GDPR compliance and information security: Reducing data breach risks
ISMS Part I
1. - By Khushboo Khandelwal Business Analyst & (Certified BS ISO/IEC 27001:2005 Lead Auditor) -At iViZ Techno Solutions Pvt. Ltd.
2.
3.
4.
5. S Integrity Clause 3.8 of ISO/IEC Confidentiality Clause 3.3 of ISO/IEC 27001 Availability Clause 3.2 of ISO/IEC 27001 Information SECURITY SECURITY SECURITY SECURITY THREATS VULNERABILITIES RISKS Safeguarding the accuracy and completeness of information processing methods. Ensuring that information is accessible only to those authorized to have access. Ensuring that authorized users have access to information and associated assets when required .
20. ISO/IEC 27001:2005 Requirements for Information Security Management Systems ISO/IEC 27002:2005 Code of Practice for Information Security Management
21. Maintain and Improve an ISMS Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of an ISMS Implement and Operate the ISMS Implement and operate the security policy , controls , processes and procedures Establish the ISMS Establish the security policy , objectives, and procedures relevant to managing risk and improving information security to deliver in accordance with an organization’s overall policies and objectives Monitor and Review the ISMS Assess and, where applicable , measure process performance against security policy, objectives and practical experience and report the results to the management for review.
22.
23.
24.
25. A.5 Security Policy [A.5.1 {A.5.1.1to A.5.1.2}] Total No of Controls: 2 A.6 Organization of Information Security [A.6.1{A.6.1.1to A.6.1.8} + A.6.2{A.6.2.1to A.6.2.3}] Total No of Controls:11 A.7 Asset Management [A.7.1{A.7.1.1toA.7.1.3} + A.7.2{A.7.2.1toA.7.2.2}]- -Total No of Controls : 5 A.8 Human Resources Security [A.8.1{A.8.1.1to A.8.1.3} + A.8.2{A.8.2.1to A.8.2.3}+ A.8.3{A.8.3.1-A.8.3.3}] Total No of Controls:9 A.9 Physical and Environmental Security [A.9.1{A.9.1.1to A.9.1.6}+A.9.2{A.9.2.1to A.2.7}] Total No of Controls : 13 A.10 Communications and Operations Management [A.10.1{A.10.1.1toA.10.1.4}+A.10.2{A.10.2.1toA.10.2.3}+ A.10.3{A.10.3.1toA.10.3.2} + A.10.4{A.10.4.1to A.10.4.2} +A.10.5{A.10.5.1} + A.10.6{A.10.6.1to A.10.6.2}+A.10.7{A.10.7.1to A.10.7.4}+A.10.8{A.10.8.1to A.10.8.5}+A.10.9{A.10.9.1to A.10.9.3}+A.10.10{A.10.10.1to A.10.10.6}} Total No of Controls : 32 A.11 Access Control [A.11.1{A.11.1.1}+A.11.2{A.11.2.1toA.11.2.4}+A.11.3{A.11.3.1toA.11.3.3}+A.11.4{A.11.4.1toA.11.4.7}+A.11.5{A.11.5.1to A.11.5.6}+A.11.6{A.11.6.1to A.11.6.2}+A.11.7{A.11.7.1toA.11.7.2} Total No of Controls : 25 A.12 Information Systems Acquisition, Development, and Maintenance [A.12.1{A.12.1.1}+A.12.2{A.12.2.1to A.12.2.4}+ A.12.3{A.12.3.1to A.12.3.2}+A.12.4{A.12.4.1toA.12.4.3}+A.12.5{A.12.5.1to A.12.5.5}+A.12.6{A.12.6.1} Total No of Controls : 16 A.13 Information Security Incident Management [A.13.1{A.13.1.1}+A.13.2{A.13.2.1toA.13.2.3}] Total No of Controls :5 A.14 Business Continuity Management [A.14.1{A.14.1.1toA.14.1.5} Total No of Controls: 5 A.15 Compliance [A.15.1{A.15.1.1to A.15.1.6} + A.15.2{A.15.2.1to 15.2.2} +A.15.3{A.15.3.1 toA.15.3.2}] Total No of Controls: 10
26.
27. Controls Considered Essential from a Legislative Point of View Data protection and privacy of personal information Protection of organizational records Intellectual property rights Controls Considered to be Best Practice Information security policy document Allocation of information security responsibilities Information security awareness, education, and training Correct processing in applications Technical vulnerability management Business continuity management Management of information security incidents and improvements
28. ISO/IEC 27001:2005 Clause 4.2.1 requires a risk assessment to be carried out to identify threats to assets. Guidance is now available using ISO/IEC 27005:2008
29.
30.
31.
32.
33. ISO 27799 Health Informatics - Security Management in Health using ISO 17799 ISO 19077 Software Asset Management ISO 27005 Information Security Risk Management ISO 15489 Effective Records Management ISO 21188 Public Key infrastructure for Financial Services ISO 18044 Incident Management BS 8470 Secure Disposal of confidential material BS 8549 Security Consultancy Code of Practice ISO 15288 System & Software Engineering - System lifecycle processes
34. Status 17 th January 2009 See http://www.iso27001certificates.com/ for the registry of certificates
35.
36.
37. Presenter: Khushboo Khandelwal Business Title: Business Analyst at iViZ Techno Solutions Pvt. Ltd. Email: [email_address]