SlideShare a Scribd company logo

541728869-Introduction-to-ISO-27001.pdf

S
SharudinBoriak1

Introduction to ISO 27001:2013

Presentations & Public Speaking
1 of 32
Download to read offline
Introduction to ISO 27001:2013 June 2016
PwC Agenda • Client drivers • Why use the ISO 27001 framework? • Background on ISO/IEC and ISO/IEC 27001 Certified Organizations • Information Security Management from the ISO/IEC 27001 perspective • Plan Do Check Act Model • ISO/IEC 27001 Information Security Management Systems Requirements • ISO/IEC 27002 Code of Practice for Information Security Controls • Documentation Requirements • ISO/IEC 27001 Certification • Implementation Steps • Advantages and Disadvantages Slide 2 June 2016 Introduction to ISO 27001:2013
PwC Client drivers for implementing ISO/IEC 27001 Our clients face a number of challenges in managing information security and the ISO 27001 Information Security Management System (ISMS) is one way to holistically address all these issues. Protecting business critical information Enabling the business to succeed Effectively protecting sensitive data Managing external and internal threats Implementing security controls Quantifying threat and vulnerability impact Ensuring information availability Regulatory compliance Managing third-party compliance Responding to security events Slide 3 June 2016 Introduction to ISO 27001:2013
PwC Why use the ISO 27000 framework? Source: Implementing Information Security based on ISO 27001/ ISO 17799 Reasons for implementing the ISO 27001 ISMS and associated ISO 27002 controls include: Strategic Customer Confidence Internal Effectiveness Regulatory Requirements ISMS Strategic – Better manage security within the broader external risk environment Customer Confidence – Show customers that their data will be reasonably protected by the organization, or to differentiate the organization from competitors Regulatory Requirements – Introduce a framework to integrate and manage widely varying regulations Internal Effectiveness – Manage information effectively as a good practice Slide 4 June 2016 Introduction to ISO 27001:2013
PwC Background on ISO and IEC • International Organization for Standardization officially began operations on February 1947 (from the International Federation of National Standardizing Associations and United Nations Standards Coordinating Committee) • World’s leading developer of international standards • Comprised of a network of standards institutes in 165 countries • Over 19,500 International Standards published • International Electrotechnical Commission founded in June 1906 • ISO and IEC created the Joint Technical Committee 1 (JTC1) for information technology which then created subcommittee 27 in charge of IT security techniques Slide 5 June 2016 Introduction to ISO 27001:2013
PwC ISO/IEC 27000 Family Slide 6 June 2016 Introduction to ISO 27001:2013
PwC Information Security Management from the ISO/IEC 27001 perspective • “Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.” • IT facilitates: Creation -> Processing -> Storing -> Transmitting -> Protection -> Destruction • Stored and processed: Digital, Material, Unrepresented • Transmitted: Courier, Electronic or Verbal communication • “Information security includes three main dimensions: Confidentiality, Availability and Integrity.” - ISO 27000:2013 ISO 27001 aims to protect: • Information Assets • Technology • Physical Assets • Services • People • Unrepresented (Intangibles) Slide 7 June 2016 Introduction to ISO 27001:2013
PwC Information Security Management from the ISO/IEC 27001 perspective • Management involves activities to direct, control and continually improve the organization within appropriate structures, including making necessary decisions to achieve business objectives through the protection of information assets. • A management system uses a framework of resources to achieve the organization’s objectives and includes: • Organizational structure • Policies • Planning activities • Responsibilities • Practices • Procedures and processes • Resources - ISO 27000:2013 Slide 8 June 2016 Introduction to ISO 27001:2013
PwC Plan Do Check Act* William Edwards Deming updated Walter Andrew Shewhart’s cycle *Note: Taken out in 27001:2013, organizations can now identify the best continual improvement process for their business Plan – set objectives and establish expectations Do – implement the plan, execute the process and collect the data for analysis Check – compare collected data or actual results with objectives Act – analyse differences, determine root cause and perform corrective actions I m p r o v e m e n t Time (Iterations) Continual Improvement Slide 9 June 2016 Introduction to ISO 27001:2013
PwC ISO/IEC 27001:2013 – Information Security Management System Requirements ISO/IEC 27001:2013 is referred to as a “specification” for the design and operation of an Information Security Management System • This specification is what is being referred to when “ISO certification” is discussed • The specification uses phrasing such as “must” and “shall”, indicating that elements presented within the specification are not optional • The specification requires implementation of a number of elements, such as: Understanding Context Leadership Commitment Asset Identification Risk Assessment Risk Treatment Incident Monitoring Performance Evaluation Improvement 4 6,8 6,8 9 6,8 9 10 5 Slide 10 June 2016 Introduction to ISO 27001:2013
PwC ISO/IEC 27001:2013 – Information Security Management System Requirements Leadership Improvement Planning Support Operation Performance evaluation Nonconformity and corrective action Continual improvement 10 Improvement Monitoring, measurement, analysis and evaluation Internal audit Management review 9 Performance evaluation Operational planning, control, risk assessment and risk treatment, including change controls and retention of the results of the risk assessment and treatment 8 Operation ISO/IEC 27001:2013 Leadership and commitment; Information security policy; Roles, responsibilities & authorities 5 Leadership Actions to address risks and opportunities (risk assessment and treatment); Information security objectives and planning to achieve them 6 Planning Resources Competence Awareness Communication Documented information 7 Support 4 Context of the organization Understanding the organization, its context, the needs and expectations of interested parties; and determining the scope of the ISMS Context of the organization 1 Scope 2 Normative references 3 Terms and definitions Slide 11 June 2016 Introduction to ISO 27001:2013
PwC ISO/IEC 27001 Risk Assessment 1 Scope 2 Normative references 3 Terms and definitions 4 Context of the organization 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance evaluation 10 Improvement 6.1.2 Information Security Risk Assessment The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: i. the risk acceptance criteria; and ii. criteria for performing information security risk assessments; b) ensures that repeated information security risk assessments produce consistent, valid and comparable results; c) identifies the information security risks: i. apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and ii. identify the risk owners; d) analyses the information security risks: i. assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; ii. assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and iii. determine the levels of risk; e) evaluates the information security risks: i. compare the results of risk analysis with the risk criteria established in 6.1.2 a); and ii. prioritize the analysed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process. Slide 12 June 2016 Introduction to ISO 27001:2013
PwC ISO/IEC 27001 Risk Treatment 1 Scope 2 Normative references 3 Terms and definitions 4 Context of the organization 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance evaluation 10 Improvement 6.1.3 Information Security Risk Treatment The organization shall define and apply an information security risk treatment process to: a) select appropriate information security risk treatment options, taking account of the risk assessment results; b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen; c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;. d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; e) formulate an information security risk treatment plan; and f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. The organization shall retain documented information about the information security risk treatment process. Slide 13 June 2016 Introduction to ISO 27001:2013
PwC ISO/IEC 27001 Risk Management In a nutshell 6.1.2 Information security risk assessment and 6.1.3 Information security risk treatment requires the following: • Have a documented Risk Assessment Methodology • Implement/Conduct the Risk Assessment • Have a plan on how to Treat Risks (e.g. Mitigate, Transfer, Avoid, Accept) • Document your Risk Assessment (e.g. Risk Assessment Report) • Document a Statement of Applicability or SOA • Implement the Risk Treatment Plan (RTP) Slide 14 June 2016 Introduction to ISO 27001:2013
PwC ISO/IEC 27002:2013 - Code of practice for information security controls ISO 27002 (Annex A for ISO 27001) establishes guidelines and general principles for initiating, implementing, maintaining, and improving security management in an organization. This document may serve as a guideline for developing organizational security documentation and effective security management practices. Control Clauses* (also referred to as Domains) of ISO 27002 5 Information Security Policies 6 Organization of Information Security 7 Human Resource Security 8 Asset Management 9 Access Control 10 Cryptography 11 Physical and Environmental Security 12 Operations Security 13 Communications Security 14 Systems Acquisition, Development and Maintenance 15 Supplier Relationships 16 Information Security Incident Management 17 Information Security Aspects of Business Continuity Management 18 Compliance 114 Controls 14 Control Clauses *Section 1-4 are introductory. Slide 15 June 2016 Introduction to ISO 27001:2013
PwC The ISO/IEC 27002:2013 Controls Map Slide 16 June 2016 Introduction to ISO 27001:2013
PwC ISO 27001 and ISO 27002 ISO/IEC 27001:2013 ISO/IEC 27002:2013 Info Sec Policies Compliance Organization of Info Sec HR Security Asset Mgmt Access Control Cryptography Phys. & Env. Security Operations Security Communications Security Sys Acq, Dev & Maintenance Supplier Relationships InfoSec Incident Mgmt InfoSec aspects of BCM Leadership Planning Improve Support Perf. evaluation Operation ISO/IEC 27001:2013 Context of the org Continual Improvement Process Slide 17 June 2016 Introduction to ISO 27001:2013
PwC Documentation requirements Organization’s shall ensure appropriate: • Identification and description • Format • Review and approval for suitability and adequacy Documented information shall be controlled to ensure: • Available and suitable for use when, and where it is needed • Adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity) Slide 18 June 2016 Introduction to ISO 27001:2013
PwC Documentation requirements The following shall be addressed as applicable: • Distribution, access*, retrieval and use • Storage, preservation, including the preservation of legibility • Control of changes (e.g. version control) • Retention and disposition • External documentation determined by the organization as necessary for the planning and operation of the ISMS shall be identified as appropriate and controlled *Access implies a decision on the permission to view document information only, or the permission and authority to view and change the documented information Slide 19 June 2016 Introduction to ISO 27001:2013
PwC Documentation requirements - SOA • Link between the Risk Assessment and implementation of the Risk Treatment Plan • Summarises which risks you have prioritised to treat, identifies other reasons (e.g. legislative, contractual) and justifies the inclusion exclusion of controls from Annex A (ISO 27002) and other sources (e.g. PCI DSS) • Central document used by auditors • References and points to the control (e.g. Policy/Procedure) Slide 20 June 2016 Introduction to ISO 27001:2013
PwC ISO/IEC 27001 certification An ISMS may be certified to be compliant with ISO 27001 by an independent third party registrar. Certification against ISO 27001 typically involves a three- stage audit process: ISO is responsible for developing, maintaining, and publishing the ISO 27000 series of standards, but itself ISO does not audit or assess the management systems of organizations. Certification is not a requirement of any of ISO’s management system standards. • Stage 1: Preliminary review of ISMS and its relevant documentation. • Stage 2: Formal compliance audit, testing ISMS against the requirements of ISO 27001. Note: PwC will only assist the client in audit and actual certification audit will be conducted by BSI certified agency • Stage 3: Follow-up reviews to test continued compliance. Certification maintenance requires periodic re-assessment audits. Assist client in Surveillance audit. Slide 21 June 2016 Introduction to ISO 27001:2013
PwC Implementation steps An organization needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS: • Identify information assets and their associated information security requirements • Assess information security risks and treat information security risks • Select and implement relevant controls to manage unacceptable risks • Monitor, maintain and improve the effectiveness of controls associated with the organization’s information assets - ISO 27000:2013 Slide 22 June 2016 Introduction to ISO 27001:2013
PwC Advantages and Disadvantages of ISO / IEC 27001 Advantages Disadvantages Compliance Documentation Top Management Buy-in Time and cost to implement Marketing Change in behaviours and culture* Lower expenses in the long run Puts security in order: - Responsibilities - Availability of Security Information - Security awareness Slide 23 June 2016 Introduction to ISO 27001:2013
PwC PwC Services for ISO 27001 • ISO 27001 Information Security Management System (ISMS) Design and Development • ISO 27001 ISMS Implementation • ISO 27001 ISMS Pre-Certification Audit • ISO 27001 Post Certification Maintenance and Support Slide 24 June 2016 Introduction to ISO 27001:2013
PwC PwC ISMS implementation methodology This 5 phased model underpins the ISO 27000-series standards approach to implementing a successful ISMS. This model is intended to help build an Information Security Program that can support multiple existing and future requirements. Step 3 – ISMS Component Inventory & Risk Assessment We will perform an ISMS component inventory, using ISO 27001 as a guide, to identify if any core components of the ISMS are already in place, and to what degree. We will also define, customize and execute the required risk assessment focused on the asset inventory items. Step 4 – Risk Treatment Plan & SoA After completion of the risk assessment, we will work with the client to define the risk treatment plan and draft the statement of applicability (SoA). The SoA defines the scope of the controls operated by the ISMS, and drives the majority of remediation activities. Step 5 – SoA Controls Assessment Once the SoA has been drafted, we will perform a controls gap assessment using the required SoA controls as the scope. The outcome will be a list of projects required to implement the needed controls. Step 6 – Build/Remediate We will work with client’s information security teams to stand up the ISMS and remediate controls gaps identified during the gap assessment. We will also assist with any remaining build out of core ISMS functionality such as the ISMS framework (policy), control metrics, control effectiveness monitoring capabilities, and any outstanding required documentation. Step 7 – Operate ISMS As portions of the ISMS are implemented, operations of the ISMS will be handed over to your teams. This phase will include operation of the ISMS, management review, and corrective action plans. Phase 1 Phase 2 Phase 3 Phases 4 & 5 ISMS Operation and Ongoing Audits • Operate Information Security management System (ISMS) • Review ISMS processes for continuous improvement • Annual internal audits of ISMS effectiveness • 3 year ISO27001 certification renewal audits Step 1 – Scoping During the initial phase, we will work with the client to clearly define and articulate their scope. in draft form. The key ISMS stakeholders should be identified, and communication to stakeholders should begin, including an introduction to the intended scope and a discussion of the planned value of the ISMS. Step 2 – Asset Inventory Once a draft scope is defined, we will create an inventory of the in-scope assets. The in-scope systems, data categories, locations, personnel and processes will be clearly enumerated and will drive the next set of ISMS implementation activities. Scoping & Planning Step 8 – Pre-Certification Audit We will review ISMS documentation that is created during the operating phase to identify any areas of improvement prior to the certification audit. The purpose of the pre-certification audit is to assess the level of readiness for the actual certification audit as well as prepare individuals for what to expect during the audit. The pre-certification audit can also serve as the required ISMS internal audit. Step 9 – 3rd Party Certification Audit An accredited 3rd party will perform the certification audit of your ISMS and make a recommendation to the certifying authority. PwC can provide assistance during the audit as needed. Design ISMS Build & Operate ISMS Certify ISMS Slide 25 June 2016 Introduction to ISO 27001:2013
PwC Review – ISO 27001 quiz Q: What document do 3rd party auditors typically use as a starting point for the audit? A: Statement of Applicability Q: A 1st party audit is performed by whom on who? A: An organization on itself Q: List 3 asset types that ISO 27001 aims to protect. A: Information Assets, Technology, Physical Assets, Services, People, Intangibles Slide 26 June 2016 Introduction to ISO 27001:2013
PwC Q & A Slide 27 June 2016 Introduction to ISO 27001:2013
PwC Appendix A – Documentation requirements Documents* ISO 27001:2013 clause number Scope of the ISMS 4.3 Information security policy and objectives 5.2, 6.2 Risk assessment and risk treatment methodology 6.1.2 Statement of Applicability 6.1.3 d) Risk treatment plan 6.1.3 e), 6.2 Risk assessment report and treatment plan 8.2, 8.3 Definition of security roles and responsibilities A.7.1.2, A.13.2.4 Documented information determined by the organisation as being necessary for the effectiveness of the ISMS 7.5.1 b) Inventory of assets A.8.1.1 Acceptable use of assets A.8.1.3 Access control policy A.9.1.1 Operational Planning and Control and Operating procedures for IT management 8.1, A.12.1.1 Secure system engineering principles A.14.2.5 Supplier security policy A.15.1.1 Incident management procedure A.16.1.5 Business continuity procedures A.17.1.2 Legal, regulatory, and contractual requirements A.18.1.1 Slide 28 June 2016 Introduction to ISO 27001:2013
PwC Appendix A – Documentation requirements Records* ISO 27001:2013 clause number Records of training, skills, experience and qualifications (evidence of competence) 7.2 Monitoring and measurement results 9.1 Internal audit program (evidence of audit programmes and audit results) 9.2 Results of internal audits 9.2 Results of the management review 9.3 Evidence of the nature of non-conformities and any subsequent actions taken; Evidence of the results of any corrective actions taken 10.1 f), 10.1 g Logs of user activities, exceptions, and security events A.12.4.1, A.12.4.3 Slide 29 June 2016 Introduction to ISO 27001:2013
PwC Appendix B – Documentation – non mandatory Documents ISO 27001:2013 clause number Procedure for document control* 7.5 Controls for managing records* 7.5 Procedure for internal audit* 9.2 Procedure for corrective action* 10.1 Bring your own device (BYOD) policy A.6.2.1 Mobile device and teleworking policy A.6.2.1 Information classification policy A.8.2.1, A.8.2.2, A.8.2.3 Password policy A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3 Disposal and destruction policy A.8.3.2, A.11.2.7 Procedures for working in secure areas A.11.1.5 Clear desk and clear screen policy A.11.2.9 Change management policy A.12.1.2, A.14.2.4 Backup policy A.12.3.1 Information transfer policy A.13.2.1, A.13.2.2, A.13.2.3 Business impact analysis A.17.1.1 Exercising and testing plan A.17.1.3 Maintenance and review plan A.17.1.3 Business continuity strategy A.17.2.1 Slide 30 June 2016 Introduction to ISO 27001:2013
PwC Appendix C – Implementation Steps Slide 31 June 2016 Introduction to ISO 27001:2013
Thank You The information contained in this document is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional advisor. © 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Recommended

ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxforam74
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingOperational Excellence Consulting
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirementshumanus2
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowPECB
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxssuser00d6eb
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterOperational Excellence Consulting
 

Recommended

ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxforam74
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingOperational Excellence Consulting
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirementshumanus2
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowPECB
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxssuser00d6eb
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterOperational Excellence Consulting
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Yerlin Sturdivant
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Chandan Singh Ghodela
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationNetwork Intelligence India
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptxSuman Garai
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCPECB
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4Obrina Candra, CISA, ISMS-LA
 
ISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust FrameworkISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust FrameworkMaganathin Veeraragaloo
 
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?PECB
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
ISO27001
ISO27001ISO27001
ISO27001Ruchit Ahuja
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awarenessÃsħâr Ãâlâm
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 IntroductionAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
CQI-IRCA 27001:2013 Lead Auditor Course
CQI-IRCA 27001:2013 Lead Auditor Course CQI-IRCA 27001:2013 Lead Auditor Course
CQI-IRCA 27001:2013 Lead Auditor Course Desmond Muchetu
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?Lars Neupart
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 

More Related Content

Similar to 541728869-Introduction-to-ISO-27001.pdf

Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Yerlin Sturdivant
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Chandan Singh Ghodela
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationNetwork Intelligence India
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptxSuman Garai
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCPECB
 
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?PECB
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
CQI-IRCA 27001:2013 Lead Auditor Course
CQI-IRCA 27001:2013 Lead Auditor Course CQI-IRCA 27001:2013 Lead Auditor Course
CQI-IRCA 27001:2013 Lead Auditor Course Desmond Muchetu
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?Lars Neupart
 

Similar to 541728869-Introduction-to-ISO-27001.pdf (20)

Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics Implementation
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRC
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
 
ISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust FrameworkISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust Framework
 
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
ISO27001
ISO27001ISO27001
ISO27001
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
CQI-IRCA 27001:2013 Lead Auditor Course
CQI-IRCA 27001:2013 Lead Auditor Course CQI-IRCA 27001:2013 Lead Auditor Course
CQI-IRCA 27001:2013 Lead Auditor Course
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
 

Recently uploaded

Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYPHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYpruthirajnayak525
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...NETWAYS
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxnoorehahmad
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxCarrieButtitta
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !risocarla2016
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)Basil Achie
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 

Recently uploaded (20)

Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYPHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptx
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 

541728869-Introduction-to-ISO-27001.pdf

  • 2. PwC Agenda • Client drivers • Why use the ISO 27001 framework? • Background on ISO/IEC and ISO/IEC 27001 Certified Organizations • Information Security Management from the ISO/IEC 27001 perspective • Plan Do Check Act Model • ISO/IEC 27001 Information Security Management Systems Requirements • ISO/IEC 27002 Code of Practice for Information Security Controls • Documentation Requirements • ISO/IEC 27001 Certification • Implementation Steps • Advantages and Disadvantages Slide 2 June 2016 Introduction to ISO 27001:2013
  • 3. PwC Client drivers for implementing ISO/IEC 27001 Our clients face a number of challenges in managing information security and the ISO 27001 Information Security Management System (ISMS) is one way to holistically address all these issues. Protecting business critical information Enabling the business to succeed Effectively protecting sensitive data Managing external and internal threats Implementing security controls Quantifying threat and vulnerability impact Ensuring information availability Regulatory compliance Managing third-party compliance Responding to security events Slide 3 June 2016 Introduction to ISO 27001:2013
  • 4. PwC Why use the ISO 27000 framework? Source: Implementing Information Security based on ISO 27001/ ISO 17799 Reasons for implementing the ISO 27001 ISMS and associated ISO 27002 controls include: Strategic Customer Confidence Internal Effectiveness Regulatory Requirements ISMS Strategic – Better manage security within the broader external risk environment Customer Confidence – Show customers that their data will be reasonably protected by the organization, or to differentiate the organization from competitors Regulatory Requirements – Introduce a framework to integrate and manage widely varying regulations Internal Effectiveness – Manage information effectively as a good practice Slide 4 June 2016 Introduction to ISO 27001:2013
  • 5. PwC Background on ISO and IEC • International Organization for Standardization officially began operations on February 1947 (from the International Federation of National Standardizing Associations and United Nations Standards Coordinating Committee) • World’s leading developer of international standards • Comprised of a network of standards institutes in 165 countries • Over 19,500 International Standards published • International Electrotechnical Commission founded in June 1906 • ISO and IEC created the Joint Technical Committee 1 (JTC1) for information technology which then created subcommittee 27 in charge of IT security techniques Slide 5 June 2016 Introduction to ISO 27001:2013
  • 6. PwC ISO/IEC 27000 Family Slide 6 June 2016 Introduction to ISO 27001:2013
  • 7. PwC Information Security Management from the ISO/IEC 27001 perspective • “Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.” • IT facilitates: Creation -> Processing -> Storing -> Transmitting -> Protection -> Destruction • Stored and processed: Digital, Material, Unrepresented • Transmitted: Courier, Electronic or Verbal communication • “Information security includes three main dimensions: Confidentiality, Availability and Integrity.” - ISO 27000:2013 ISO 27001 aims to protect: • Information Assets • Technology • Physical Assets • Services • People • Unrepresented (Intangibles) Slide 7 June 2016 Introduction to ISO 27001:2013
  • 8. PwC Information Security Management from the ISO/IEC 27001 perspective • Management involves activities to direct, control and continually improve the organization within appropriate structures, including making necessary decisions to achieve business objectives through the protection of information assets. • A management system uses a framework of resources to achieve the organization’s objectives and includes: • Organizational structure • Policies • Planning activities • Responsibilities • Practices • Procedures and processes • Resources - ISO 27000:2013 Slide 8 June 2016 Introduction to ISO 27001:2013
  • 9. PwC Plan Do Check Act* William Edwards Deming updated Walter Andrew Shewhart’s cycle *Note: Taken out in 27001:2013, organizations can now identify the best continual improvement process for their business Plan – set objectives and establish expectations Do – implement the plan, execute the process and collect the data for analysis Check – compare collected data or actual results with objectives Act – analyse differences, determine root cause and perform corrective actions I m p r o v e m e n t Time (Iterations) Continual Improvement Slide 9 June 2016 Introduction to ISO 27001:2013
  • 10. PwC ISO/IEC 27001:2013 – Information Security Management System Requirements ISO/IEC 27001:2013 is referred to as a “specification” for the design and operation of an Information Security Management System • This specification is what is being referred to when “ISO certification” is discussed • The specification uses phrasing such as “must” and “shall”, indicating that elements presented within the specification are not optional • The specification requires implementation of a number of elements, such as: Understanding Context Leadership Commitment Asset Identification Risk Assessment Risk Treatment Incident Monitoring Performance Evaluation Improvement 4 6,8 6,8 9 6,8 9 10 5 Slide 10 June 2016 Introduction to ISO 27001:2013
  • 11. PwC ISO/IEC 27001:2013 – Information Security Management System Requirements Leadership Improvement Planning Support Operation Performance evaluation Nonconformity and corrective action Continual improvement 10 Improvement Monitoring, measurement, analysis and evaluation Internal audit Management review 9 Performance evaluation Operational planning, control, risk assessment and risk treatment, including change controls and retention of the results of the risk assessment and treatment 8 Operation ISO/IEC 27001:2013 Leadership and commitment; Information security policy; Roles, responsibilities & authorities 5 Leadership Actions to address risks and opportunities (risk assessment and treatment); Information security objectives and planning to achieve them 6 Planning Resources Competence Awareness Communication Documented information 7 Support 4 Context of the organization Understanding the organization, its context, the needs and expectations of interested parties; and determining the scope of the ISMS Context of the organization 1 Scope 2 Normative references 3 Terms and definitions Slide 11 June 2016 Introduction to ISO 27001:2013
  • 12. PwC ISO/IEC 27001 Risk Assessment 1 Scope 2 Normative references 3 Terms and definitions 4 Context of the organization 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance evaluation 10 Improvement 6.1.2 Information Security Risk Assessment The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: i. the risk acceptance criteria; and ii. criteria for performing information security risk assessments; b) ensures that repeated information security risk assessments produce consistent, valid and comparable results; c) identifies the information security risks: i. apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and ii. identify the risk owners; d) analyses the information security risks: i. assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; ii. assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and iii. determine the levels of risk; e) evaluates the information security risks: i. compare the results of risk analysis with the risk criteria established in 6.1.2 a); and ii. prioritize the analysed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process. Slide 12 June 2016 Introduction to ISO 27001:2013
  • 13. PwC ISO/IEC 27001 Risk Treatment 1 Scope 2 Normative references 3 Terms and definitions 4 Context of the organization 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance evaluation 10 Improvement 6.1.3 Information Security Risk Treatment The organization shall define and apply an information security risk treatment process to: a) select appropriate information security risk treatment options, taking account of the risk assessment results; b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen; c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;. d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; e) formulate an information security risk treatment plan; and f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. The organization shall retain documented information about the information security risk treatment process. Slide 13 June 2016 Introduction to ISO 27001:2013
  • 14. PwC ISO/IEC 27001 Risk Management In a nutshell 6.1.2 Information security risk assessment and 6.1.3 Information security risk treatment requires the following: • Have a documented Risk Assessment Methodology • Implement/Conduct the Risk Assessment • Have a plan on how to Treat Risks (e.g. Mitigate, Transfer, Avoid, Accept) • Document your Risk Assessment (e.g. Risk Assessment Report) • Document a Statement of Applicability or SOA • Implement the Risk Treatment Plan (RTP) Slide 14 June 2016 Introduction to ISO 27001:2013
  • 15. PwC ISO/IEC 27002:2013 - Code of practice for information security controls ISO 27002 (Annex A for ISO 27001) establishes guidelines and general principles for initiating, implementing, maintaining, and improving security management in an organization. This document may serve as a guideline for developing organizational security documentation and effective security management practices. Control Clauses* (also referred to as Domains) of ISO 27002 5 Information Security Policies 6 Organization of Information Security 7 Human Resource Security 8 Asset Management 9 Access Control 10 Cryptography 11 Physical and Environmental Security 12 Operations Security 13 Communications Security 14 Systems Acquisition, Development and Maintenance 15 Supplier Relationships 16 Information Security Incident Management 17 Information Security Aspects of Business Continuity Management 18 Compliance 114 Controls 14 Control Clauses *Section 1-4 are introductory. Slide 15 June 2016 Introduction to ISO 27001:2013
  • 16. PwC The ISO/IEC 27002:2013 Controls Map Slide 16 June 2016 Introduction to ISO 27001:2013
  • 17. PwC ISO 27001 and ISO 27002 ISO/IEC 27001:2013 ISO/IEC 27002:2013 Info Sec Policies Compliance Organization of Info Sec HR Security Asset Mgmt Access Control Cryptography Phys. & Env. Security Operations Security Communications Security Sys Acq, Dev & Maintenance Supplier Relationships InfoSec Incident Mgmt InfoSec aspects of BCM Leadership Planning Improve Support Perf. evaluation Operation ISO/IEC 27001:2013 Context of the org Continual Improvement Process Slide 17 June 2016 Introduction to ISO 27001:2013
  • 18. PwC Documentation requirements Organization’s shall ensure appropriate: • Identification and description • Format • Review and approval for suitability and adequacy Documented information shall be controlled to ensure: • Available and suitable for use when, and where it is needed • Adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity) Slide 18 June 2016 Introduction to ISO 27001:2013
  • 19. PwC Documentation requirements The following shall be addressed as applicable: • Distribution, access*, retrieval and use • Storage, preservation, including the preservation of legibility • Control of changes (e.g. version control) • Retention and disposition • External documentation determined by the organization as necessary for the planning and operation of the ISMS shall be identified as appropriate and controlled *Access implies a decision on the permission to view document information only, or the permission and authority to view and change the documented information Slide 19 June 2016 Introduction to ISO 27001:2013
  • 20. PwC Documentation requirements - SOA • Link between the Risk Assessment and implementation of the Risk Treatment Plan • Summarises which risks you have prioritised to treat, identifies other reasons (e.g. legislative, contractual) and justifies the inclusion exclusion of controls from Annex A (ISO 27002) and other sources (e.g. PCI DSS) • Central document used by auditors • References and points to the control (e.g. Policy/Procedure) Slide 20 June 2016 Introduction to ISO 27001:2013
  • 21. PwC ISO/IEC 27001 certification An ISMS may be certified to be compliant with ISO 27001 by an independent third party registrar. Certification against ISO 27001 typically involves a three- stage audit process: ISO is responsible for developing, maintaining, and publishing the ISO 27000 series of standards, but itself ISO does not audit or assess the management systems of organizations. Certification is not a requirement of any of ISO’s management system standards. • Stage 1: Preliminary review of ISMS and its relevant documentation. • Stage 2: Formal compliance audit, testing ISMS against the requirements of ISO 27001. Note: PwC will only assist the client in audit and actual certification audit will be conducted by BSI certified agency • Stage 3: Follow-up reviews to test continued compliance. Certification maintenance requires periodic re-assessment audits. Assist client in Surveillance audit. Slide 21 June 2016 Introduction to ISO 27001:2013
  • 22. PwC Implementation steps An organization needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS: • Identify information assets and their associated information security requirements • Assess information security risks and treat information security risks • Select and implement relevant controls to manage unacceptable risks • Monitor, maintain and improve the effectiveness of controls associated with the organization’s information assets - ISO 27000:2013 Slide 22 June 2016 Introduction to ISO 27001:2013
  • 23. PwC Advantages and Disadvantages of ISO / IEC 27001 Advantages Disadvantages Compliance Documentation Top Management Buy-in Time and cost to implement Marketing Change in behaviours and culture* Lower expenses in the long run Puts security in order: - Responsibilities - Availability of Security Information - Security awareness Slide 23 June 2016 Introduction to ISO 27001:2013
  • 24. PwC PwC Services for ISO 27001 • ISO 27001 Information Security Management System (ISMS) Design and Development • ISO 27001 ISMS Implementation • ISO 27001 ISMS Pre-Certification Audit • ISO 27001 Post Certification Maintenance and Support Slide 24 June 2016 Introduction to ISO 27001:2013
  • 25. PwC PwC ISMS implementation methodology This 5 phased model underpins the ISO 27000-series standards approach to implementing a successful ISMS. This model is intended to help build an Information Security Program that can support multiple existing and future requirements. Step 3 – ISMS Component Inventory & Risk Assessment We will perform an ISMS component inventory, using ISO 27001 as a guide, to identify if any core components of the ISMS are already in place, and to what degree. We will also define, customize and execute the required risk assessment focused on the asset inventory items. Step 4 – Risk Treatment Plan & SoA After completion of the risk assessment, we will work with the client to define the risk treatment plan and draft the statement of applicability (SoA). The SoA defines the scope of the controls operated by the ISMS, and drives the majority of remediation activities. Step 5 – SoA Controls Assessment Once the SoA has been drafted, we will perform a controls gap assessment using the required SoA controls as the scope. The outcome will be a list of projects required to implement the needed controls. Step 6 – Build/Remediate We will work with client’s information security teams to stand up the ISMS and remediate controls gaps identified during the gap assessment. We will also assist with any remaining build out of core ISMS functionality such as the ISMS framework (policy), control metrics, control effectiveness monitoring capabilities, and any outstanding required documentation. Step 7 – Operate ISMS As portions of the ISMS are implemented, operations of the ISMS will be handed over to your teams. This phase will include operation of the ISMS, management review, and corrective action plans. Phase 1 Phase 2 Phase 3 Phases 4 & 5 ISMS Operation and Ongoing Audits • Operate Information Security management System (ISMS) • Review ISMS processes for continuous improvement • Annual internal audits of ISMS effectiveness • 3 year ISO27001 certification renewal audits Step 1 – Scoping During the initial phase, we will work with the client to clearly define and articulate their scope. in draft form. The key ISMS stakeholders should be identified, and communication to stakeholders should begin, including an introduction to the intended scope and a discussion of the planned value of the ISMS. Step 2 – Asset Inventory Once a draft scope is defined, we will create an inventory of the in-scope assets. The in-scope systems, data categories, locations, personnel and processes will be clearly enumerated and will drive the next set of ISMS implementation activities. Scoping & Planning Step 8 – Pre-Certification Audit We will review ISMS documentation that is created during the operating phase to identify any areas of improvement prior to the certification audit. The purpose of the pre-certification audit is to assess the level of readiness for the actual certification audit as well as prepare individuals for what to expect during the audit. The pre-certification audit can also serve as the required ISMS internal audit. Step 9 – 3rd Party Certification Audit An accredited 3rd party will perform the certification audit of your ISMS and make a recommendation to the certifying authority. PwC can provide assistance during the audit as needed. Design ISMS Build & Operate ISMS Certify ISMS Slide 25 June 2016 Introduction to ISO 27001:2013
  • 26. PwC Review – ISO 27001 quiz Q: What document do 3rd party auditors typically use as a starting point for the audit? A: Statement of Applicability Q: A 1st party audit is performed by whom on who? A: An organization on itself Q: List 3 asset types that ISO 27001 aims to protect. A: Information Assets, Technology, Physical Assets, Services, People, Intangibles Slide 26 June 2016 Introduction to ISO 27001:2013
  • 27. PwC Q & A Slide 27 June 2016 Introduction to ISO 27001:2013
  • 28. PwC Appendix A – Documentation requirements Documents* ISO 27001:2013 clause number Scope of the ISMS 4.3 Information security policy and objectives 5.2, 6.2 Risk assessment and risk treatment methodology 6.1.2 Statement of Applicability 6.1.3 d) Risk treatment plan 6.1.3 e), 6.2 Risk assessment report and treatment plan 8.2, 8.3 Definition of security roles and responsibilities A.7.1.2, A.13.2.4 Documented information determined by the organisation as being necessary for the effectiveness of the ISMS 7.5.1 b) Inventory of assets A.8.1.1 Acceptable use of assets A.8.1.3 Access control policy A.9.1.1 Operational Planning and Control and Operating procedures for IT management 8.1, A.12.1.1 Secure system engineering principles A.14.2.5 Supplier security policy A.15.1.1 Incident management procedure A.16.1.5 Business continuity procedures A.17.1.2 Legal, regulatory, and contractual requirements A.18.1.1 Slide 28 June 2016 Introduction to ISO 27001:2013
  • 29. PwC Appendix A – Documentation requirements Records* ISO 27001:2013 clause number Records of training, skills, experience and qualifications (evidence of competence) 7.2 Monitoring and measurement results 9.1 Internal audit program (evidence of audit programmes and audit results) 9.2 Results of internal audits 9.2 Results of the management review 9.3 Evidence of the nature of non-conformities and any subsequent actions taken; Evidence of the results of any corrective actions taken 10.1 f), 10.1 g Logs of user activities, exceptions, and security events A.12.4.1, A.12.4.3 Slide 29 June 2016 Introduction to ISO 27001:2013
  • 30. PwC Appendix B – Documentation – non mandatory Documents ISO 27001:2013 clause number Procedure for document control* 7.5 Controls for managing records* 7.5 Procedure for internal audit* 9.2 Procedure for corrective action* 10.1 Bring your own device (BYOD) policy A.6.2.1 Mobile device and teleworking policy A.6.2.1 Information classification policy A.8.2.1, A.8.2.2, A.8.2.3 Password policy A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3 Disposal and destruction policy A.8.3.2, A.11.2.7 Procedures for working in secure areas A.11.1.5 Clear desk and clear screen policy A.11.2.9 Change management policy A.12.1.2, A.14.2.4 Backup policy A.12.3.1 Information transfer policy A.13.2.1, A.13.2.2, A.13.2.3 Business impact analysis A.17.1.1 Exercising and testing plan A.17.1.3 Maintenance and review plan A.17.1.3 Business continuity strategy A.17.2.1 Slide 30 June 2016 Introduction to ISO 27001:2013
  • 31. PwC Appendix C – Implementation Steps Slide 31 June 2016 Introduction to ISO 27001:2013
  • 32. Thank You The information contained in this document is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional advisor. © 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.