Information Security Training

Certified ISO/IEC 27001
Lead Implementer

Participant Handbook
Copyright

ISO 27001 Lead Implementer, Classroom course, release 5.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.

Certified ISO/IEC 27001 | Lead Implementer | Participant Handbook

Follow Us

Before you start the course, please take a moment to:

Like us on Facebook
http://www.facebook.com/ITpreneurs

Follow us on Twitter
http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus
http://gplus.to/ITpreneurs

"Link with us" on LinkedIn
http://www.linkedin.com/company/ITpreneurs

"Watch us" on YouTube
http://www.youtube.com/user/ITpreneurs

Copyright 2013, ITpreneurs Nederland B.V. All rights reserved. 1
Contents

Certified ISO/IEC 27001 Lead Implementer

Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 65
Day 3 ------------------------------------------------------------ 133
Day 4 ------------------------------------------------------------ 201
Appendix A: Case Study ------------------------------------ 263
Appendix B: Exercises List ---------------------------------- 271
Appendix C: Correction Key ---------------------------------- 289
Appendix D: Release Notes ---------------------------------- 305
Participant Feedback Form
Day 1

ISO 27001 Lead Implementer


DAY 1
Certified ISO 27001 Lead Implementer

Certified ISO 27001 Lead Implementer Training
Section 1
Course objectives and structure

a. Meet and greet
b. General points
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training


Activity
Meet and greet

General Information

- Use of mobile phones and recording devices
- Use of a computer and access to the Internet
- Smoking area
- Timetable and breaks
- Meals
- Absences


Training Objectives
Acquiring knowledge

1. Understand the components and the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001 and ISO 27002 as well as with other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS

Training Objectives
Development of competencies

1. Interpret the ISO 27001 requirements in the specific context of an organization
2. Develop the expertise to support an organization to plan, implement, manage, monitor and maintain an ISMS as specified in ISO 27001
3. Acquire the expertise to advise an organization on information security management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project


Educational Approach
Students at the center

Examination
Competency domains

1. Fundamental principles of information security
2. Information security control best practice based on ISO 27002
3. Planning an ISMS based on ISO 27001
4. Implementing an ISMS based on ISO 27001
5. Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001
6. Continual improvement of an ISMS based on ISO 27001
7. Preparing for an ISMS certification audit


Certified ISO 27001 Lead Implementer
Prerequisites for certification

1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years of professional experience
4. 2 years of information security experience
5. 300 hours of ISMS project activity
6. Professional references

Certificate

Candidates who have met all the prerequisites for certification will receive a certificate:


What is PECB?
Professional Evaluation and Certification Board

Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Personnel Certification Bodies
ISO 17024

- ISO 17024 specifies the criteria for an organization that conducts certification of persons in relation to specific requirements, including developing and maintaining a certification scheme for persons
- PECB is accredited by ANSI under ISO/IEC 17024
- Most of the organizations offering certification of professionals are not accredited certification bodies


Why Become a Certified Implementer?
Advantages

- Qualifying oneself to manage an ISMS project
- Formal and independent recognition of personal competencies
- Certified professionals usually earn salaries higher than those of non-certified professionals

Customer Service
Comments, questions and complaints

1. The participant submits a complaint to the training provider
2. The training provider answers in writing
3. If not satisfied, the participant appeals to PECB
4. PECB provides the final arbitration


Schedule for the Week

Questions?


Certified ISO 27001 Lead Implementer Training
Section 2
Standard and regulatory framework

a. ISO structure
b. Fundamental ISO principles
c. Information security standards
d. ISO 27000 family
e. Integrated normative framework
f. Project management standards

What is ISO?

- ISO is a network of national standardization bodies from over 160 countries
- The final results of ISO work are published as international standards
- Over 19 000 standards have been published since 1947


Basic Principles of ISO Standards

1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies

Eight ISO Management Principles


Management System Standards
Primary standards against which an organization can be certified

ISO 9001     Quality
ISO 14001    Environment
OHSAS 18001  Health and safety at work
ISO 20000    IT service
ISO 22000    Food safety
ISO 22301    Business continuity
ISO 27001    Information security
ISO 28000    Supply chain security

Integrated Management System
Common structure of ISO standards

Requirement                          | ISO 9001:2008 | ISO 14001:2004 | ISO 20000:2011 | ISO 22301:2012 | ISO 27001:2005
Objectives of the management system  | 5.4.1         | 4.3.3          | 4.5.2          | 6.2            | 4.2.1
Policy of the management system      | 5.3           | 4.2            | 4.1.2          | 5.3            | 4.2.1
Management commitment                | 5.1           | 4.4.1          | 4.1            | 5.2            | 5
Documentation requirements           | 4.2           | 4.4            | 4.3            | 7.5            | 4.3
Internal audit                       | 8.2.2         | 4.5.5          | 4.5.4.2        | 9.2            | 6
Continual improvement                | 8.5.1         | 4.5.3          | 4.5.5          | 10             | 8
Management review                    | 5.6           | 4.6            | 4.5.4.3        | 9.3            | 7


Other Information Security Standards
Examples

History of the ISO 27001 Series
Important dates

1990: Code of best practices (published by a group of companies)
1995: BS 7799-1, code of best practices
1998: BS 7799-2, ISMS certification schema
2000: ISO 17799, best practices code
2005: New version of ISO 17799; publication of ISO 27001 (ISMS requirements)
2007: ISO 27006 (certification of the organization)
2008+: Publication of the other standards of the 27000 family; revision of ISO 27001 and ISO 27002 in progress


ISO 27000 Family

Vocabulary:
ISO 27000 - Vocabulary

Requirements:
ISO 27001 - ISMS requirements
ISO 27006 - Requirements for certification organizations

General guides:
ISO 27002 - Code of practice
ISO 27003 - Implementation guide
ISO 27004 - Metrics
ISO 27005 - Risk management
ISO 27007-27008 - Audit guides

Industry guides:
ISO 27011 - Telecommunications
ISO 27799 - Health
ISO 270XX - Others

ISO 27001

- Specifies requirements for ISMS management (clauses 4 to 8)
- Requirements (clauses) are written using the imperative verb "shall"
- Annex A: 11 clauses containing 39 control objectives and 133 controls
- An organization can obtain certification against this standard


ISO 27002

- Code of practice for information security management (reference document)
- Clauses are written using the verb "should"
- Composed of 11 clauses, 39 control objectives and 133 controls
- An organization cannot obtain certification against this standard
- Formerly published as ISO 17799

ISO 27003

- Code of practice for the implementation of an ISMS
- Reference document to be used with the ISO 27001 and ISO 27002 standards
- Consists of 9 clauses which define 28 stages to implement an ISMS
- Certification against this standard is not possible


ISO 27009+

Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of domain-specific standards:

For industries:
- Telecommunication
- Health
- Finance and insurance

For specific sectors related to information security:
- Application security
- Cyber security
- Security incident management
- Privacy protection...

Questions?


Certified ISO 27001 Lead Implementer Training
Section 3
Information Security Management System (ISMS)

a. Definition of an ISMS
b. Process approach
c. Overview of clauses 4 to 8
d. Annex A

Definition of ISMS
ISO 27001, clause 3.7

The part of the overall management system, based on a risk-based approach, to establish, implement, operate, monitor, review, maintain and improve information security

Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources


Process Approach
ISO 27001, clause 0.2

The PDCA model applied to ISMS processes:

Input from interested parties: information security requirements and expectations
Plan: establish the ISMS
Do: implement and operate the ISMS
Check: monitor and review the ISMS
Act: maintain and improve the ISMS
Output to interested parties: managed information security

Process Approach

- The application of the process approach will vary from one organization to the next depending on its size, complexity and activities
- Organizations often identify too many processes

A process: Input -> Activities (subject to Control) -> Output


Structure of the ISO 27001 Standard

Clause 4.2.1  Establish the ISMS
Clause 4.2.2  Implement and operate the ISMS
Clause 4.2.3  Monitor and review the ISMS
Clause 4.2.4  Maintain and improve the ISMS
Clause 5      Management responsibility
Clause 6      Internal ISMS audits
Clause 7      Management review
Clause 8      ISMS improvement
Annex A       Control objectives and controls

Establish the ISMS
ISO 27001, clauses 4.2.1 a-j

a) Define the scope and boundaries of the ISMS
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyze and evaluate the risks
f) Identify and evaluate risk treatment options
g) Select control objectives and controls
h) Approve residual risks
i) Have management approve the ISMS
j) Prepare the statement of applicability


Implementation of the ISMS
ISO 27001, clause 4.2.2

Risk treatment plan: define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
Implementation of controls: implement the controls and define how to measure the effectiveness of the selected controls
Training and awareness: set in place a training and awareness programme
ISMS management: manage ISMS operations daily
Incident management: set in place an incident management process to detect incidents and treat them rapidly

ISMS Monitoring and Review
ISO 27001, clause 4.2.3

1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS, taking into account the feedback and suggestions of the stakeholders
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans

Note: Each of these actions must be documented and recorded

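Clause 4.2.2 asks the implementer to define how the effectiveness of each selected control will be measured, and clause 4.2.3 to actually measure it. The following Python block is an added example, not material from this handbook, PECB or ITpreneurs, of one such measurement: it takes a constructed HR leaver list joined to the identity system's account-disable log and reports whether the removal-of-access control met its target over the review period. The two-day lag, the 95 % target, the record layout and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed measurement definition for one control: removal of access rights when
# personnel leave. The allowed lag and the target are the organization's choice;
# the values here are assumptions for this example.
MAX_LAG_DAYS = 2        # account must be disabled no later than 2 days after leaving
TARGET_PERCENT = 95.0   # share of leavers meeting the lag for the control to count as effective

# Constructed records, not real data: the HR leaver register joined to the identity
# system's account-disable log. None means the account was still enabled when measured.
LeaverRecord = Tuple[str, date, Optional[date]]
SAMPLE_LEAVERS: List[LeaverRecord] = [
    ("u001", date(2013, 3, 1), date(2013, 3, 1)),
    ("u002", date(2013, 3, 4), date(2013, 3, 5)),
    ("u003", date(2013, 3, 8), date(2013, 3, 20)),   # disabled, but 12 days late
    ("u004", date(2013, 3, 11), None),                # never disabled: live exposure
    ("u005", date(2013, 3, 15), date(2013, 3, 16)),
]


@dataclass
class MeasurementResult:
    population: int
    compliant: int
    effectiveness_percent: float
    late: List[str]            # disabled, but outside the allowed lag
    still_enabled: List[str]   # never disabled: an open exposure, to be handled as an incident
    effective: bool            # measured value meets the target


def measure_access_removal(records: List[LeaverRecord],
                           max_lag_days: int = MAX_LAG_DAYS,
                           target_percent: float = TARGET_PERCENT) -> MeasurementResult:
    """Measure the removal-of-access control over one review period."""
    compliant, late, still_enabled = 0, [], []
    for user_id, left_on, disabled_on in records:
        if disabled_on is None:
            still_enabled.append(user_id)
        elif (disabled_on - left_on).days <= max_lag_days:
            compliant += 1
        else:
            late.append(user_id)
    population = len(records)
    # An empty population yields 0 %: absence of evidence is not evidence of effectiveness.
    percent = round(100.0 * compliant / population, 1) if population else 0.0
    return MeasurementResult(population, compliant, percent, late, still_enabled,
                             percent >= target_percent)


if __name__ == "__main__":
    result = measure_access_removal(SAMPLE_LEAVERS)
    print(f"{result.compliant}/{result.population} leavers disabled within {MAX_LAG_DAYS} days "
          f"= {result.effectiveness_percent}% (target {TARGET_PERCENT}%)")
    print("late:", result.late, "still enabled:", result.still_enabled)
    print("control effective:", result.effective)
```

The point of separating `late` from `still_enabled` is that the two feed different ISMS processes: a late disablement is a data point for the management review (clause 7), whereas an account that is still enabled is a live exposure that goes to the incident management process of clause 4.2.2, not merely into a percentage.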

Documentation Requirements
ISO 27001, clause 4.3

ISMS policy and objectives

ISO 27001, clause 4.3.1
Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

Management Responsibility
ISO 27001, clause 5

5.1 Management commitment
Management shall provide evidence of its commitment to the ISMS

5.2.1 Make resources available
Management shall determine and provide the necessary resources for the ISMS

5.2.2 Training, awareness and competency
Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks


ISMS Internal Audits
ISO 27001, clause 6

- The organization shall conduct ISMS internal audits at regular intervals
- An audit programme must be planned taking into account the importance of the processes and areas to be audited, as well as the results of previous audits

ISMS Management Review
ISO 27001, clause 7

Management review input elements:
1. Results of ISMS audits and reviews
2. Feedback from stakeholders
3. Techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness
4. Status of preventive and corrective actions
5. Vulnerabilities or threats that were not adequately addressed in the previous risk assessment
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any change that could affect the ISMS
9. Recommendations for improvement

Management review output elements:
1. Improvement of the effectiveness of the ISMS
2. Update of the risk assessment and the risk treatment plan
3. Modification of information security procedures and controls
4. Resource needs
5. Improvement in the way the effectiveness of controls is measured


ISMS Improvement
ISO 27001, clause 8.1

The organization shall continually improve the effectiveness of the ISMS using the information security policy, information security objectives, audit results, event analysis, corrective and preventive actions, and the management review

Security Objectives and Controls
ISO 27001, Annex A

ISO 27001, Annex A: list of the security objectives and controls
ISO 27002: objectives and controls, recommendations for implementation, supplementary information

Important note: in theory, taking into account the ISO 27002 best practices is not a requirement to obtain ISO 27001 certification


ISO 27002 Clauses
ISO 27001, Annex A

A.5  Security policy
A.6  Organization of information security
A.7  Asset management
A.8  Human resources security
A.9  Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance

Exercise 1
Reasons to adopt ISO 27001


ISO 27001 Advantages

1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing

Questions?


Certified ISO 27001 Lead Implementer Training
Section 4
Fundamental Principles of Information Security

a. Asset and information asset
b. Information security
c. Confidentiality, integrity and availability
d. Vulnerability, threat and impact
e. Information security risk
f. Security objectives and controls
g. Classification of security controls

Asset and Information Asset
ISO 9000, clause 3.7.1; ISO 27000, clauses 2.3 and 2.8

- Information: meaningful data
- Asset: anything that has value to the organization
- Information asset: knowledge or data that has value to the organization


Document, Specification, Record
ISO 9000, clause 3.7

Document: information and its supporting medium
Specification: document stating requirements
Record: document stating results achieved or providing evidence of activities performed

Information Security
ISO 27002, clause 0.1

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities


Information Security
ISO 27000, clause 2.19

- Preservation of confidentiality, integrity and availability of information
- Note: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved

Information Security
Covers information of all kinds

- Printed or handwritten
- Stored on electronic media
- Transmitted by email or other electronic means
- Published on a website
- Shown in corporate videos
- Mentioned in conversations
- Etc.


Confidentiality
ISO 27000, clause 2.9

Property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Integrity
ISO 27000, clause 2.25

Property of protecting the accuracy and completeness of assets


Availability
ISO 27000, clause 2.7

Property of being accessible and usable upon demand by an authorized entity

Vulnerability
ISO 27000, clause 2.46

Weakness of an asset or control that can be exploited by a threat


Types of Vulnerabilities
ISO 27005, Annex D

Type of vulnerability        | Examples
1 Hardware                   | Insufficient maintenance; portability
2 Software                   | No audit logs; complicated user interfaces
3 Network                    | Unencrypted transfers; single point of access
4 Personnel                  | Insufficient training; lack of supervision
5 Site                       | Unstable electrical supply; site in an area susceptible to flooding
6 Organization's structure   | Lack of segregation of duties; no job descriptions

Threats
ISO 27000, clause 2.45

Potential cause of an unwanted incident which may result in harm to a system or an organization


Types of Threats
ISO 27005, Annex C

Threat type                       | Examples
1 Physical damage                 | Fire; water damage
2 Natural disaster                | Earthquake; flooding
3 Loss of essential service       | Failure of air conditioning; power outage
4 Disruption caused by radiation  | Electromagnetic radiation; thermal radiation
5 Compromise of information       | Wiretapping; theft of documents
6 Technical failure               | Equipment failure; network overload
7 Unauthorized action             | Unauthorized access; use of pirated software

Relationship: Vulnerability and Threat
Examples

Vulnerability                                    | Threat
Warehouse unprotected and without surveillance   | Theft
Complicated data processing procedures           | Data input error by personnel
No segregation of duties                         | Fraud, unauthorized use of a system
Unencrypted data                                 | Information theft
Use of pirated software                          | Lawsuit, virus
No review of access rights                       | Unauthorized access by persons who have left the organization
No backup procedures                             | Loss of information


Impact
ISO 27000, clause 2.17

Adverse change to the level of business objectives achieved

Examples of impacts on confidentiality:
- Invasion of privacy of users or customers
- Invasion of privacy of employees
- Confidential information leakage

Examples of impacts on integrity:
- Accidental change
- Deliberate change
- Incorrect results
- Incomplete results
- Loss of data

Examples of impacts on availability:
- Performance degradation
- Service interruption
- Unavailability of service
- Disruption of operations

Information Security Risk
ISO 27000, clause 2.24

Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization

Note: It is measured in terms of a combination of the likelihood of an event and its consequence


Risk Scenario
Example

United Kingdom
Defacement of several websites of the Conservative Party (Vital Security 01/03/2010)

The defacement text encourages website visitors to vote for the Labour Party. Messages left by the attackers include a security evaluation of the site and political slogans.

Information asset: content of the Conservative Party website
Other asset: server hosting the Conservative Party website
Security aspect: integrity
Vulnerability: security holes in the web server
Threat: hackers
Impact: image of the Conservative Party

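The scenario above is the kind of entry that clauses 4.2.1 d to g turn into a risk register, clause 4.2.1 j into a Statement of Applicability, and clause 4.3.1 requires to stay traceable: every selected control must lead back to a risk, and every risk above the acceptance criterion to a control. The following Python block is an added example, not code from this handbook, from PECB or from ITpreneurs: it scores a constructed register of five risks (built from the vulnerability/threat pairs listed earlier in this section), applies an assumed acceptance threshold, builds the SoA and then checks traceability in both directions. The likelihood and asset-value scales, the "level = likelihood x impact" rule, the threshold, the sample assets and risks, and the mapping of risks to controls are all assumptions; the control identifiers and names are those of Annex A of ISO/IEC 27001:2005.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed scales and acceptance criterion (clause 4.2.1 c): likelihood and asset
# value are both rated 1..5, risk level = likelihood x impact, and impact is taken as
# the value of the affected asset. Levels at or below the threshold are accepted.
ACCEPTANCE_THRESHOLD = 6

# Subset of ISO/IEC 27001:2005 Annex A used in the example. Which control treats
# which risk below is an assumption made for illustration, not a prescription.
ANNEX_A = {
    "A.8.3.3": "Removal of access rights",
    "A.10.1.3": "Segregation of duties",
    "A.10.5.1": "Information back-up",
    "A.11.2.4": "Review of user access rights",
    "A.12.3.1": "Policy on the use of cryptographic controls",
    "A.12.6.1": "Control of technical vulnerabilities",
}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    value: int                      # 1 (negligible) .. 5 (critical), assumed scale


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: Asset
    prop: str                       # C, I or A: the security property at stake
    threat: str
    vulnerability: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain), assumed scale
    proposed_controls: Tuple[str, ...]


@dataclass(frozen=True)
class Treatment:
    rid: str
    level: int
    option: str                     # "accept" or "reduce"
    controls: Tuple[str, ...]


# Constructed register (not real data), built from the vulnerability/threat pairs of this section.
_web = Asset("Corporate website content", "Communications", 3)
_crm = Asset("Customer database", "Sales", 5)
_hr = Asset("HR records", "Human Resources", 4)
_erp = Asset("ERP system", "Finance", 3)
_fs = Asset("Shared file server", "IT", 3)
SAMPLE_RISKS: List[Risk] = [
    Risk("R1", _web, "I", "Website defacement by hackers", "Unpatched web server", 4, ("A.12.6.1",)),
    Risk("R2", _crm, "C", "Information theft", "Unencrypted data", 2, ("A.12.3.1",)),
    Risk("R3", _hr, "A", "Loss of information", "No backup procedures", 3, ("A.10.5.1",)),
    Risk("R4", _erp, "I", "Fraud", "No segregation of duties", 2, ("A.10.1.3",)),
    Risk("R5", _fs, "C", "Access by persons who have left", "No review of access rights", 3,
         ("A.11.2.4", "A.8.3.3")),
]


def risk_level(risk: Risk) -> int:
    return risk.likelihood * risk.asset.value


def evaluate(risks: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[Treatment]:
    """4.2.1 e-g: analyse each risk, compare it with the acceptance criterion, choose a treatment."""
    treatments = []
    for r in risks:
        level = risk_level(r)
        option, controls = ("accept", ()) if level <= threshold else ("reduce", r.proposed_controls)
        treatments.append(Treatment(r.rid, level, option, controls))
    # Highest level first: the order in which the risk treatment plan should act.
    return sorted(treatments, key=lambda t: t.level, reverse=True)


def statement_of_applicability(treatments: List[Treatment],
                               extra: Optional[Dict[str, str]] = None) -> Dict[str, dict]:
    """4.2.1 j: every listed control, whether it applies, and what justifies it.
    `extra` marks controls applied for a reason other than a risk (e.g. a contract), with that reason."""
    soa = {cid: {"name": name, "applicable": False, "justified_by": [], "justification": ""}
           for cid, name in ANNEX_A.items()}
    for t in treatments:
        for cid in t.controls:
            if cid in soa:
                soa[cid]["applicable"] = True
                soa[cid]["justified_by"].append(t.rid)
    for cid, reason in (extra or {}).items():
        if cid in soa:
            soa[cid]["applicable"] = True
            soa[cid]["justification"] = reason
    return soa


def traceability_issues(treatments: List[Treatment], soa: Dict[str, dict]) -> List[str]:
    """4.3.1: each reduced risk must trace to a control, each applied control back to a risk or a reason."""
    issues = []
    for t in treatments:
        if t.option == "reduce" and not t.controls:
            issues.append(f"{t.rid}: level {t.level} exceeds the threshold but no control is selected")
        issues += [f"{t.rid}: references unknown control {cid}" for cid in t.controls if cid not in ANNEX_A]
    for cid, row in soa.items():
        if row["applicable"] and not row["justified_by"] and not row["justification"]:
            issues.append(f"{cid}: marked applicable without a risk or a stated reason")
    return issues


if __name__ == "__main__":
    plan = evaluate(SAMPLE_RISKS)
    for t in plan:
        print(f"{t.rid} level={t.level:2d} {t.option:6s} {', '.join(t.controls)}")
    # R4 was accepted, yet A.10.1.3 was ticked in the SoA without a written reason.
    soa = statement_of_applicability(plan, extra={"A.10.1.3": ""})
    for issue in traceability_issues(plan, soa):
        print("traceability:", issue)
```

Running the block prints R1 and R3 first (level 12), then R2, R5 and the accepted R4, and the traceability check reports A.10.1.3 as applicable without a justification. That last finding is exactly the evidence gap an auditor looks for under clause 4.3.1: a control that appears in the SoA but cannot be traced to either a risk or a documented decision.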
Control Objective and Control
ISO 27000, clauses 2.10 and 2.11

Control objective: statement describing what is to be achieved as a result of implementing controls

Control: means of managing a risk, including policies, procedures, guidelines, practices or organizational structures
Synonyms: measure, countermeasure, security device

Types of controls: technical, managerial, legal, administrative