1. ISO 27001
Information Technology – Security Techniques
Information Security Management Systems - Requirements
Udugahapattuwa D.M.R.
2. What is ISO 27001?
▶ An international standard published by ISO (International Organization for Standardization) together with the IEC.
▶ Specifies the requirements for establishing, implementing, maintaining and continually
improving an Information Security Management System (ISMS).
▶ It follows the ISO High-Level Structure shared by ISO management system standards, so its clauses align with standards such as ISO 9001.
▶ Our focus is on two clauses of ISO 27001:
▶ 8. Operation
▶ 9. Performance Evaluation
3. 8. Operation
8.1 Operational Planning and Control
▶ The organisation shall plan, implement and control the processes needed to
meet its information security requirements and to carry out the actions determined in the planning clause.
▶ Documented information shall be kept to the extent necessary to have confidence
that these processes have been carried out as planned.
▶ Planned changes shall be controlled, and the consequences of unintended
changes reviewed, taking action to mitigate any adverse effects.
▶ Where any of these or any other relevant processes are outsourced, the organisation
shall ensure that the outsourced processes are determined and controlled.
4. 8.2 Information Security Risk Assessment
▶ Information security risk assessments shall be performed at planned
intervals.
▶ A risk assessment shall also be performed when significant changes are proposed
or occur, so the assessment is revised rather than left to age.
▶ Documented information on the results of each risk assessment shall be retained.
5. 8.3 Information Security Risk Treatment
▶ This clause requires the organisation to implement the information security risk
treatment plan and to retain documented information on the results of the treatment.
▶ The supporting documents are the risk treatment plan, the ISMS risk assessment report and the
Statement of Applicability (SoA), which records the controls selected and the justification for including or excluding each one.
▶ Examples of control areas in which risk treatment is implemented:
▶ Information Security Policies
▶ Access Control
6. Risk Treatment Options
▶ Retain the risk (accept it at its current level)
▶ Share the risk (for example through insurance or a supplier contract)
▶ Avoid the risk (stop the activity that gives rise to it)
▶ Reduce the risk (apply controls to lower its likelihood or impact)
7. 9. Performance Evaluation
9.1 Monitoring, Measurement, Analysis and Evaluation
▶ The aim is to evaluate the organisation's information security performance and the
effectiveness of the ISMS (Information Security Management System).
▶ Determining what needs to be monitored and measured is another key decision
the organisation has to make.
▶ The organisation shall determine:
▶ What needs to be monitored and measured, including information security processes and controls
▶ The methods for monitoring, measurement, analysis and evaluation, chosen so that they give valid and comparable results
▶ When the monitoring and measuring shall be performed
▶ Who shall perform the monitoring and measuring
▶ When the results shall be analysed and evaluated
▶ Who shall be responsible for analysing and evaluating the results
8. 9.2 Internal Audit
▶ The organisation shall conduct internal audits at planned intervals to provide
information on whether the ISMS:
▶ Conforms to the organisation's own requirements for its Information Security Management
System and to the requirements of this Standard
▶ Is effectively implemented and maintained
▶ The audit programme shall take into account the results of previous audits, so that
findings can be compared over time and improvements targeted.
▶ Define the audit criteria and scope for each audit.
▶ Audit results shall be reported to relevant management, and documented information retained as evidence.
9. 9.3 Management Review
▶ Top management shall review the organisation's Information Security Management System at
planned intervals.
▶ The purpose of the review is to ensure the continuing suitability, adequacy
and effectiveness of the ISMS.
▶ Inputs to be considered in the review include:
▶ The status of actions from previous management reviews
▶ Changes in external and internal issues that are relevant to the ISMS
▶ Feedback on the information security performance