A brief introduction
Dimitris Petropoulos
Managing Director
ENCODE Middle East
September 2006
Information security
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”
[Slide diagram: a triangle with Confidentiality, Integrity and Availability at its corners and Risks and Vulnerabilities at its centre. Definitions given on the slide:]
• Integrity: Safeguarding the accuracy and completeness of information and processing methods.
• Availability: Ensuring that authorized users have access to information and associated assets when required.
• Confidentiality: (label only; no definition given on the slide)
Achieving Information Security
4 Ps of Information Security:
• Policy & Procedures
• People
• Products
Drivers & Benefits of compliance with the standard
ISO27001 Drivers
[Slide pie chart. Slice labels: Regulators, Best Practice, Business Security, Competitive Advantage, Market Demand. Percentages legible on the chart: 38%, 18%, 9%; which slice each belongs to is not recoverable from the extracted text.]
Benefits of compliance [1]
• Improved effectiveness of Information Security
• Market Differentiation
• Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
• The only standard with global acceptance
• Potential lower rates on insurance premiums
• Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
• Reduced liability due to unimplemented or unenforced policies and procedures
Benefits of compliance [2]
• Senior Management takes ownership of Information Security
• Standard covers IT as well as organization, personnel, and facilities
• Focused staff responsibilities
• Independent review of the Information Security Management System
• Better awareness of security
• Combined resources with other Management Systems (e.g. QMS)
• Mechanism for measuring the success of the security controls
ISO27001 Evolution
ISO27001/ISO17799/BS7799: History
• 1995: BS 7799 Part 1
• 1998: BS 7799 Part 2
• 1999: New issue of BS 7799 Part 1 & 2
• Dec 2000: ISO 17799:2000
• 2002: New BS 7799-2
ISO27001 is not (items crossed out on the slide):
• A technical standard
• Product or technology driven
• An equipment evaluation methodology such as the Common Criteria/ISO 15408
  – But it may require utilization of a Common Criteria Equipment Assurance Level (EAL)
Holistic Approach
[Slide flow diagram; the boxes recoverable from the extracted text, in the order they appear on the slide. The connecting arrows are not recoverable.]
• Identification of Information Assets
• Determination of Value of Information Assets
• Identification of Legal, regulatory & contractual requirements
• Determination of Risk
• Definition of Policies, Standards, and Procedures to Implement the Controls
• Implementation of Policies, Standards, and Procedures
• Completion of ISMS Documentation
• Update Statement of Applicability
• Defining Scope and Participants
Other labels on the diagram: Compliance (appears twice), Requirements.
Defining Scope and Participants
Management framework
policies relating to
ISO 27001 Level 1 Security Manual
Policy,
Organisation,
risk assessment,
statement of applicability
Work Instructions,
Level 3 Describes how tasks and specific checklists,
activities are done forms, etc.
Certification process
[Slide flow diagram, reconstructed as a sequence:]
1. Quotation Provided
2. Application Submitted
3. Client Manager Appointed
4. Optional Pre-Assessment
5. Phase 1: Undertake a Desktop Review
6. Phase 2: Undertake a Full Audit
7. Upon Successful Completion: Registration Confirmed
8. Continual Assessment
   • Internal
   • External
   • Continuing (every 6 months)
   • Re-Assessment (every 3 years)
Critical Success Factors