The document discusses key challenges and considerations for implementing an Information Security Management System (ISMS) based on ISO/IEC 27001. It highlights that ISMS implementation requires commitment from top management and involvement across the entire organization. Common difficulties include maintaining processes, continual improvement, and engaging employees outside of IT. Survey results show ISMS provides value through improved security and reduced costs, though certification can take 6-12 months and many organizations struggle with risk assessments and using all ISO 27001 controls.

1. 1
ISMSISMS ImplementationImplementation
challengeschallenges
Reza TeyniaReza Teynia
CEO of KASYSCEO of KASYS

2. 2
Reza TeyniaReza Teynia
• CEO of KASYS
• Master Degree
• Lead Auditor (QMS , ISMS, ITSM, BCM) in PECB, SGS, BV
• More than 20 Years experiences
2

3. 3
The illiterate of the 21st century
will not be those who cannot read
and write, but those who cannot
learn, unlearn, and relearn.
Alvin TofflerAlvin Toffler
3

4. 4
Importance of SecurityImportance of Security
• One third of time spent online at work in non-work-related. Websense-IDC
• 80% of companies reported that employees had abused internet privileges such as downloading pornography. CSI/FBI
• 45% of businesses had reported unauthorized access by insiders. CSI/FBI
• Although There are more than 430 million users of consumer IM at work. Only one quarter of companies have a clearly
defined policy on the use of IM at work. Silicon.com,
• 45% of the executable files downloaded through Kazaa contain malicious code. Trusecure,
• 73% of all movie searches on file-sharing networks were for pornography. Palisade Systems,
• 70% of porn is downloaded between 9am and 5pm. Sex Tracker
• 37% of at work internet users in the US had visited an X-rated website from work. ComScore Networks
• 77% of weekly online listening to internet radio takes place between 5 a.m. and 5 p.m. Arbitron
• 44% of corporate employees actively use streaming media. Nielsen NetRating
• Although 99% of companies use antivirus software, 82% of them were hit by viruses and worms. CSI/FBI

5. 5
Top 10 Strategic Technology Trends for 2017Top 10 Strategic Technology Trends for 2017 (Gartner)(Gartner)
• Advanced Machine Learning
• Intelligent Apps
• Intelligent Things
• Virtual Reality
• Block chain and Distributed office
• Conversational System
• Mesh App and Service Architecture
• Digital Technology Platforms
• Adaptive Security Architecture

6. 6
Top 10 Technologies for Information Security in 2016Top 10 Technologies for Information Security in 2016 (Gartner)(Gartner)
• Cloud Access Security Brokers
• Endpoint Detection and Response
• No signature Approaches for Endpoint Prevention
• User and Entity Behavioral Analytics
• Micro segmentation and Flow Visibility
• Security Testing for DevOps (DevSecOps)
• Intelligence-Driven Security Operations Center Orchestration Solutions
• Deception
• Pervasive Trust Services

7. 7
ISMS Main ObjectivesISMS Main Objectives
Business ContinuityBusiness Continuity

8. 8
ISO27001 HistoryISO27001 History
8

9. 9
ISO 27000 familyISO 27000 family
9

10. 10
ISO 27001:2013 ClausesISO 27001:2013 Clauses
Clause Coverage
4 Context of the organisation Understanding the organisation and its context, and Interested parties, defining
the ISMS scope
5 Leadership Demonstrate management commitment, create information security policy,
determination of roles and responsibilities
6 Planning Requirements for risk assessment and treatment, information security objectives
and planning to achieve them
7 Support Resourcing, competence, awareness, documentation and communication
8 Operation Operations, implementation of risk assessment and treatment
9 Performance evaluation Assessing the effectiveness of ISMS, internal audit and management review
10 Improvement Addressing non-conformities, continual improvement
10

11. 11
ISO27001:2013 ControlsISO27001:2013 Controls
11
Ref Section Controls Content
A.5 Information security policies 2 Management direction
A.6 Organization of information security 7 Internal organisation
A.7 Human resource security 6 Prior to, during employment; termination and change
A.8 Asset management 10 Responsibilities, information classification, media handling
A.9 Access control 14 Business requirements, user management and responsibilities, systems and application
access control
A.10 Cryptography 2 Cryptographic controls
A.11 Physical and environmental security 15 Secure areas, equipment
A.12 Operations security 14 Procedures and responsibilities, malware protection, backup, logging and monitoring,
operational software, technical vulnerabilities, systems audits
A.13 Communications security 7 Network security, information transfer,
A.14 Systems acquisition, development and maintenance 13 Security requirements, development and support, test data
A.15 Supplier relationships 5 Information security in supplier relationships, service delivery,
A.16 Information security incident management 7 Management of incidents, improvement (of ISMS)
A.17 Information security aspects of business continuity 4 Continuity, redundancy (of facilities)
A.18 Compliance 8 Legal and contractual compliance, reviews

12. 12
ISO/IEC 27001:2013ISO/IEC 27001:2013
• The standard has been prepared to provide requirements for
establishing, implementing, maintaining and continually improving an
information security management system (ISMS). The main objective
of ISMS – preserve the confidentiality, integrity and availability of
information. Applicable to all organizations, regardless of type, size or
nature.
Structure of the standard:
• 7 mandatory clauses.
• 114 controls spread across 14 domains and 35 control objectives.

13. 13
Top tips for implementing ISO/IEC 27001Top tips for implementing ISO/IEC 27001
• Get commitment and support from senior management.
• Engage the whole business with good internal communication.
• Compare existing information security management with ISO/IEC 27001
requirements.
• Get customer and supplier feedback on current information security.
• Establish an implementation team to get the best results.
• Map out and share roles, responsibilities and timescales.
• Adapt the basic principles of the ISO/IEC 27001 standard to your business.
• Motivate staff involvement with training and incentives.
• Share ISO/IEC 27001 knowledge and encourage staff to train as internal auditors.
• Regularly review your ISO/IEC 27001 system to make sure you are continually
improving it.

14. 14
ISO 27001 SurveyISO 27001 Survey source : ISO 27001 Global Report 2016source : ISO 27001 Global Report 2016
• 53 countries participated in the survey, with a large portion of respondents
representing the UK (41%), followed by India (10%) and the USA (7%).
• 29% of organizations had an annual turnover of over US$100 million (£76
million), while 26% had a turnover of less than $5 million (£3.8 million).
• The majority of respondents were from the technology sector (27%), business
services/consulting (14%) and financial services (13%), followed by
government/local authorities (10%)
• Individuals responsible for general IT functions (e.g. IT managers/directors) and
compliance/risk managers accounted for the largest number of respondents
(each accounting for 16% of respondents), followed by consultants (15%).
• 80% of respondents’ organizations were either certified to ISO 27001 (40%) or
were in the process of getting certified to ISO 27001 in the near future (40%).

15. 15
ISO 27001 SurveyISO 27001 Survey source : ISO 27001 Global Report 2016source : ISO 27001 Global Report 2016
• ISO 27001 directly improves an organization's information security
posture
• Resistance from executive teams about information security is still a
concern
• Implementers struggle with key areas of ISO 27001 implementation
• Supply chain demands are driving certification
• The median length of time for an ISO 27001 certification project is 6 -
12 months
• In general, companies are not tracking implementation costs

16. 16
ISO 27001 SurveyISO 27001 Survey source : ISO 27001 Global Report 2016source : ISO 27001 Global Report 2016
• Most companies do not employ a full time ISMS manager
• Almost a third of respondents do not assess C, I and A separately in
the risk assessment
• 76% of respondents follow an asset-based risk assessment
methodology
• Only 23% use ISO 27001:2013 controls in isolation
• Only half of individuals managing the ISMS have a formal ISO 27001
qualification
• There is a strong need for external assistance and support
• ISO 27001 delivers ROI , TCO

17. 17
IT'S NOT JUST THE IT DEPARTMENTIT'S NOT JUST THE IT DEPARTMENT Source: British-assessmentSource: British-assessment
• Information security isn’t just about websites, clouds, emails and
apps. It’s about everything in your business
• ISMS applies to everyone, wherever they are and whatever they do in
your organization
• You’ll need to consider systems and procedures that everyone must
follow.
• Don’t restrict your policies to only your direct employees.

18. 18
Key ChallengesKey Challenges
• Top management commitment and support
• Raise awareness and build security culture
• Systematically follow implemented ISMS processes
• Ensure continual improvement of ISMS
• Involvement of employee
• Relation between IT / IS into core business

19. 19
ISO Survey 2015ISO Survey 2015

20. 20
ISO Survey 2015ISO Survey 2015
Overview
Year 2009 2010 2011 2012 2013 2014 2015
TOTAL 12935 15626 17355 19620 21604 23005 27536
Africa 47 46 40 64 99 79 129
Central / South America 100 117 150 203 272 273 347
North America 322 329 435 522 712 814 1445
Europe 3563 4800 5289 6379 7952 8663 10446
East Asia and Pacific 7394 8788 9665 10422 10116 10414 11994
Central and South Asia 1303 1328 1497 1668 2002 2251 2569
Middle East 206 218 279 332 451 511 606

21. 21
ISO Survey 2015ISO Survey 2015
Year 2010 2011 2012 2013 2014 2015
Country 218 279 332 451 511 606
Bahrain 8 6 15 20 26 27
Iran, Islamic Republic of 7 13 4 9 23 23
Iraq 1 0 1 0
Israel 86 110 130 185 201 246
Jordan 2 1 3 2 2 1
Kuwait 18 15 17 15 18 20
Lebanon 1 3 3 3 1 2
Oman 9 11 10 11 8 7
Palestine 1 1 1 1
Qatar 6 9 7 23 28 35
Saudi Arabia 23 37 46 59 72 65
Syrian Arab Republic 0 0
United Arab Emirates 57 73 96 123 131 179
Yemen 0 0
ISO/IEC 27001 - Middle East

22. 22
"The only thing harder than planning for Security is
explaining why you didn't….“
"The only thing harder than planning for Security is
explaining why you didn't….“