Iso27001 Isaca Seminar (23 May 08)

1. Introduction of an International Practice to Enhance Information Security
   BSI Management System. Presenter: Beata Tang, BSI Product Manager.
2. Incidents
   • Hacker
   • Process failure
   • Contractor problem
   • Employee error
   • System failure
   • Service interruption
   • Information leakage
3. Security Controls: how many controls do we need?
4. Introduction of Information Security Management Standards: ISO 27001:2005
5. How the ISMS Standard Evolved
   BS 7799-1:1995 was a guidance document; BS 7799-2:1999 was developed to support certification; the standard then obtained ISO status.
   • 1995: BS 7799-1
   • 1998: BS 7799-2
   • 1999: BS 7799:1999
   • 2000: ISO 17799:2000 (BS 7799-1)
   • 2002: BS 7799-2:2002
   • 2005: ISO 27001:2005
6. Aim of an ISMS
   Safeguarding the Confidentiality, Integrity and Availability of written, spoken and electronic information.
7. What is the ISMS Standard about?
   Management requirements (Clauses 4 to 8) and Annex A (133 controls), organised as a Plan-Do-Check-Act cycle:
   • PLAN: Establish the ISMS
   • DO: Implement and operate the ISMS
   • CHECK: Monitor and review the ISMS
   • ACT: Maintain and improve the ISMS
   Activities listed on the slide:
   • Establish ISMS framework
   • Set up security policy and objectives
   • Risk assessment and treatment
   • Risk treatment
   • Implement measures
   • Resource allocation
   • Routine checking
   • Self-policing procedures
   • Management review
   • Audit
   • Trend analysis
   • Improvement plan
   • Non-conformity
   • Corrective and preventive actions
8. What is the Risk Assessment about?
   Key terms: Asset, Threat, Vulnerabilities, Risk, Acceptable Level, Risk Treatment.
9. Why ISO 27001? (ISO 17799 and ISO 27001)
10. Benefits of implementing ISO 27001
   • First international standard addressing infosec
   • A best practice that promotes infosec within and beyond the organisation
   • Internationally recognised standard, providing qualification for individuals and accreditation for corporations
11. ISO 27001 and ISO 27002
   • Adopted by many countries for domestic use and translated into different languages
   Countries listed: Australia, Brazil, Canada, Denmark, Germany, Iceland, India, Ireland, Malaysia, Netherlands, New Zealand, Czech Republic, Taiwan, Japan, Korea, Norway, Poland, Singapore, South Africa, Sweden, Switzerland, UK, UAE.
12. Benefits of Implementing ISO 27001 (ISO 17799 and ISO 27001)
13. Benefits of implementation
   • Adoption of a business risk approach
   • Systematic review to identify risk exposure and potential risk
   • Risk Assessment and Treatment Plan identify risks and applicable controls
   • Manage risk in an effective and efficient manner
14. Benefits of implementation (cont.)
   • Cost-effective, through the effective and efficient use of resources
   • Facilitates resource management
   • Performance is measurable
15. How ISO 27001 helps and improves infosec in the workplace (ISO 17799 and ISO 27001)
16. ISO 27001 helps to improve infosec
   • Enhances employees' involvement in and awareness of a structured ISMS
   • Formal recognition of legal requirements
17. ISO 27001 helps to improve infosec
   • Introduction of 133 best-practice security controls
   • Provides a good reference point on how to implement security controls
   • Reduces the incident rate or the impact of incidents
18. Security Controls: 11 control areas, 39 control objectives (security categories), 133 controls
   • Security policy
   • Organizational security
   • Asset management
   • Human resources policy
   • Physical and environmental security
   • Communications and operations management
   • Access control
   • Information systems acquisition, development and maintenance
   • Information security incident management
   • Business continuity management
   • Compliance
19. Why get ISO 27001 certified? (ISO 17799 and ISO 27001)
20. Benefits of certifying to ISO 27001
   • Fulfilment of contractual / statutory requirements
   • Business enabler: an integral part of the organization's operating and business culture
   • Reduced risk: minimised financial loss, reputation loss, operational loss, etc.
21. Benefits of certifying to ISO 27001
   • Increased confidence, externally (customers / interested parties) and internally (management and staff)
   • Increased competitive edge
   • Demonstrates commitment to information security
22. Benefits of certifying to ISO 27001
   • Easy certification route for a well-recognised international standard
   • It is becoming a norm in the market, or a tendering advantage
23. Introduction of the ISO 27001 Certification Scheme (ISO 17799 and ISO 27001)
24. BSI Route to Certification
   • Pre-application questionnaire
   • Quotation
   • Application
   • Optional pre-assessment and/or gap analysis
   • Stage 1 assessment
   • Stage 2 assessment
   • Certification
   • 3-year cycle: surveillance assessments, with a re-assessment in the 3rd year
   The next verification visit is decided by the verifier; maximum 3-year audit cycle; maximum possible interim 12 months.
25. Customer profile with BS 7799 / ISO 27001 certifications: over 45% market share in the world …
26. For more on ISO 17799 and ISO 27001, please contact our Sales, Marketing and Training Department
   Tel: +852 3149-3300 / 3149-3320
   Fax: +852 2743-8727 / 8343-7336
   Email: mkt. [email_address]
27. More about the ISO 27000:2005 International Standard Series
   • BS ISO/IEC 27000 – Fundamentals and vocabulary
   • BS ISO/IEC 27001 – Information security management systems – Requirements
   • BS ISO/IEC 27002 – Code of practice for information security management
   • BS ISO/IEC 27003 – Implementation guidance
   • BS ISO/IEC 27004 – Metrics and measurement
   • BS ISO/IEC 27005 – Information security risk management
   • 27006 to 27011 – Reserved for future development (products driven by both BSI and potentially ISO TC)
   Status labels on the slide: available now / soon; still in development; future new product development.
