ISMS
  • Formal recognition of legal requirements

17. ISO 27001 helps to improve infosec
  • Introduction of 133 best practice security controls
  • Provide a good reference point on how to implement security controls
  • So as to reduce the incident rate or the impact of incidents

18. Security Controls: 11 Control Areas, 39 Control Objectives (Security Categories), 133 Controls
  • Security policy
  • Organizational security
  • Asset Management
  • Human Resources Policy
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development & maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

19. Why ISO 27001 Certified (ISO17799 & ISO27001)

20. Benefits of certifying ISO27001
  • Fulfilment of Contractual / Statutory Requirements
  • Business Enabler: integral part of the organization's operating and business culture
  • Reduced risk: minimised financial loss, reputation loss, operation loss etc

21. Benefits of certifying ISO27001
  • Increasing Confidence, externally (customers / interested parties) and internally (management & staff)
  • Increase competitive edge
  • Demonstrate commitment to information security

22. Benefits of certifying ISO27001
  • Easy certification route of a well recognised international Standard
  • It becomes a norm in the market or a tendering advantage

23. Introduction of ISO 27001 Certification Scheme (ISO17799 & ISO27001)

24. BSI Route to Certification
  • Pre-Application Questionnaire
  • Quotation
  • Application
  • Optional Pre-assessment and/or Gap Analysis
  • Stage 1: Assessment
  • Stage 2: Assessment
  • Certification
  • 3-Year cycle: Surveillance Assessment; 3rd Year Re-assessment
Next verification visit decided by Verifier. Max 3 year audit cycle. Max possible interim 12 months.

25. CUSTOMER PROFILE WITH BS 7799 / ISO 27001 CERTIFICATIONS: Over 45% market share in the world

26. For more on ISO17799 & ISO27001, please contact our Sales, Marketing & Training Department. Tel: +852 3149-3300 / 3149-3320. Fax: +852 2743-8727 / 8343-7336. Email: mkt.[email_address]

27. More about ISO 27000:2005 International Standard Series
  • BS ISO/IEC 27000: Fundamentals and vocabulary
  • BS ISO/IEC 27001: Information security management systems. Requirements
  • BS ISO/IEC 27002: Code of practice for Information security Management
  • BS ISO/IEC 27003: Implementation guidance
  • BS ISO/IEC 27004: Metrics and measurement
  • BS ISO/IEC 27005: Information security risk management
  • 27006...27011: Reserved for future development (products driven by both BSI and potentially ISO TC)
Slide legend: Still in Development; Available now / soon; Future new product development