The essence of the ISMS (ISO-27001) is the protection / security of information. This webinar attempts to show the shift in the focus of the standard between the two editions, 2005 & 2013, and how the 2013 edition can be more effective in information security, since its management system prescribes a risk-based approach. The approach taken in the risk management process can and will vary from implementer to implementer and from organization to organization.
Main points covered:
• The erstwhile focus of the 2005 edition on Vulnerabilities
• The current focus of 2013 edition on risk management
• The significance of the shift for security implementers / risk practitioners
Presenter:
This webinar was presented by Sesha Prakash. Ms. Prakash is Vice President of PromaSecure – consultants for Information Security & Risk management. She has an overall experience of 35 years with the past 8 years devoted to the domains of Information Assurance and Information Security.
Link of the recorded session published on YouTube: https://youtu.be/hZ94-oelnUE
The significance of the Shift to Risk Management from Threat & Vulnerability Assessment in ISMS
2. Sesha Prakash S Kusuma
Vice President of PromaSecure
Sesha Prakash is Vice President of PromaSecure – consultants for Information Security & Risk
management. He has an overall experience of 35 years with the past 8 years devoted to the domains of
Information Assurance and Information Security.
(968)-9387 2036
seshaprakash@promasecure.com
www.promasecure.com
https://in.linkedin.com/in/seshaprakash-kusuma-sreenivasa-b863108
3. Introduction
My name is Sesha Prakash S Kusuma.
I am Vice President-Consulting with PromaSecure Consulting,
which is a strategic business unit of a larger organization,
M/s. Project Management Technology & Services LLC, based
out of Muscat, Oman.
We provide consultancy & implementation services in several
management systems aligned to the ISO standards, like the
ISMS & BCMS, including internal audits.
www.promasecure.com www.pecb.org
4. Certifications
I hold the following PECB certifications, besides being a certified trainer for PECB:
ISO-27001 Lead Auditor (Information Security)
ISO-31000 Lead Risk Manager,
ISO-38500 IT Governance Manager,
ISO-55000 Lead Auditor (Asset Management)
ISO-27019 Prov. SCADA Security Professional
Besides the ISO certifications, I hold the following:
From ISACA – CISA, CISM, CGEIT, CRISC, COBIT5(F)
From Axelos – ITIL, PRINCE2
From ISC2 – CISSP
From EC-Council – C|CISO
5. Disclaimer
My presentation is the opinion or conclusions drawn by me based on my work
with my clients.
Other Information Security practitioners or ISMS implementers may differ
with my view and may have a good reason for it. I do not claim to be a subject
matter expert, nor are my observations sacrosanct.
Acknowledgements
The GIF images are generally taken from the internet; I do not claim any ownership or copyright.
Much of the information is a distillation of the standards themselves, articles from magazines or newsletters, and public
information available on various websites, and I am not able to attribute it to a specific source. My acknowledgement and thanks to all the anonymous
authors and writers.
6. Coverage
The webinar covers the ISMS (ISO 27001) basics of:
• The erstwhile focus of the 2005 edition on assets, their vulnerabilities & threats
• The current focus of the 2013 edition on a risk-based approach to information risk
• The significance of the shift for security implementers / risk practitioners
7. Introduction
A dive into the evolution of today's ISMS
The building blocks of information security, the well-known triad of
'Confidentiality', 'Integrity' & 'Availability', were probably born here
The checklist covered the above aspects of the information systems
Recognition by the UK government in the 1990s
A new BS standard was born and, on popular acceptance, was adopted globally as an ISO
standard
8. Erstwhile Focus of 27001:2005 Edition
On assets, their vulnerabilities & threats
ISO 27001:2005 clause 4.2.d emphasizes:
• Identification of an asset and its owner
• Vulnerabilities within the assets & their identification
• Threats to such assets through threat agents
• The confidentiality, integrity & availability linked to these assets
10. Flow of the risk assessment derived from the 27001:2005 Edition
[Diagram: ISMS scope (discovery of the assets in the scope) → Asset / Asset Group Owner → Asset → Vulnerabilities → Threats → Impact / Severity and Probability / Likelihood → Risk Assessment]
Observations noted on the diagram:
• Multiple assets
• Ownership overlap or multiple ownership
• Need to cover all assets in scope
• Limitation on the overall view of the associated risks
11. Flow of the risk assessment (cont.)
[Diagram: a single asset with several vulnerabilities, each exposed to a threat: thief, hacking, floods, fire]
Asset Owner:
• May not know all the vulnerabilities, OR vulnerabilities are limited to the asset
• May not be able to identify all threats, OR may not be able to identify cascading threats
12. ISO 27002:2005
Flow of the risk assessment (cont.)
ISO 27002:2005, the code of practice,
emphasizes risk management
13. ISO 27005:2011 clause 8.2
Flow of the risk assessment (cont.)
Clause 8.2.2: Identification of assets
Clause 8.2.3: Identification of threats
Clause 8.2.5: Identification of vulnerabilities
14. Erstwhile Focus of 27001:2005 Edition
On assets, their vulnerabilities & threats
The downside, in my opinion, of the asset focus, and thereby of the threat and
vulnerability assessment upon these assets, is that it lacked emphasis on several aspects such
as:
• Business processes beyond the assets within the process
• Growth of the physical perimeters
• Virtual growth & porosity of network perimeters
• Growing dependency on internet-based networking
• Advancement in social engineering
• Effect of Moore's law on hardware technology
• Advent of new attack vectors like BYOD / internet penetration / reduced technology cost /
downloadable tools
The degree of information security achieved under the 2005 edition depended upon the
experience & competence of the implementer or consultant.
It was not as explicit or pervasive as it is in the current 2013 edition.
15. The Current Focus Of The 27001:2013 Edition
On risk management
The very first important clause of the ISO 27001:2013 edition starts with a requirement
to understand the organization, its context, and the expectations of interested
parties:
Clause 4.1 – Understanding the organization and its
context (external & internal)
Clause 4.2 – Understanding the needs and
expectations of interested parties (external & internal)
16. The Current Focus Of The 27001:2013 Edition
On risk management
[Diagram: Business Objective → ISMS Objective → Risk Owner (accountable for objectives; broad view of the process) → Risk Identification → Risk Analysis (Impact / Severity and Probability / Likelihood) → Assets that are impacted (several assets per risk) → Risk acceptance criteria → Risk Treatment & Control Identification]
17. The Current Focus Of The 27001:2013 Edition
On Risk Management
Reference to generic Risk frameworks like
• ISO 31000
• Clusif’s Mehari – 2010 revised for ISO:27001 – 2013
• Other methodologies (next slide)
18. The Current Focus Of The 27001:2013 Edition
On Risk Management
19. The Significance Of This Shift For Security
Implementers And Risk Practitioners
• Potential for integrated management systems is enlarged
• Simplified, common language between various verticals
within the organization
• Security implementers can take a holistic,
organization-wide view of the controls
• Periodic risk assessments by risk practitioners, with the
possibility of relating them to the enterprise as a whole, where possible
• Broader adoption of the ISMS with seamless risk management
20. The Significance Of This Shift For Security
Implementers And Risk Practitioners
Allowing integration of management systems under an all-encompassing risk
assessment or risk management framework
21. Conclusion

Stage                            | 2005 Edition                               | 2013 Edition
---------------------------------+--------------------------------------------+------------------------------------------------
Commences with                   | Asset discovery and inventory              | Business process & its objective
Valuation of                     | The asset                                  | ISMS objective and process
Assessment of                    | Asset vulnerabilities & associated threats | Issues affecting the objectives – risks (A & T)
Assessment stage concludes with  | Risk assessment & treatment                | Assets impacted
Followed by                      | Control identification and implementation  | Control identification and implementation
22. Conclusion
A risk-based assessment approach would be more inclusive of all
the required assets (as is the intention of the 2013 edition),
as against an
asset-based approach to risk assessment, which may not
emphasize or actively consider other prevalent risks within the
system.
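The two assessment flows contrasted in the conclusion table and the closing slide can be made concrete with a toy risk register. The following Python is an added illustration, not material from the webinar or from PromaSecure: it builds an asset-centred register in the style the slides attribute to the 2005 edition (scope → asset inventory → vulnerability → threat → score) and an objective-centred register in the style attributed to the 2013 edition (business objective → ISMS objective → risk owner → risks → assets impacted), then lists the objective-level risks that the asset-centred register cannot express. Every asset, vulnerability, threat, score, objective and owner is constructed sample data, and the 1-to-5 scoring scale and acceptance threshold are assumptions.

```python
"""Added illustration (not the webinar's material): a toy risk register that
contrasts the asset-centred assessment flow attributed to ISO 27001:2005 with
the objective-centred flow attributed to the 2013 edition. All data below is
constructed; the scoring scale and acceptance threshold are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str               # who is accountable for treating the risk
    impact: int              # severity, 1 (negligible) .. 5 (critical)      [assumed scale]
    likelihood: int          # probability, 1 (rare) .. 5 (almost certain)  [assumed scale]
    assets: Tuple[str, ...]  # assets impacted: one, several, or none in the inventory

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


# --- 2005-style flow: scope -> asset inventory -> vulnerabilities -> threats ---
# Constructed inventory: asset -> (asset owner, {vulnerability: [(threat, impact, likelihood)]})
INVENTORY_2005: Dict[str, Tuple[str, Dict[str, List[Tuple[str, int, int]]]]] = {
    "payroll-server": ("IT Ops", {
        "unpatched OS":      [("hacking", 5, 3)],
        "single power feed": [("fire", 4, 1)],
    }),
    "hr-laptop": ("HR", {
        "no disk encryption": [("thief", 4, 2)],
    }),
}


def asset_based_register(inventory) -> List[Risk]:
    """One risk per (asset, vulnerability, threat); the asset owner owns each risk."""
    register: List[Risk] = []
    for asset, (owner, vulns) in inventory.items():
        for vuln, threats in vulns.items():
            for threat, impact, likelihood in threats:
                register.append(Risk(f"{threat} via {vuln} on {asset}",
                                     owner, impact, likelihood, (asset,)))
    return register


# --- 2013-style flow: context -> business objective -> ISMS objective -> risks ---
BUSINESS_OBJECTIVE = "Pay all staff correctly on the last working day of the month"
ISMS_OBJECTIVE = "Payroll data is accurate and available for the month-end run"

# Risks are identified against the objective by the process (risk) owner, not per asset.
# The last three show what an asset-centred view misses: a cascading threat spanning
# several assets, a dependency that is not an inventoried asset, and a people risk.
RISKS_2013: List[Risk] = [
    Risk("payroll data tampered via unpatched server",
         "Payroll Manager", 5, 3, ("payroll-server",)),
    Risk("server room fire takes out server and HR laptops",
         "Payroll Manager", 5, 1, ("payroll-server", "hr-laptop")),
    Risk("bank file rejected because ISP link is down at month-end",
         "Payroll Manager", 4, 2, ("isp-link",)),
    Risk("payroll clerk social-engineered into changing bank details",
         "Payroll Manager", 4, 3, ()),
]


def risks_outside_asset_view(objective_risks: List[Risk],
                             asset_register: List[Risk]) -> List[str]:
    """Objective-level risks the asset-centred register cannot express: they touch
    several assets at once, or touch assets/processes absent from the inventory."""
    inventoried = {r.assets[0] for r in asset_register}
    return [r.name for r in objective_risks
            if len(r.assets) != 1 or r.assets[0] not in inventoried]


def needs_treatment(register: List[Risk], acceptance_threshold: int = 8) -> List[str]:
    """Risks whose impact x likelihood exceeds the (assumed) risk acceptance criteria."""
    return [r.name for r in register if r.score > acceptance_threshold]


def risk_owners(register: List[Risk]) -> set:
    """Distinct accountable owners: per-asset owners in 2005 style, a process owner in 2013 style."""
    return {r.owner for r in register}


if __name__ == "__main__":
    asset_reg = asset_based_register(INVENTORY_2005)
    print("2005-style owners:", risk_owners(asset_reg))
    print("2005-style risks needing treatment:", needs_treatment(asset_reg))
    print("2013-style owners:", risk_owners(RISKS_2013))
    print("2013-style risks needing treatment:", needs_treatment(RISKS_2013))
    print("Risks invisible to the asset-centred register:")
    for name in risks_outside_asset_view(RISKS_2013, asset_reg):
        print("  -", name)
```

The asset register produces one risk per asset/vulnerability/threat triple and scatters accountability across asset owners, while the objective register is owned by the person accountable for the business objective and can attach one risk to several assets, to a dependency outside the inventory, or to no asset at all; that difference is the "broader view of the process" the 2013 flow diagram describes.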