Implementing ISO27001:2013
Scott McAvoy | @5c077mc | Managing Security Consultant
Information security
Information is defined as:
An asset that, like any other important business assets, is essential to an organisation’s
business. Information can exist in many forms. It can be printed or written on paper, stored
electronically, transmitted by post or by using electronic means, shown on films, or spoken in
conversation.
Information security and its objectives are defined as protecting and preserving the following principles:
Confidentiality - The property that information is not made available or disclosed to unauthorised
individuals, entities or processes;
Integrity - The property of safeguarding the accuracy and completeness of assets;
Availability - The property of being accessible and usable upon demand by an authorised entity.
Agenda
● ISO27001 history and certification bodies
● ISO27001:2013 Clause 4-10
● ISO27001:2013 Example Annex A controls
ISO27001:2013
• From 1995 to 2015
• Certification bodies
• Compliance or certification?
ISO27001: From 1995 to 2015
● 1995: UK Department for Trade & Industry (DTI) writes, and the British Standards Institute (BSI) publishes, BS7799.
● 2000: BS7799 adopted by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) and renamed ISO/IEC 17799.
● 2005: ISO/IEC 27001:2005 is published, building in suggested security controls, risk assessment and risk management.
● 2014: ISO/IEC 27001:2013 published.
ISO27001: Certification bodies
ISO27001: Compliance or certification?
Compliance
Why? No contractual obligations. Best practice.
Pros: Less cost. Less resource.
Cons: Prevents working with some clients. Adds overhead to working with some clients.
Certification
Why? Contractual obligation. Competitive advantage.
Pros: Internationally recognised. Reduces impact of security on client relationships. Shows commitment.
Cons: Expensive. Potentially dedicated resource.
ISO27001:2013 Clause 4-10
• Context of the organisation
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement
ISO27001: Context of the organisation
What?
• Organisation issues;
• Interested parties' needs and expectations;
• Information Security Management System (ISMS) scope.
How?
• PESTEL & SWOT analysis.
Required documentation
• ISMS scope.
ISO27001: Leadership
What?
• Demonstration of top management commitment to information security;
• Information security policy;
• Roles, responsibilities and authorities.
How?
• Security forum;
• Security task force;
• Visible board support.
Required documentation
• Information security policy.
ISO27001: Planning
What?
• Determine risks and opportunities which need to be addressed;
• Define an information security risk assessment process;
• Define an information security risk treatment process;
• Define information security objectives.
How?
• SWOT analysis;
• Risk assessment and treatment templates;
• ISO27005;
• Simple objectives with simple measures to begin with.
Required documentation
• Risk assessment process;
• Risk treatment process;
• Statement of Applicability;
• Information security objectives.
ISO27001: Support
What?
• Determine and provide the resources needed;
• Determine the necessary competence and ensure it is met;
• Staff awareness;
• Internal and external communication;
• The need for documented information.
How?
• Map competency to specific training;
• Staff document set and test;
• Comms plan;
• Quality management control of documents.
Required documentation
• Evidence of competence.
ISO27001: Operation
What?
• Perform risk assessment;
• Perform risk treatment.
How?
• Risk assessment and treatment templates;
• Involve top management.
Required documentation
• Results of risk assessment;
• Results of risk treatment.
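The Planning and Operation slides above describe a risk assessment process, a risk treatment process, a Statement of Applicability and the recorded results of assessment and treatment. The following is an added example, not the author's or any standard's own code, of a minimal ISO 27005-style risk register that produces those records: the 5x5 scale, the risk appetite threshold of 8, the control catalogue and all register entries are constructed assumptions.

```python
"""Minimal ISO 27005-style risk register: assessment, treatment and Statement of Applicability."""
from dataclasses import dataclass, field

RISK_APPETITE = 8  # assumption: scores above this (5x5 scale) need treatment or management sign-off
TREATMENTS = {"modify", "retain", "avoid", "share"}  # the four ISO 27005 risk treatment options

@dataclass
class Risk:
    ref: str
    asset: str
    threat: str
    likelihood: int             # 1-5, how likely the threat is realised
    impact: int                 # 1-5, harm to confidentiality, integrity or availability
    treatment: str = "modify"
    controls: list[str] = field(default_factory=list)  # Annex A controls selected as treatment
    residual_likelihood: int = 0  # 0 = not yet re-assessed after the treatment was applied
    residual_impact: int = 0
    accepted_by: str = ""       # top management sign-off when a risk is retained above appetite

def inherent_score(r: Risk) -> int:
    return r.likelihood * r.impact

def residual_score(r: Risk) -> int:
    # Until treatment has been applied and re-assessed, residual risk equals inherent risk
    if r.residual_likelihood and r.residual_impact:
        return r.residual_likelihood * r.residual_impact
    return inherent_score(r)

def assess(register: list[Risk]) -> list[dict]:
    """Results of risk assessment and treatment, one record per risk."""
    results = []
    for r in register:
        if r.treatment not in TREATMENTS:
            raise ValueError(f"{r.ref}: unknown treatment {r.treatment!r}")
        residual = residual_score(r)
        within = residual <= RISK_APPETITE
        # A retained risk above appetite is acceptable only with documented management approval
        needs_signoff = r.treatment == "retain" and not within
        results.append({"ref": r.ref, "inherent": inherent_score(r), "residual": residual,
                        "acceptable": within or (needs_signoff and bool(r.accepted_by)),
                        "controls": sorted(r.controls)})
    return results

def statement_of_applicability(register: list[Risk], annex_a: dict[str, str]) -> dict[str, dict]:
    """Mark every catalogued Annex A control applicable or not, with a justification."""
    selected = {c: [] for c in annex_a}
    for r in register:
        for c in r.controls:
            if c not in annex_a:
                raise KeyError(f"{r.ref}: {c} is not a control in the catalogue")
            selected[c].append(r.ref)
    return {c: {"title": t, "applicable": bool(selected[c]),
                "justification": ("treats " + ", ".join(selected[c])) if selected[c]
                else "no identified risk requires this control"} for c, t in annex_a.items()}

# Constructed sample data; control titles are the Annex A examples discussed in this deck
ANNEX_A = {"A.6.2.1": "Mobile device policy", "A.9.1.1": "Access control policy",
           "A.11.1.2": "Physical entry controls", "A.11.2.9": "Clear desk and clear screen policy"}
REGISTER = [
    Risk("R1", "Laptops", "Lost or stolen device", 4, 4, "modify", ["A.6.2.1"], 2, 2),
    Risk("R2", "HR records", "Unauthorised reading of printouts", 3, 3, "modify", ["A.11.2.9"], 2, 2),
    Risk("R3", "Server room", "Tailgating visitor", 2, 5, "retain", [], accepted_by="CISO"),
]
```

Running `assess(REGISTER)` shows R3 retained above appetite but acceptable because of the recorded sign-off, and the Statement of Applicability marks A.9.1.1 not applicable because no register entry selects it.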
ISO27001: Performance evaluation
What?
• Monitoring and measuring;
• Internal audit;
• Management review.
How?
• Simple measures to begin with;
• ISO27004;
• Audit programme;
• Review plan.
Required documentation
• Monitoring and measuring results;
• Audit programme;
• Audit results;
• Management review results.
ISO27001: Improvement
What?
• Nonconformities;
• Corrective actions;
• Continual improvement.
How?
• Nonconformity and corrective action templates;
• Internal and external audit;
• Internal and external penetration testing.
Required documentation
• Nature of nonconformities;
• Corrective actions taken;
• Results of corrective actions.
ISO27001:2013 Annex A Controls
• Mobile device policy
• Access control policy
• Physical entry controls
• Clear desk and clear screen policy
• Addressing security in supplier agreements
• Compliance with Legal and Contractual requirements
Annex A.6.2.1 - Mobile device policy
● Registration of mobile devices;
● Requirements for physical protection;
● Restriction of software installation;
● Restriction of connection to information services;
● Access controls;
● Cryptographic techniques;
● Remote disabling, wipe or lockout.
When using mobile devices, special care should be taken to ensure that business
information is not compromised.
Annex A.9.1.1 - Access control policy
● Relevant legislation and any contractual obligations regarding limitation of
access to data or services;
● Formal authorisation of access requests;
● Periodic review of access rights;
● Removal of access rights;
● Roles with privileged access.
Asset owners should determine appropriate access control rules, access rights and
restrictions for specific user roles towards their assets.
Annex A.11.1.2 - Physical entry controls
● Date and time of entry and departure of visitors should be recorded;
● Visitors should be escorted at all times;
● Access to areas processing or storing sensitive information should be restricted
to authorised individuals only;
● Physical or electronic records of access should be securely maintained;
● All personnel, whether internal or external, should wear visible identification;
● Access rights to secure areas should be regularly reviewed and updated.
Secure areas should be protected by appropriate entry controls to ensure only
authorised personnel are allowed access.
Annex A.11.2.9 - Clear desk and clear screen policy
● Sensitive information should be locked away when not required or if the
desk is vacated;
● Computer screens should be locked and require a password to unlock
after a period of inactivity;
● Paper media should be removed from printers, scanners etc. immediately after use.
A clear desk policy for papers and removable storage media and a clear screen policy
for information processing facilities should be adopted.
Annex A.15.1.2 - Addressing security within supplier agreements
● Descriptions of the information and methods for accessing it;
● Legal and regulatory requirements;
● Acceptable use of information;
● Obligations of each party;
● Incident management procedures;
● Training and awareness requirements;
● Right to audit.
Supplier agreements should be established and documented to ensure understanding
between organisations with regard to their obligations regarding information security.
Annex A.18.1 - Compliance with legal and contractual requirements
● Identification of all legal and contractual obligations;
● Data protection and retention;
● Protection of personally identifiable information.
Objective: to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
Questions?
Scott McAvoy | @5c077mc | Managing Security Consultant
References and links
ISO/IEC, Oct 2013. ISO/IEC 27001:2013. Information technology - Security techniques - Information security management systems - Requirements
ISO/IEC, Oct 2013. ISO/IEC 27002:2013. Information technology - Security techniques - Code of practice for information security controls
7safe - Technical infrastructure and application testing training and external penetration testing
BSI - ISO27001 implementation and audit training and external audit
IT Governance - ISO27001 toolkits
27001 Academy - ISO27001 guidance and toolkits
AlienVault - Security Information and Event Management (SIEM)
SANS - Top 25 most dangerous software errors
OWASP - Top 10 most critical web application security risks

Editor's Notes

#23 (speaker notes on legal obligations relevant to Annex A.18.1)
Human Resources: Statutory Sick Pay (General) Regulations 1982; Statutory Maternity Pay (General) Regulations 1986; Limitation Act 1980.
Health & Safety: Social Security (Claims and Payments) Regulations 1979; RIDDOR 1985; Management of Health and Safety at Work Regulations.
Finance & Commercial: Companies Act 2006; The Employers' Liability (Compulsory Insurance) Act 1969, Regulations and Amendments; Income Tax (Pay As You Earn) Regulations 2003; Records for PAYE, HM Revenue and Customs; Other Record Keeping, HM Revenue and Customs; Records of Corporation Tax, HM Revenue and Customs; Accounts and Records for Your VAT, HM Revenue and Customs; Taxes Management Act 1970; Financial Conduct Authority Handbook.
Operations: Retention of Communications Data under Part 11: Anti-Terrorism, Crime and Security Act 2001, Home Office; Data Retention (EC Directive) Regulations 2009.
Information Security: Civil Evidence Act 1968; Police and Criminal Evidence Act 1984; Computer Misuse Act 1990; The Copyright (Computer Programs) Regulations 1992; The Data Protection Act 1998; Freedom of Information Act 2000; Regulation of Investigatory Powers Act 2000; Electronic Communications Act 2000; Dual Use (Export Control) Regulations 2000; Electronic Signatures Regulations 2002; Electronic Commerce Regulations 2002; Privacy and Electronic Communications Regulations 2003.