2. What is Information Security
The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether
accidental or intentional
Information Assets
• Asset is something that has “value to the organization”
• Information assets of an organization can be:
• business data
• E-mail data
• Employee information
• Research records
• Price lists
• Tender documents
• Spoken in conversations over the telephone
Organization must determine which assets can materially affect the delivery of product/service by their
absence or degradation
Information Security Management relates to all types of information, be it paper-based, electronic or other. It
determines how information is processed, stored, transferred, archived and destroyed.
A secure information is one which ensures Confidentiality, Integrity, and Availability.
It is all about protecting information assets from potential security breaches.
6/27/2023
– Data stored on computers
– Transmitted across networks
– Printed out
– Written on a paper, sent by fax
– Stored on disks
– Held on microfilm
3. What is Information Security
6/27/2023
• Confidentiality
• Is my communication private?
• Ensuring that the data is read only by the intended person
• Protection of data against unauthorized access or disclosure
• Possible through access control and encryption
• Integrity
• Has my communication been altered?
• Protection of data against unauthorized modification or substitution
• If integrity is compromised, no point in protecting data
• A transparent envelope that is tamper evident
• Availability
• Are the systems responsible for delivering, storing and processing
information accessible when needed
• Are the above systems accessible to only those who need them
4. Management Concerns
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security
Security
Measures/Controls
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management
6/27/2023 4
Need for ISMS
All these can be addressed effectively and
efficiently only by establishing a proper
Information Security Management System (ISMS)
5. Structure
The specification is spread across 5
clauses, which approach the ISMS
from a managerial perspective.
4. Information security
management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
Structure
The specification is spread across 7
clauses, which do not have to be
followed in the order they are listed.
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
6/27/2023
Comparing ISO 27001:2005 to ISO 27001:2013
ISO 27001:2005 ISO 27001:2013
6. Process
The standard clearly states that it follows the
PDCA (Plan-Do-Check-Act) model
Process
The standard does not specify any particular
process model.
The standard requires that a process of continual
improvement is used
6/27/2023
Comparing ISO 27001:2005 to ISO 27001:2013
ISO 27001:2005 ISO 27001:2013
Governance and management
Management roles are described as
‘management’ and ‘top management’,
removing reference to the board.
The organization is that part of the business
that falls within the scope, and not
necessarily the legal entity.
The board initiates the ISMS; management
oversees the implementation of the ISMS
Governance and management
Senior management plays a major role.
Management and board engagement is high but
the separation between board and management
is not clear.
7. Risk assessments
The definition of risk is the “combination of the
probability of an event and its consequences”.
The organization identifies risks against assets.
The asset owner determines how to treat the risk,
accepting residual risk. Controls are drawn from
Annex A.
Annex A is not exhaustive, so additional controls
can be drawn from other sources.
The Statement of Applicability records whether a
control from Annex A is selected and why.
Risk assessments
The definition of risk is the “effect of uncertainty
on objectives”, which may be positive or negative.
Baseline controls based on regulatory, business
and contractual obligations may be identified and
implemented before the risk assessment is
conducted.
The organization identifies risks to the
organization's information the assessment does
not have to be asset-based.
The risk owner determines how to treat the risk,
accepting residual risk.
Controls are drawn from any source or control Set
Selected controls are compared to those in Annex
A.
The Statement of Applicability records whether a
control from Annex A is selected and why
6/27/2023
Comparing ISO 27001:2005 to ISO 27001:2013
ISO 27001:2005 ISO 27001:2013
8. Controls
Annex A contains 133 controls across 11 control
categories.
Controls from other sources are used to ‘plug
gaps’ not covered by Annex A controls
Controls
Annex A contains 114 controls across 14
control categories
Controls (from any source) are identified
before referring to Annex A
6/27/2023
Comparing ISO 27001:2005 to ISO 27001:2013
ISO 27001:2005 ISO 27001:2013
Documentation
The standard makes no distinction between
documents and records.
Documents and records are subject to the
same control requirements.
Documentation
The standard recognizes two forms: documents
and records.
Documents include policies, procedures, process
diagrams, etc.
Records track work completed, audit schedules,
etc.
9. ISO27001 Structure
9
ISO27001
ISO/IEC 27001:2013 Auditable Standard
Clauses: Mandatory Processes Annex A: Control Objectives
4 Context of the organisation
5 Leadership
6 Planning
7 Support
14 Domains
35 Control Objectives
114 controls
8 Operation
9 Performance evaluation
10 ISMS Improvement
10. Number of Domains and Controls
Domains Control Obj. Controls
A5. Information Security policies 1 2
A6. Organization of information security 2 7
A7. Human resources security 3 6
A8. Asset management 3 10
A.9 Access control 4 14
A.10 Cryptography 1 2
A.11 Physical and environmental security 2 15
A.12. Operations Security 7 14
A.13 Communications Security 2 7
A.14 Systems acquisition, development & Maint. 3 13
A.15 Supplier Relationship 2 5
A.16 Information security incident management 1 7
A.17 Information Security aspect of Business continuity management 2 4
A.18 Compliance 2 8
Total - 14 35 114
10
11. ISO 27001 Main Clauses
• Clause 4: Context of the organization
• Understanding the organization and its context
• Understanding the needs and expectation of interested parties.
• Determining the scope of the information security management system
• Information security management system
• Clause 5: Leadership
• Leadership and Commitment
• Policy
• Organization, roles, responsibilities and authorties
• Clause 6: Planning
• Action to address Risk and Opportunities
• Information security objectives and Planning to achieve them
• Clause 7: Support
• Resource
• Competence
• Awareness
• Communication
• Documented Information
6/27/2023 11
12. ISO 27001 Main Clauses
• Clause 8: Operation
• Operation planning and control
• Information security Risk assessment
• Information security Risk Treatment
• Clause 9: Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal Audit
• Management Review
• Clause 10: Improvement
• Non conformity and corrective action
• Continual improvement
6/27/2023 12
13. ISMS Scope
6/27/2023 13
The Information Security Management Systems
covering all business functions and processes
associated with information assets to provide
customers, employees and business partners benefits
and services in the organization.
14. Quality & Security Policy :
NST is committed to maintain high quality standards in delivering timely and cost
effective solutions to our customers by continual improvement of our processes,
instilling quality consciousness amongst all employees and recognizing the
confidentiality, integrity and availability of information assets to relevant
stakeholders including our customers.
Business Objectives
Key Objective 1: Provide high quality services to our clients.
Key Objective 2: Continuous focus on employee satisfaction and competency development so as to reduce and
stabilize employee attrition.
Key Objective 3: Continual improvement of services to our internal & external customers.
Key Objective 4: To secure its information assets and of its customers, NST shall deploy procedures to maintain
confidentiality, integrity and availability of all information assets.
Key Objective 5: To have year on year revenue increase while maintaining profitability.
Quality Policy & Business Objectives
15. 6/27/2023 15
ISMS Documentation
Procedure
Work Instructions,
checklists, forms,
etc.
Records
ISMS Manual
(Apex document)
Policy,
scope
Risk Assessment,
statement of applicability
Describes processes
who, what, when, where
Describes how tasks and specific
activities are done
Provides objective evidence of compliance
to ISMS requirements
Management framework
policies
Level 2
Level 3
Level 4
Level 1
16. Risk Assessment and Management
• Risk Assessment
• Identify all Stakeholders
• Identify Business Process
• Identify Operation Process
• Identify Assets
• Identify Risk on the basis of all Stakeholders
• Identify Threats and Vulnerabilities
• Evaluate Probability and Impact
• Calculate Risk Value
• Risk treatment
• Mitigate/Reduce risk
• Avoid risk
• Transfer risk
• Accept risk
• Risk Management
• Mitigate the risk by appropriate controls
• Evaluate controls periodically
6/27/2023 16
17. ISO 27001:2013 Main Clauses-10
• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance Evaluation
• Clause 10: Improvement
• Clause 11: Domain, Control Objective & Controls
There are 14 domains 35 control objectives and 114 detail controls
18. Structure of ISO 27001:2013 Controls
A.5 Information security policies – controls on how the policies are written and reviewed
A.6 Organization of information security – controls on how the responsibilities are assigned; also
includes the controls for mobile devices and teleworking
A.7 Human resources security – controls prior to employment, during, and after the employment
A.8 Asset management – controls related to inventory of assets and acceptable use, also for
information classification and media handling
A.9 Access control – controls for Access control policy, user access management, system and
application access control, and user Responsibilities
A.10 Cryptography – controls related to encryption and key management
A.11 Physical and environmental security – controls defining secure areas, entry controls,
protection against threats, equipment security, secure disposal, clear desk and clear screen
policy, etc.
A.12 Operational security – lots of controls related to management of IT production: change
management, capacity management, malware, backup, logging, monitoring, installation,
vulnerabilities, etc.
A.13 Communications security – controls related to network security, segregation, Network
services, transfer of information, messaging, etc.
14 Domains comprising 35 Control Objectives and 114 Controls
19. Structure of ISO 27001:2013 Controls
19
A.14 System acquisition, development and maintenance – controls defining security requirements
and security in development and support processes
A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the
suppliers
A.16 Information security incident management – controls for reporting events and weaknesses,
defining responsibilities, response procedures, and collection of evidence
A.17 Information security aspects of business continuity management – controls requiring the
planning of business continuity, procedures, verification and reviewing, and IT redundancy
A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual
property protection, personal data protection, and reviews of information security
20. 6/27/2023
Guidelines for using the Risk Register Sheet-13
Risk analysis is an evaluation of the identified risk events to determine the likelihood of the events occurring and their impact,
to assign a risk rating based on the project criteria and to prioritize the risks. For each risk event, the following risk analysis
guidelines can be used:
Probability Vulnerability (Impact)value
The likelihood of occurrence can be
categorized as:
The vulnerability of each risk are attributed to a
characterization value as follows:
Rating Description Score Rating Description Score
Near
certaint
y
Event that has a
greater than 75%
chance of occurring
5
Showstoppe
r
The effect is catastrophic; the
organization may face significant
loss and impact. The project will
fail. 4
Highly
likely
Event that has
between a 51 – 75%
chance of occurring
4
Critical The impact is serious and the
project may be largely affected due
to the risk. There could be huge
delays and the project could be
postponed due to it. 3
Likely Event that has
between a 20 – 50%
chance of occurring 3
Marginal The risks could affect in small
delays in schedule .
2
Unlikely Event that has
between a 10 – 20%
chance of occurring 2
Negligible The impact of these risks on the
project could be minimal.
1
Remote Event that has a 0 –
10% chance of
occurring 1
Risk Value = (probability of event) + ( Vulnerability) +(CIA Value)
Probability (P)
Levels
Vulnerability (V)
Values
CIA Value
(C)
Risk Values (P+I+C)
1 - (R)emote 1 - (N)egligible
1- Low 3 to 5 -
Normal/Trivial
2 - (U)nlikely 2 - (M)arginal
2-
Medium 6 to 7 – Low
3 - (L)ikely 3 - (C)ritical 3- High 8 to 10 – Medium
4 - (H)ighly likely 4 - (S)howstopper 11 to 12 - High
5 - (N)ear
certainty
Risk Level Value definition
3 to 5: No action required
6 to 7: To be reviewed regularly and Organization will accept
risk up to this level
8 to 10: Medium level risk, mitigation to be planned in a period
of six months
11 to 12: High Level risk, Mitigation immediately required
1 2
3
21. 21
6/27/2023
Understanding the Needs and Expectation from Interested Parties
Stake holders Issues
Internal Management
Governance, Resource availability, organization structure, roles
and accountabilities, Policies, objectives, and the strategies
Employees
Fulfillment of commitments, adherence to organization policies,
processes and guidelines and to ensure seamless /
uninterrupted operations. Expectation of employees in terms of
commitment made by the organization need to be fulfilled.
Shareholders
Relationship with, and perceptions and values of, internal
stakeholder’s
Board of Directors
Maintaining commitment to customers, goodwill and repute of
the organization, and maintaining return on investment
committed on the business, in totality
Corporate
requirements Standards, guidelines and models adopted by the organization
Users / Other
departments
Information technology related requirements to the
organization such as access right, IT infra availability to internal
users and other departments.
HR
Resource availability, resource competence, training,
background verification etc.,
Finance Approval of financial commitments
Legal
Vetting of Legal contracts and protecting the organization from
non-compliance of legal, regulatory and contractual
requirements
External Customers Service delivery
Vendors
Supply of goods and services to enable the organization to
meet the requirement of the customer
Users / Public
Information technology related requirements to the
organization such as access right, IT infra availability to
internal users and other departments.
Government
Submission of desired reports and statements and approvals
to carry out the business. Fulfilling the legal, and regulatory
requirement.
Society and
environment
Natural and competitive environment, Key drives and trends
having impact on the objectives of the organization, Political,
financial status of the country.
22. 22
6/27/2023
Communication
What to
communicate
When to communicate
With whom
to
communicate
Who shall
communicate
Processes by which
communication
shall be effected.
Technical matters
To seek clarification,
communicate execution
and discussing options
of delivery
Customer
Delivery
Manager /
Technical Lead
Email / Hard
copy/Phone
Non-Technical
Business
Development
when communicating
upgrades / updates and
offers of NST
Customer Account Manager
Email / Hard
copy/Phone
Financial
Information such as
Invoices, Payment
reminder, Proposal,
upgrade offer etc.
As and when the event
takes place
Customer
Accounts
Manager
Email / Hard
copy/Phone
Technical matters
To get the action
initiated on completion
of delivery
Accounts
Manager /
Business
Head
Delivery
Manager /
Technical Lead
Email / Hard
copy/Phone
Performance report Monthly / quarterly
Business
Head
Account Manager
and Delivery
Manager
PPT / Word /
Excel -
Email/Phone
Technical Matters
As and when the event
takes place
Project
Manager
Developer/Tester
PPT / Word /
Excel -
Email/Phone
Communications provide the
statement to the Organization of the
Information Security of the business
that highlighting the importance of
information s protection.
Users shall be made aware about
the risk of Information Security while
exchanging information through
Voice, Email, Fax, and Video
Communication facility
23. Statement of Applicability
Document describing the control objectives and controls that are
relevant and applicable to the organization’s ISMS, based on the
results of risk assessment and risk treatment processes.
6/27/2023 23
24. Exercise
Given below are various risks that may faced by an organization. Go
through the list of clauses and map them against each risk.
6/27/2023 24
Threat / Concern Threat impact
Impact
Rating
Probability of
Happening
Probability
Rating
Unauthorised
Access
It will/may change the
functionality of s/w High
Can happen
Occasionaly Medium
Loss of Source
code
Sytem breakdown /
Competitive access High Occasionally Medium
Maintenance
support'
Lack of customer
satisfaction, High Frequently High
Training and
awareness
Wrong / errorneous
operation Meium frequently High
25. Generic Changes from ISO 27001:2005 standard
• Puts more emphasis on measuring and evaluating how well an organization's ISMS is
performing
• New section on Outsourcing
• Does not emphasize the Plan-Do-Check-Act cycle.
• More attention is paid to the organizational context of information security.
• Risk assessment has changed.
• Management commitment requirements have a focus on “leadership”
• Preventive action has been replaced with “actions to address, risks and opportunities”
• SOA requirements are similar, with more clarity on the need to determine controls by
the risk treatment process
• Controls in Annex A have been modified to reflect changing threats, remove
duplication and have a more logical grouping.
• Stress on maintaining documented information, rather than information record
• Greater emphasis is on setting objectives, monitoring performance and metric
25
26. Risk assessment and risk treatment
• Risk management is the activities to make clear what kind of information security risks may occur,
determine the risk treatment and manage the risks.
• The activities to make the risks clear are referred to as "risk assessment".
• Identify the risk owners
• The actions taken for the risks, which are made clear, are referred to as "risk treatment".
• Avoiding: Withdrawal of business, etc.
• Taking or increasing risk in order to pursue an opportunity: Additional investment, etc.
• Changing the likelihood of risks: Performing preventive measures, etc.
• Removing the risk sources: Performing preventive measures, etc.
• Changing the consequences of risks: Preparing the actions taken for the possible situations, etc.
• Sharing the risks with another parties: Insuring the risks, etc.
• Retaining the risk as they are: Accepting the risks upon recognition
• This is the same as the "management judgment" conventionally conducted by Management.
27. New controls
14.2.1 Secure development policy – rules for development of software and
information systems
14.2.5 Secure system engineering principles – principles for system engineering
14.2.6 Secure development environment – establishing and protecting development
environment
14.2.8 System security testing – tests of security functionality
16.1.4 Assessment of and decision on information security events – this is part of
incident management
17.2.1 Availability of information processing facilities – achieving redundancy
27
28. 28
Conceptual changes
New/Updated Concepts Explanation
Context of the organization The environment in which the organization operates
Issues, risks and opportunities Replaces preventive action
Interested parties Replaces stakeholders
Leadership Requirements specific to top management
Communication There are explicit requirements for both internal and external communications
Information security objectives Information security objectives are now to be set at relevant functions and
levels
Risk assessment Identification of assets, threats and vulnerabilities is no longer a prerequisite
for the identification of information security risks.(6.1.2 d) – Now emphasis is
on impact and Probability
Risk owner Replaces asset owner
Risk treatment plan The effectiveness of the risk treatment plan is now regarded as being more
important than the effectiveness of controls
Controls Now determined during the process of risk treatment.
Documented information Replaces documents and records
Performance evaluation Covers the measurement of ISMS and risk treatment plan effectiveness
Continual improvement Methodologies other than Plan-Do-Check-Act (PDCA) may be used
29. List of controls removed from ISO 27001:2005
64
A.06.01.1 Management commitment to information
security A.11.04.6 Network Connection control
A.06.01.2 Information security coordination A.11.04.7 Network routing control
A.06.01.4 Authorization process for information
processing facilities A.11.05.2 User identification and authentication
A.06.02.1 Identification of risks related to external
parties A.11.05.5 Session time-out
A.06.02.2 Addressing security when dealing with
customers A.11.05.6 Limitation of connection time
A.10.02.1 Service delivery A.11.06.2 Sensitive system isolation
A.10.04.2: Controls against Mobile code A.12.02.1: Input data validation
A.10.07.4 Security of system documentation A.12.02.2 Control of internal processing
A.10.08.5 Business Information Systems A.12.02.3 Message integrity
A.10.09.3 Publicly available information A.12.02.4 Output data validation
A.10.10.2 Monitoring system use A.12.05.4 Information leakage
A.10.10.4 Administrator and operator logs
A.14.01.1 Including information security in the business
continuity management process
A.10.10.5 Fault logging
A.14.01.3 Developing and implementing continuity
plans including formation security.
A.11.04.2 User authentication for external
connections A.14.01.4 Business continuity planning framework
A.11.04.3 Equipment identification in networks
A.15.01.5 Prevention of misuse of information
processing facilities
A.11.04.4 Remote Diagnostic and configuration port
protection A.15.03.2 Protection of information systems audit tools