
ISO/IEC 27001:2005

A brief introduction

Dimitris Petropoulos
Managing Director
ENCODE Middle East
September 2006

Information

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”

• Printed or written on paper
• Stored electronically
• Transmitted by mail or electronic means
• Spoken in conversations
• …

What is Information Security

• ISO 27001 defines this as the preservation of:
  – Confidentiality: ensuring that information is accessible only to those authorized to have access
  – Integrity: safeguarding the accuracy and completeness of information and processing methods
  – Availability: ensuring that authorized users have access to information and associated assets when required

[Figure: threats, vulnerabilities and risks acting on security, shown around the confidentiality, integrity and availability of information]

Achieving Information Security

4 Ps of Information Security:
• Policy & Procedures
• People
• Products

Drivers & Benefits of compliance with the standard

ISO27001 Drivers

• Internal Business Drivers
  – Corporate Governance
  – Increased Risk Awareness
  – Competition
  – Customer Expectation
  – Market Expectation
  – Market Image

• Regulators

• Reasons for seeking certification according to a BSI-DISC survey

[Pie chart: Best Practice, Business Security, Competitive Advantage, Market Demand; segments of 38%, 35%, 18% and 9%]

Benefits of compliance [1]

• Improved effectiveness of Information Security
• Market Differentiation
• Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
• The only standard with global acceptance
• Potential lower rates on insurance premiums
• Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
• Reduced liability due to unimplemented or unenforced policies and procedures

Benefits of compliance [2]

• Senior Management takes ownership of Information Security
• Standard covers IT as well as organization, personnel, and facilities
• Focused staff responsibilities
• Independent review of the Information Security Management System
• Better awareness of security
• Combined resources with other Management Systems (e.g. QMS)
• Mechanism for measuring the success of the security controls

ISO27001 Evolution

ISO27001/ISO17799/BS7799: History

• 1995 – BS 7799 Part 1
• 1998 – BS 7799 Part 2
• 1999 – New issue of BS 7799 Part 1 & 2
• Dec 2000 – ISO 17799:2000
• 2002 – New BS 7799-2
• 2005 – New ISO 17799:2005 released; ISO 27001:2005 released

ISO 27001, ISO17799 & BS7799 Standards

• ISO/IEC 17799 = BS 7799-Part 1: Code of Practice for Information Security Management
  – Provides a comprehensive set of security controls
  – Based on best information security practices
  – It cannot be used for assessment and registration

• ISO 27001 = BS 7799-Part 2: Specification for Information Security Management Systems
  – Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)
  – Specifies requirements for security controls to be implemented
  – Can be used for assessment and registration

Why BS7799 moved to ISO27001

• Elevation to international standard status
• More organizations are expected to adopt it
• Clarifications and Improvements made by the International Organization for Standardization
• Definition alignment with other ISO standards (such as ISO/IEC 13335-1:2004 and ISO/IEC TR 18044:2004)

The ISO 27000 series

• ISO 27000 – principles and vocabulary (in development)
• ISO 27001 – ISMS requirements (BS7799 – Part 2)
• ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
• ISO 27003 – ISMS Implementation guidelines (due 2007)
• ISO 27004 – ISMS Metrics and measurement (due 2007)
• ISO 27005 – ISMS Risk Management
• ISO 27006 – 27010 – allocation for future use

ISO 27001 Overview

What is ISO27001?

✓ An internationally recognized structured methodology dedicated to information security
✓ A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
✓ A comprehensive set of controls comprised of best practices in information security
✓ Applicable to all industry sectors
✓ Emphasis on prevention

ISO27001 Is Not…

✗ A technical standard
✗ Product or technology driven
✗ An equipment evaluation methodology such as the Common Criteria/ISO 15408
  – But may require utilization of a Common Criteria Equipment Assurance Level (EAL)

Holistic Approach

• ISO 27001 defines best practices for information security management
• A management system should balance physical, technical, procedural, and personnel security
• Without a formal Information Security Management System, such as a BS 7799-2 based system, there is a greater risk to your security being breached
• Information security is a management process, not a technological process

ISO 27001:2005 - PDCA

1. Establish the ISMS
   • Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

2. Implement and operate the ISMS
   • Implement and operate the security policy, controls, processes and procedures.

3. Monitor and review the ISMS
   • Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.

4. Maintain and improve the ISMS
   • Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.

ISO 27001:2005 Structure

Five mandatory requirements of the standard:

• Information Security Management System
  • General requirements
  • Establishing and managing the ISMS (e.g. Risk Assessment)
  • Documentation Requirements
• Management Responsibility
  • Management Commitment
  • Resource Management (e.g. Training, Awareness)
• Internal ISMS Audits
• Management Review of the ISMS
  • Review Input (e.g. Audits, Measurement, Recommendations)
  • Review Output (e.g. Update Risk Treatment Plan, New Resources)
• ISMS Improvement
  • Continual Improvement
  • Corrective Action
  • Preventive Action

The 11 Domains of Information Security Management

Overall the standard can be put in:
• Domain Areas – 11
• Control Objectives – 39
• Controls – 133

The 11 domains:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical & Environmental Security
6. Communications & Operations Management
7. Access Control
8. Information Systems acquisition, development and maintenance
9. Information Security Incident management
10. Business Continuity Management
11. Compliance

ISO27001 vs BS7799

ISO27001 vs BS7799 [1]

BS7799                                    ISO 27001
Security Policy                           Security Policy
Security Organisation                     Organising Information Security *
Asset Classification & Control            Asset Management *
Personnel Security                        Human Resources Security *
Physical & Environmental Security         Physical & Environmental Security *
Communications & Operations Management    Communications & Operations Management *
Access Control                            Access Control
Systems Development & Maintenance         Information Systems Acquisition, Development and Maintenance *
(no BS7799 equivalent)                    Information Security Incident Management
Business Continuity Management            Business Continuity Management
Compliance                                Compliance

* - new control/s added



ISO 27001 Implementation

Implementation Process

1. Assemble a Team and Agree to Your Strategy
2. Define Scope
3. Review Consultancy Options
4. Identification of Information Assets
5. Determination of Value of Information Assets
6. Identification of Legal, regulatory & contractual requirements
7. Determination of Risk
8. Determination of Policy(ies) and the Degree of Assurance Required from the Controls
9. Identification of Control Objectives and Controls
10. Definition of Security Strategy & Organisation
11. Statement of Applicability
12. Definition of Policies, Standards, and Procedures to Implement the Controls
13. Implementation of Policies, Standards, and Procedures
14. Completion of ISMS Documentation Requirements
15. Update Statement of Applicability

Defining Scope and Participants

Contracts and agreements



ISMS Documentation

• Level 1 – Security Manual: management framework policies relating to ISO 27001 (Policy, Organisation, risk assessment, statement of applicability)
• Level 2 – Procedures: describes processes – who, what, when, where
• Level 3 – Work Instructions, checklists, forms, etc.: describes how tasks and specific activities are done
• Level 4 – Records: provides objective evidence of compliance to ISMS requirements

Implementation Issues

[Flowchart of implementation activities]
• Develop Security Policy → Approval by CEO → Disseminate Policy → Enforce Policy
• Develop Documentation
• Select External Consultant
• Educate Personnel: Conduct Awareness → Continue Awareness (Newsletter, Sec Awareness Material)
• Acquire Policy Tool
• ISO27001 Internal Assessment → ISO27001 External Assessment
• Monitor & Measure Compliance
• Develop other missing controls (Physical, BCP etc.)
• Update Security Technologies (if needed)

Security Awareness Program is a very important issue.

A Tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.

Registration Process

Audit and Review of Information Security Management System

1. Choose a Registrar
2. Initial Inquiry
3. Quotation Provided
4. Application Submitted
5. Client Manager Appointed
6. Optional Pre-Assessment
7. Phase 1: Undertake a Desktop Review
8. Phase 2: Undertake a Full Audit
9. Registration Confirmed (upon successful completion)
10. Continual Assessment
    – Internal
    – External: Continuing (every 6 months); Re-Assessment (every 3 years)

Critical Success Factors

• Security policy that reflects business objectives
• Implementation approach consistent with company culture
• Visible support and commitment from management
• Good understanding of security requirements, risk assessment and risk management
• Effective marketing of security to all managers and employees
• Providing appropriate training and education
• A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement
• Use of an automated Security Policy Management tool

Closing Remarks

ISO27001 can be…

• Without genuine support from the top – a failure
• Without proper implementation – a burden
• With full support, proper implementation and ongoing commitment – a major benefit
Thank you for your time…

For more information please contact:

ENCODE Middle East

P.O. Box 500328


Dubai Internet City
Dubai – UAE
Tel.: +971-4-3608430
http://www.encodegroup.com
info_me@encodegroup.com