ISO/IEC 27001:2013 Awareness Training
By – Mukesh Pant
FIA Technology Services Pvt. Ltd.
Agenda
• What is Information?
• What is Information Security?
• What is RISK?
• An Introduction to ISO 27001:2013
• ISMS @ Organization
• User Responsibilities
What is Information
Information is an asset that, like other important business assets, has value to an organization and consequently needs to
be suitably protected.
ISO 27000:2018
Information Lifecycle
Information Types
Information can be in many forms, including:
• Digital form (e.g. data files stored on electronic or optical media)
• Material form (e.g. on paper)
• Unrepresented information in the form of knowledge of the employees
• Shown on corporate videos
• Displayed / published on the web
• Verbal – spoken in conversations
‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’
(ISO 27000:2018)
Information Security
What is Information Security?
• Safeguarding an organization’s information and information processing facilities from unauthorized access or modification to ensure their Confidentiality, Integrity and Availability.
(ISO 27000:2018)
INFORMATION ATTRIBUTES
ISO 27000:2018 defines Information Security as the preservation of C, I and A:
Confidentiality – Property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Integrity – Property of accuracy and completeness
Availability – Property of being accessible and usable on demand by an authorized entity
Information Security Benefits
• Helps Retain Customers and Win New Business
• Improves Information Security Processes and Strategies
• Ensures Implementation of Best Practices
• Promotes Compliance with Commercial, Contractual and Legal Requirements
• Continuously Monitors and Prevents Risk
• Prepares your Organization for Long-term Success
BUSINESS SURVIVAL DEPENDS ON INFORMATION SECURITY
INFOSEC COMPONENTS
PEOPLE – Organization’s Staff
PROCESS – Business Processes
TECHNOLOGY – Technology Used by the Organization
PEOPLE (Who we are)
People who use or interact with the Information include:
• Shareholders / Owners
• Management
• Employees
• Business Partners
• Service providers
• Contractors
• Customers / Clients
• Regulators etc.
PROCESS (What we do)
The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT infrastructure include:
• Helpdesk / Service management
• Incident Reporting and Management
• Change Request process
• Request fulfilment
• Access management
• Identity management
• Service Level / Third-party Services Management
• IT procurement process etc.
TECHNOLOGY (“what we use to improve”)
Network Infrastructure:
• Cabling, Data/Voice Networks and equipment
• Telecommunications services (PABX), ISDN, Video Conferencing
• Server computers and associated storage devices
• Operating software for servers, Desktops & Laptops
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services
• Wireless connectivity
Environmental Management Systems:
• Ventilation, Air Conditioning, Fire Control systems
• Electricity / Power backup
Application software:
• HROne & Bill Pay portals
Physical Security components:
• CCTV Cameras
• Clock-in systems / Biometrics
Access Devices:
• Desktop computers
• Laptops
• Thin client computing
• Digital cameras, Printers, Scanners, Photocopiers etc.
RISK, THREATS & VULNERABILITY
RISK – Effect of uncertainty on objectives
THREAT – Potential cause of an unwanted incident, which can result in harm to a system or organization
VULNERABILITY – Weakness of an asset or control that can be exploited by one or more threats
RISK
Risk is defined as the potential for loss or damage when a threat exploits a vulnerability. Examples of risk include:
• Financial losses
• Loss of privacy
• Damage to your reputation
• Legal implications
• Even loss of life
THREATS
A threat refers to a new or newly discovered incident that has the potential to harm a system or your company overall. There are three main types of threats:
• Natural threats
• Unintentional threats
• Intentional threats
VULNERABILITY
A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to succeed. Examples include:
• Network vulnerabilities
• Lack of security cameras
• Unlocked doors at businesses
• Lack of user awareness
RELATIONSHIP BETWEEN RISK, THREATS, AND VULNERABILITIES
Security Breaches Lead To
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal action (Cyber Law)
• Loss of customer confidence
• Business interruption costs
LOSS OF GOODWILL
RISK & THREATS
SO HOW DO WE
OVERCOME THESE
PROBLEMS?
“WHEN THINGS DON'T WORK AS THEY SHOULD,
IT OFTEN MEANS THAT STANDARDS ARE ABSENT”
WHAT IS ISO?
ISO is an independent, non-governmental international organization with a membership of 167 national standards bodies.
It is important to note that the full name of ISO 27001 is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements.”
It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.
ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series.
ISO FRAMEWORK AND THE PURPOSE OF ISO 27001
The ISO framework is a combination of policies and processes for organizations to use. ISO 27001 provides a framework to help organizations of any size or industry protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
WHY IS ISO 27001 IMPORTANT?
Not only does the standard provide companies with the necessary know-how for protecting their most
valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to
its customers and partners that it safeguards their data.
Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this
way, prove their skills to potential employers.
Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing
business opportunities for organizations and professionals.
WHAT IS AN ISMS?
An Information Security Management System (ISMS) is a set of rules that a company needs to establish
in order to:
1. identify stakeholders and their expectations of the company in terms of information security.
2. identify which risks exist for the information.
3. define controls (safeguards) and other mitigation methods to meet the identified expectations
and handle risks.
4. set clear objectives on what needs to be achieved with information security.
5. implement all the controls and other risk treatment methods.
6. continuously measure if the implemented controls perform as expected.
7. make continuous improvement to make the whole ISMS work better.
This set of rules can be written down in the form of policies, procedures, and other types of documents,
or it can be in the form of established processes and technologies that are not documented. ISO 27001
defines which documents are required, i.e., which must exist at a minimum.
INTRODUCTION TO ISO 27001 (History)
ISMS – REQUIREMENTS (Clause 4 – Clause 10)
ISMS – ANNEX (Control Clauses A5 – A18)
USER RESPONSIBILITY
WHO IS AT THE CENTRE OF SEC-U-R-ITY?
USER RESPONSIBILITIES – (Access Control – Physical)
Do:
• Follow Information Security Policies and Procedures.
• Wear Identity Cards and Badges.
• Ask an unauthorized visitor for his credentials.
• Attend to visitors in the Reception and Conference Room only.
Don’t:
• Bring visitors into the operations area without prior permission.
• Bring hazardous or combustible material into a secure area.
• Practice “Piggybacking” (following someone else through a controlled door).
• Bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so.
USER RESPONSIBILITIES – (Password Guideline)
Do:
• Always use a password of at least 8 characters with a combination of letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can easily remember
• Change your password regularly as per policy
• Use a password that is significantly different from earlier passwords
• Try to use a passphrase in place of a password
Don’t:
• Use passwords which reveal your personal information or words found in a dictionary
• Write down or store passwords
• Share passwords over phone or e-mail
• Use passwords which do not match the above complexity criteria
How Secure Is My Password? | Password Strength Checker (security.org)
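As an added illustration (not part of the training deck), a small Python checker that applies the password rules above: the 8-character minimum, the listed special characters, the dictionary-word and personal-information bans, and the "significantly different from earlier passwords" rule. The word list, the profile tokens and the 0.6 similarity threshold are assumptions; the deck gives no such values.

```python
import re
from difflib import SequenceMatcher

# Values taken from the guideline: minimum length and the listed special characters.
MIN_LENGTH = 8
SPECIAL_CHARS = "*%@#$^"

# Assumed, constructed stand-in for a real dictionary word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "monsoon", "company"}

# The guideline gives no number for "significantly different"; 0.6 on difflib's
# 0..1 similarity ratio is an assumption chosen so that Summer@2023 -> Summer@2024 fails.
MAX_SIMILARITY_TO_OLD = 0.6


def check_password(candidate, previous_passwords=(), personal_info=()):
    """Return the list of guideline violations for `candidate` (empty list = accepted).

    previous_passwords: earlier passwords, available only at change time.
    personal_info: profile tokens (name, employer, birth year) that must not appear.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not any(ch in SPECIAL_CHARS for ch in candidate):
        problems.append("no special character from " + SPECIAL_CHARS)

    lowered = candidate.lower()
    # "Words found in dictionary": a listed word anywhere inside the password is enough,
    # so Welcome@2024 is caught even though it satisfies the character-class rules.
    hits = sorted(w for w in DICTIONARY_WORDS if w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))

    # "Reveals your personal information": case-insensitive match against profile tokens.
    leaked = sorted(tok for tok in personal_info if len(tok) >= 3 and tok.lower() in lowered)
    if leaked:
        problems.append("contains personal information: " + ", ".join(leaked))

    # "Significantly different from earlier passwords": a one-character bump fails here.
    for old in previous_passwords:
        ratio = SequenceMatcher(None, old.lower(), lowered).ratio()
        if ratio > MAX_SIMILARITY_TO_OLD:
            problems.append("too similar to an earlier password (similarity %.2f)" % ratio)
            break
    return problems


def is_acceptable(candidate, previous_passwords=(), personal_info=()):
    """True when the candidate violates none of the guideline's rules."""
    return not check_password(candidate, previous_passwords, personal_info)


if __name__ == "__main__":
    # Constructed sample profile and history, not real data.
    profile = ("Mukesh", "FIA", "1990")
    history = ("Summer@2023",)
    for pw in ("Summer@2024", "Welcome@2024", "Mukesh#1990x", "ab1*", "Tr4in-the-c@t-daily"):
        verdict = check_password(pw, history, profile)
        print("%-22s %s" % (pw, "OK" if not verdict else "; ".join(verdict)))
```

The last sample is a passphrase-style password, which the guideline recommends; it passes every check while the shorter, rule-satisfying ones fail on dictionary words, personal data or similarity to the previous password.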
USER RESPONSIBILITIES – (Internet Usage)
• Use internet services for business purposes only.
• Do not access the internet through dial-up connectivity.
• Do not use the internet for viewing, storing or transmitting obscene or pornographic material.
• Do not use the internet for accessing auction sites.
• Do not use the internet for hacking other computer systems.
• Do not use the internet to download / upload commercial software / copyrighted material.
The IT Department continuously monitors Internet usage. Any illegal use of the internet and other assets shall call for Disciplinary Action.
USER RESPONSIBILITIES – (E-mail Usage)
• Do not use your official ID for any personal subscription purpose
• Do not send unsolicited mails of any type, such as chain letters or e-mail hoaxes
• Do not send mails to clients unless you are authorized to do so
• Do not post non-business-related information to a large number of users
• Do not open a mail or attachment which is suspected to carry a virus or is received from an unidentified sender
• Use official mail for business purposes only
• Follow the mail storage guidelines to avoid blocking of e-mails
• If you come across any junk / spam mail, do the following:
  o Remove the mail.
  o Inform the security help desk / IT Administrator
  o Inform the same to the server administrator
  o Inform the sender that such mails are undesired
User Responsibilities – (Security Incidents)
Report Security Incidents to the (IT) Helpdesk through:
E-mail to rajkaran.rana@fiaglobal.com
Telephone : e.g.: 9654676543
IT Incidents: Mail Spamming, Virus attack, Hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized media
• Do not discuss security incidents with anyone outside the organization.
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.
User Responsibilities
• Ensure your system (Laptop/Desktop) has the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops / media in a lockable place
• Be alert while working on laptops during travel
• Ensure sensitive business information is under lock and key when unattended
• Ensure back-up of sensitive and critical information assets
• Understand compliance issues such as:
  o Cyber Law / IPR, Copyrights / IT Act 2000 etc. / Contractual obligations with customers
• Verify credentials if a message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx

More Related Content

What's hot

Iso27001 The Road To Certification
Iso27001   The Road To CertificationIso27001   The Road To Certification
Iso27001 The Road To Certification
tschraider
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
Uppala Anand
 

What's hot (20)

ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
 
Iso iec 27032 foundation - cybersecurity training course
Iso iec 27032 foundation - cybersecurity training courseIso iec 27032 foundation - cybersecurity training course
Iso iec 27032 foundation - cybersecurity training course
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
 
Iso 27001 2013
Iso 27001 2013Iso 27001 2013
Iso 27001 2013
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
 
Iso27001 The Road To Certification
Iso27001   The Road To CertificationIso27001   The Road To Certification
Iso27001 The Road To Certification
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
 

Similar to ISMS User_Awareness Training.pptx

5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet
Ana Meskovska
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
SAROJ BEHERA
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
Elyes ELEBRI
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
Napoleon NV
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
samsontamwaiho
 

Similar to ISMS User_Awareness Training.pptx (20)

Information security
Information securityInformation security
Information security
 
Security solutions for a smarter planet
Security solutions for a smarter planetSecurity solutions for a smarter planet
Security solutions for a smarter planet
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
ISO 27001 Certification in libya.pdf
ISO 27001 Certification in libya.pdfISO 27001 Certification in libya.pdf
ISO 27001 Certification in libya.pdf
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
 
ISO 27001 Certification in Libya
ISO 27001 Certification in Libya ISO 27001 Certification in Libya
ISO 27001 Certification in Libya
 
Data Security - English
Data Security - EnglishData Security - English
Data Security - English
 
ISO 27001 Information Security Management.pdf
ISO 27001 Information Security Management.pdfISO 27001 Information Security Management.pdf
ISO 27001 Information Security Management.pdf
 
Is iso 27001-an-answer-to-security
Is iso 27001-an-answer-to-securityIs iso 27001-an-answer-to-security
Is iso 27001-an-answer-to-security
 
Is iso 27001, an answer to security
Is iso 27001, an answer to securityIs iso 27001, an answer to security
Is iso 27001, an answer to security
 
5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet5 Standards And Recommendations For Information Security On Internet
5 Standards And Recommendations For Information Security On Internet
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptx
 
Iso 27001 certification body in singapore
Iso 27001 certification body in singaporeIso 27001 certification body in singapore
Iso 27001 certification body in singapore
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

ISMS User_Awareness Training.pptx

  • 1. By – MukeshPant FIA TechnologyServicesPvt.Ltd. ISO/IEC 27001:2013 Awareness Training MukeshPant FIA TechnologyServicesPvt.Ltd.
  • 2.
  • 3. Agenda  What is Information?  What is Information Security?  What is RISK?  An Introduction to ISO 27001:2013  ISMS @ Organization  User Responsibilities
  • 4. What is Information Information is an asset that, like other important business assets, has value to an organization and consequently needs to be suitably protected. ISO 27000:2018
  • 6. Information Types Information can be in many forms, including:  Digital form (e.g. data files stored on electronic or optical media),  Material form (e.g. on paper)  Unrepresented information in the form of knowledge of the employees.  Shown on corporate videos  Displayed / published on web  Verbal – spoken in conversations ‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO 27000:2018)
  • 7. InformationSecurity What is Information Security?  Safeguarding an organization’s information and Information processing facilities from unauthorized access or modification to ensure its, Confidentiality, Integrity and Availability. (ISO 27000:2018)
  • 8. Property of being accessible and usable on demand by an authorized entity Property of accuracy and completeness ISO27000:2018defines InformationSecurityas the preservationof: C I A Confidentiality Integrity Availability Property that information is not made available or disclosed to unauthorized individuals, entities, or processes INFORMATIONATTRIBUTES
  • 9. InformationSecurity Benefits  Helps Retain Customers and Win New Business  Improves Information Security Processes and Strategies  Ensures Implementation of Best Practices  Promotes Compliance with Commercial, Contractual and Legal requirements  Continuously Monitor and Prevent Risk  Prepares your Organization for Long-term Success BUSINESS SURVIVAL DEPENDSON INFORMATIONSECURITY
  • 10. INFOSEC COMPONENTS Organization’s Staff PEOPLE TECHNOLOGY Technology Used by Organization Business Processes PROCESS
  • 11. People who use or interact with the Information include:  Share Holders / Owners  Management  Employees  Business Partners  Service providers  Contractors  Customers / Clients  Regulators etc… Diagram PEOPLE (Who we are) PEOPLE STACK HOLDERS PEOPLE PROCESS TECHNOLOGY03
  • 12. Diagram PROCESS The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical process in our IT Infrastructure could include:  Helpdesk / Service management  Incident Reporting and Management  Change Requests process  Request fulfillment  Access management  Identity management  Service Level / Third-party Services Management  IT procurement process etc... PROCESS (What we do) PEOPLE PROCESS TECHNOLOGY03
  • 13. TECHNOLOGY Network Infrastructure:  Cabling, Data/Voice Networks and equipment  Telecommunications services (PABX), ISDN , Video Conferencing  Server computers and associated storage devices  Operating Software for server, Desktops & Laptops  Communications equipment and related hardware.  Intranet and Internet connections  VPNs and Virtual environments  Remote access services  Wireless connectivity Environmental management Systems:  Ventilation , Air Conditioning, Fire Control systems  Electricity / Power backup TECHNOLOGY (“what we use to improve”) PEOPLE PROCESS TECHNOLOGY
  • 14. Application software:  HROne & Bill Pay portals Physical Security components:  CCTV Cameras  Clock in systems / Biometrics Access Devices:  Desktop computers  Laptops  Thin client computing.  Digital cameras, Printers, Scanners, Photocopier etc. TECHNOLOGY (“what we use to improve”) PEOPLE PROCESS TECHNOLOGY TECHNOLOGY
  • 15. 15 Effect of uncertainty on objectives RISK Potential cause of an unwanted incident, which can result in harm to a system or organization Weakness of an asset or control that can be exploited by one or more threats THREATS VULNERABILITY RISK, THREATS & VULNERABILITY
  • 16. 16 B OPTIONS RISK Risk is defined as the potential for loss or damage when a threat exploits a vulnerability. Examples of risk include:  Financial losses  Loss of privacy  Damage to your reputation  Legal implications  Even loss of life THREATS VULNERABILITY RISK, THREATS & VULNERABILITY
  • 17. 17 RISK THREATS VULNERABILITY A threat refers to a new or newly discovered incident that has the potential to harm a system or your company overall. There are three main types of threats:  Natural threats  Unintentional threats  Intentional threats RISK, THREATS & VULNERABILITY
  • 18. 18 B OPTIONS C OPTIONS RISK THREATS VULNERABILITY A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to succeed.  Network Vulnerabilities  Lack of security cameras  Unlocked doors at businesses  Lack of user awareness RISK, THREATS & VULNERABILITY
  • 19. RELATIONSHIP BETWEEN RISK, THREATS, AND VULNERABILITIES
  • 20. Security Breaches Leads To  Reputation loss  Financial loss  Intellectual property loss  Legislative Breaches leading to legal actions (Cyber Law)  Loss of customer confidence  Business interruption costs L O S S O F G O O D W I L L
  • 21. RISK & THREATS SO HOW DO WE OVERCOME THESE PROBLEMS?
  • 22. “WHEN THINGS DON'T WORK AS THEY SHOULD, IT OFTEN MEANS THAT STANDARDS ARE ABSENT”
  • 23. WHAT IS ISO SO HOW DO WE OVERCOME THESE PROBLEMS? ISO is an independent, non-governmental international organization with a membership of 167 national standards bodies. It is important to note that the full name of ISO 27001 is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements.” It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards. ISO-27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series.
  • 24. ISO FRAMEWORK AND THE PURPOSE OF ISO 27001 The ISO framework is a combination of policies and processes for organizations to use. ISO 27001 provides a framework to help organizations of any size or industry protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
  • 25. WHY IS ISO 27001 IMPORTANT? Not only does the standard provide companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data. Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers. Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.
  • 26. WHAT IS AN ISMS? An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:
    1. identify stakeholders and their expectations of the company in terms of information security;
    2. identify which risks exist for the information;
    3. define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks;
    4. set clear objectives on what needs to be achieved with information security;
    5. implement all the controls and other risk treatment methods;
    6. continuously measure whether the implemented controls perform as expected;
    7. make continuous improvements so that the whole ISMS works better.
    This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can take the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.
  • 27. INTRODUCTION TO ISO 27001 (History)
  • 28. ISMS – REQUIREMENTS (Clause #4 – Clause #10)
  • 29. ISMS – ANNEX (Control Clauses A5 – A18)
  • 30. USER RESPONSIBILITY – WHO IS AT THE CENTRE OF SECURITY? U-R
  • 31. USER RESPONSIBILITIES – (Access Control – Physical)
    Do:
    - Follow Information Security Policies and Procedures.
    - Wear Identity Cards and Badges.
    - Ask unauthorized visitors for their credentials.
    - Attend to visitors in the Reception and Conference Room only.
    Don't:
    - Bring visitors into the operations area without prior permission.
    - Bring hazardous or combustible material into a secure area.
    - Practice “piggybacking” (following someone through a controlled door without badging in).
    - Bring and use pen drives, zip drives, iPods or other storage devices unless authorized to do so.
  • 32. USER RESPONSIBILITIES – (Password Guideline)
    Do:
    - Always use a password of at least 8 characters combining letters, numbers and special characters (*, %, @, #, $, ^).
    - Use passwords that you can easily remember.
    - Change your password regularly as per policy.
    - Use a password that is significantly different from earlier passwords.
    - Try to use a passphrase in place of a password.
    Don't:
    - Use passwords that reveal your personal information or contain words found in a dictionary.
    - Write down or store passwords.
    - Share passwords over phone or e-mail.
    - Use passwords that do not meet the above complexity criteria.
    Reference: How Secure Is My Password? | Password Strength Checker (security.org)
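As an added example (not from the slides), a small Python checker that encodes the password criteria above so an IT team can test candidate passwords against the policy; the special-character set is the one the slide lists, while the dictionary word list, the personal-information list and the 60% similarity threshold for "significantly different" are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8
SPECIALS = set("*%@#$^")          # the special characters named on the slide
MAX_SIMILARITY = 0.6              # assumed cut-off for "too similar to an old password"
# Constructed stand-in for a real dictionary; a deployment would load a full word list.
DICTIONARY_WORDS = ("password", "welcome", "summer", "company")


def similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1] between two strings."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(candidate, previous=(), personal=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    previous: earlier passwords of the same user (the "significantly different" rule).
    personal: strings such as a name or birth year that must not appear in the password.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character from * % @ # $ ^")
    lowered = candidate.lower()
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append("contains dictionary word '%s'" % word)
    for item in personal:
        if item.lower() in lowered:
            problems.append("contains personal information '%s'" % item)
    for old in previous:
        if similarity(candidate, old) > MAX_SIMILARITY:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a passphrase that still needs a digit and a special character,
    # and a rotation that only bumps the trailing digit.
    print(check_password("correct horse battery"))
    print(check_password("Horse!Battery@7", previous=["Horse!Battery@6"]))
```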
  • 33. USER RESPONSIBILITIES – (Internet Usage)
    - Use internet services for business purposes only.
    - Do not access the internet through dial-up connectivity.
    - Do not use the internet for viewing, storing or transmitting obscene or pornographic material.
    - Do not use the internet for accessing auction sites.
    - Do not use the internet for hacking other computer systems.
    - Do not use the internet to download / upload commercial software / copyrighted material.
    The IT Department continuously monitors internet usage. Any illegal use of the internet and other assets shall call for disciplinary action.
  • 34. USER RESPONSIBILITIES – (E-mail Usage)
    - Do not use your official ID for any personal subscription purpose.
    - Do not send unsolicited mails of any type, such as chain letters or e-mail hoaxes.
    - Do not send mails to clients unless you are authorized to do so.
    - Do not post non-business-related information to a large number of users.
    - Do not open a mail or attachment that is suspected to carry a virus or that was received from an unidentified sender.
    - Use official mail for business purposes only.
    - Follow the mail storage guidelines to avoid blocking of e-mails.
    - If you come across any junk / spam mail, do the following:
      - Remove the mail.
      - Inform the security help desk / IT Administrator.
      - Inform the server administrator.
      - Inform the sender that such mails are undesired.
  • 35. USER RESPONSIBILITIES – (Security Incidents)
    Report Security Incidents to the (IT) Helpdesk through:
    - E-mail to rajkaran.rana@fiaglobal.com
    - Telephone: e.g. 9654676543
    IT Incidents: mail spamming, virus attack, hacking, etc.
    Non-IT Incidents: unsupervised visitor movement, information leakage, bringing unauthorized media.
    - Do not discuss security incidents with anyone outside the organization.
    - Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.
  • 36. USER RESPONSIBILITIES
    - Ensure your system (laptop/desktop) has the latest antivirus updates.
    - Ensure your system is locked when you are away.
    - Always store laptops / media in a lockable place.
    - Be alert while working on laptops during travel.
    - Ensure sensitive business information is under lock and key when unattended.
    - Ensure back-up of sensitive and critical information assets.
    - Understand compliance issues such as:
      - Cyber Law / IPR / Copyrights / IT Act 2000 etc. / Contractual obligations with customers
    - Verify credentials if a message is received from an unknown sender.
    - Always switch off your computer before leaving for the day.
    - Keep yourself updated on information security aspects.