How Does the New ISO 27001 Impact Your IT Risk Management Processes?

There is a new ISO 27001 coming out later this year. It sets new requirements to your information security management systems (ISMS). This slide deck presents how the updated standard impacts your IT Risk Management processes. The slide deck is also presented in this webinar: http://www.neupart.com/events/webcasts

  1. How Does the new ISO 27001 Impact Your IT Risk Management Processes? Presented by Lars Neupart, Founder, CEO of Neupart – The ERP of Security. LN@neupart.com, twitter @neupart
  2. The ISO 2700x standards
     • ISO 27000: Overview and vocabulary
     • ISO 27001: Information Security Management Systems – Requirements
     • ISO 27002: Code of practice for information security management
     • ISO 27003: ISMS Implementation Guidelines
     • ISO 27004: Information Security Management - Measurement
     • ISO 27005: Information Security Risk Management
     • ISO 27006: Requirements for bodies providing audit and certification
  3. New drafts available (for the ISO 2700x standards listed on the previous slide)
  4. Information Security Management Systems – Requirements: ISO 27001 – the 2013 edition. ISO/IEC DIS 27001 = draft, i.e. changes are likely to happen. The aim of today's webinar is to give you a head start preparing for the new standard so you can have a smoother transition.
  5. What's new?
     • A lot!
     • New content
     • New requirements numbering
     • Still short: 9 pages of requirements to an ISMS
     • Controls are still listed in Annex A, referring to ISO 27002 (the new edition)
     • Maintaining a fair portion of backwards compatibility
  6. Poll: How do you use ISO 27001 today?
     • We are certified
     • We plan to certify
     • We plan to comply; no certification
     • Best practice inspiration
     • Don't know
  7. Still risk oriented:
     • The first requirement in the new ISO 27001 refers to an Enterprise Risk Management standard: ISO 31000
  8. ISO 31000 Enterprise Risk Management: Plan - Do - Check - Act
  9. Enterprise Risk Management (ISO 31000); Information Security Risk Management (ISO 27005); ISMS Requirements (ISO 27001)
  10. ISO 27005 recap
  11. IT Risk Management - Explained (diagram). Labels: Risk; Incident Likelihood; Incident Consequence; Threat Frequency; Threat Effect; Threats; Preventive Measures; Corrective Measures
  12. IT Risk Management - Explained (diagram, continued with Risk Prioritization)
     • Reduce Likelihood / Proactive Security: IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus
     • Reduce Consequence / Reactive Security: IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Emergency Operations, Flexibility, Standby Equipment, Virtualization, Backup
  13. Vulnerability & control environment assessment (diagram). Measures are grouped as Administrative vs. Physical / Technical and as Preventive vs. Corrective. Labels: Firewall, Antivirus, Server Cluster, RAID, Backup, Standby Equipment, Virtualization, Security Policy, System Documentation, Awareness, Compliance Checks, Alarm System, Fire Suppression, Logging, Change Management, IT Service Continuity Plan, Disaster Recovery Procedures, Business Continuity Strategy, Redundancy, Access Control System, Standby Site, Server snapshots, Monitoring. Assessments are based on the Capability Maturity Model.
  14. Assets: Dependency Hierarchy. Business Impact values are inherited downwards; Vulnerability values are inherited upwards. Diagram nodes: Finance (Business Process); Dynamics AOS (Business system); Finance DB (Database); ERP (IT Service); Server 01 (Virtual Server); Server 02 (Virtual Server); HP DL380 (Hardware unit), two instances; SAN 01 (Data Storage); Data Center Oslo (Datacenter)
  15. Comparing ISO 27005 and NIST SP800-30
     ISO 27005                              NIST SP800-30
     Context establishment                  -
     Identification of assets               System Characterization
     Identification of threats              Threat Identification
     Identification of existing controls    Vulnerability Identification
     Identification of vulnerabilities      Control Analysis
     Identification of consequences         -
     Assessment of consequences             Likelihood Determination
     Assessment of incident likelihood      Impact Analysis
     Risk estimation                        Risk Determination
     Risk evaluation                        -
     Risk treatment                         Control Recommendations
     Risk acceptance                        -
     Risk communication                     Results Documentation
  16. Examples of how the 27001 update will impact your risk management processes
  17. 27001: Not only downside risks
     • 6.1 Actions to address risks and opportunities
     • Quote ISO 31000: “Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is ‘risk’.”
  18. Risk Owner
     • The Risk Owner approves the risk treatment plan and accepts residual risks
     • Note: Asset ownership is formally no longer an ISO 27001 requirement, but it is still in the Annex A control list. Practically it is the same requirement, as you can't expect it not to be in your Statement of Applicability
  19. Increased flexibility in your choice of risk method. The organization shall define an information security risk assessment process that:
     1. establishes and maintains information security risk criteria, including the risk acceptance criteria;
     2. determines the criteria for performing information security risk assessments; and
     3. ensures that repeated information security risk assessments produce consistent, valid and comparable results.
     (section 6.1)
  20. Time to vote
     • What IT risk assessment method or framework do you use today?
       – ISO 27005
       – NIST SP 800 series
       – IRAM
       – OCTAVE
       – Some other threat based approach
       – Some other control based approach
       – Don't know
  21. The organization shall apply an information security risk treatment process
  22. Treating Risks: Accept, Reduce, Share, Avoid. These are the treatment options according to ISO 27001:2005 and ISO 27005. ISO 27001:2013 does not require these specific treatment options, but you are free to choose them.
  23. SoA linked even closer to Risk Treatment (SoA = Statement of Applicability)
     • Select treatment options
     • Determine controls
     • Check controls against Annex A; verify that no necessary controls are omitted
     • Make the SoA and justify exclusions AND inclusions (new)
     • Clearly worded that you must determine all necessary controls
  24. Review of Neupart's well known 4 responsible short-cuts – do they still apply?
     1. Not all assets: Assess your most important assets first (you can add more later)
     2. Not all threats: Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
     3. Inheritance: Business impact values inherit downwards; vulnerability scores inherit upwards; asset dependencies / hierarchy
     4. Fewer assessments: Make an overall assessment first, refine later. Example: assess threats combined first, individually later
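The inheritance rules from slides 14 and 24, as an added Python example that is not part of the deck or of Neupart's product: business impact propagates down the dependency hierarchy, vulnerability propagates up, and the two are combined into a risk ranking. The asset names follow slide 14; the HR branch, the numeric values, and the use of max and of impact × vulnerability as aggregation rules are assumptions made for this illustration.

```python
# Constructed sample hierarchy: asset names from slide 14 plus an added "HR"
# branch (assumption). Edges point downwards: asset -> dependencies (acyclic).
DEPENDS_ON = {
    "Finance Business Process": ["Dynamics AOS Business System"],
    "Dynamics AOS Business System": ["Finance DB Database"],
    "Finance DB Database": ["Server 01 Virtual Server"],
    "HR Business Process": ["HR Portal IT Service"],
    "HR Portal IT Service": ["Server 02 Virtual Server"],
    "Server 01 Virtual Server": ["HP DL380 Hardware Unit A", "SAN 01 Data Storage"],
    "Server 02 Virtual Server": ["HP DL380 Hardware Unit B", "SAN 01 Data Storage"],
    "HP DL380 Hardware Unit A": ["Data Center Oslo"],
    "HP DL380 Hardware Unit B": ["Data Center Oslo"],
    "SAN 01 Data Storage": ["Data Center Oslo"],
    "Data Center Oslo": [],
}
# Values assessed directly on an asset (1-5 scale, constructed): business
# impact at the top (processes), vulnerability at the bottom (infrastructure).
OWN_IMPACT = {"Finance Business Process": 5, "HR Business Process": 2}
OWN_VULNERABILITY = {"Data Center Oslo": 2, "SAN 01 Data Storage": 4,
                     "Server 02 Virtual Server": 3}

def dependents_of(graph):
    """Invert the graph so edges point upwards: asset -> assets relying on it."""
    up = {a: [] for a in graph}
    for asset, deps in graph.items():
        for d in deps:
            up[d].append(asset)
    return up

def inherited_impact(asset, graph=DEPENDS_ON, own=OWN_IMPACT):
    """Business impact inherits downwards: an asset is as critical as the most
    critical asset depending on it (max as aggregation rule is an assumption)."""
    up = dependents_of(graph)
    def walk(a):
        return max([own.get(a, 0)] + [walk(p) for p in up[a]])
    return walk(asset)

def inherited_vulnerability(asset, graph=DEPENDS_ON, own=OWN_VULNERABILITY):
    """Vulnerability inherits upwards: an asset is as weak as the weakest
    asset it depends on (again max as the aggregation rule, an assumption)."""
    def walk(a):
        return max([own.get(a, 0)] + [walk(d) for d in graph[a]])
    return walk(asset)

def risk_table(graph=DEPENDS_ON):
    """Risk prioritization (slide 12): impact x vulnerability per asset, highest
    first. The product is a simple scoring choice, not a formula from the deck."""
    rows = [(a, inherited_impact(a, graph), inherited_vulnerability(a, graph)) for a in graph]
    return sorted(((a, i, v, i * v) for a, i, v in rows), key=lambda r: (-r[3], r[0]))
```

Note how the shared SAN inherits the Finance process's impact even though the HR branch also uses it, and how every asset above the SAN inherits its vulnerability score.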
  25. Oh, what happened to PDCA? Plan - Do - Check - Act is still there, now called continual improvement
  26. Risk Management
     • Risk Owner
     • (Assets)
     • Threats
     • Business Impact Assessment
     • Vulnerability Assessment
     • Reporting & evaluating
     • Treating (Accept, Reduce, Share, Avoid)
  27. Time to vote
     • Will the new ISO improve your risk management processes?
       – Yes – the update is easy to understand and makes sense
       – Not much – nothing really new here
       – I'm concerned about the introduced flexibility
       – Don't know
  28. About Neupart
     • ISO 27001 certified company
     • Provides SecureAware®, an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management
     • “The ERP of Security”
     • HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies
     IT GRC = IT Governance, Risk & Compliance Management
  29. SecureAware Risk TNG Benefits
     • Less specialist knowledge needed to conduct professional risk management
     • Know your IT related business risks
     • Fast results
     • Saves time for you and your organization
     • ISO 27005 based methodology – and fully compatible with NIST SP800-30
     • Cloud or on-premise software
  30. Try the ISO 27001 compliant IT GRC solution at www.neupart.com. Presented by Lars Neupart, Founder, CEO of Neupart – The ERP of Security. LN@neupart.com, twitter @neupart