As a globally recognized security standard, ISO 27001 certification is gaining traction in the U.S. as more companies pursue it to meet contractual obligations or to gain a competitive advantage. Gene Geiger, Director at A-lign, will outline the steps required to become ISO 27001 certified. View the recording of our live presentation here: https://www.youtube.com/watch?v=mMmpAwmXRNU
4. Agenda
• An Overview of ISO 27001
• Certification Preparation
• Steps to Certification
• Ongoing Maintenance
• Q & A
5. History of ISO 27001
• Risk Driven Standard
• BS 7799 – 1990s
• ISO 27001:2005
• ISO 27001:2013
6. Understanding ISO 27001
• Security Framework
– Living processes
– Monitors & improves information security
– Requires management involvement
– Requires ongoing activities
– Requires evidence from ISMS activities
7. Understanding ISO 27001
• Key Terms/Concepts
– Information security management system
– Plan-do-check-act
– Risk assessment
– Statement of applicability
– Continuous improvement
– Management of security system & other compliance standards
8. Polling Question 1
What is the most important component of an ISMS?
A. Management Involvement
B. Documented Policies
C. Defining the Scope
9. Why Conform With ISO 27001
• Conformance vs. Compliance
• International Operations/Customers
• Meet Contractual Obligations
• Gain Competitive Advantage
• Evaluate Security Practices
11. Polling Question 2
Which ISO 27000 standard is an organization certified against?
A. 27002
B. 27007
C. 27001
D. 27004
12. ISO 27001 Components
Organizational Context & Stakeholders
Information Security Leadership & High-Level Support for Policy
Planning an ISMS; Risk Assessment; Risk Treatment
Supporting an ISMS
Making an ISMS Operational
Reviewing the System's Performance
Corrective Action
13. ISO 27001 Components
A.5 Information Security Policies
A.6 Organization of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical & Environmental Security
A.12 Operations Security
14. ISO 27001 Components
A.13 Communications Security
A.14 System Acquisition, Development & Maintenance
A.15 Supplier Relationships
A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity Management
A.18 Compliance
15. Certification Preparation
• Management commitment & approval
• Define ISMS scope & boundaries
• Information security requirements analysis
• Conduct risk assessment & treatment plan
• Design the ISMS
• Six to nine months
Reference: ISO 27003 Information technology — Security techniques — Information security management system implementation guidance
16. Steps to Certification
• Selecting Certification Body
– Accredited
– Unaccredited
– Independence
• Scheduling Audit
– Stage 1 audit
– Stage 2 audit
• Calculating On-Site Time
17. Polling Question 3
It is best to have your certification auditor help you develop your ISMS.
A. True
B. False
18. Steps to Certification
• Certification Received
– Three-year validity
• Surveillance Audit
– Years 2 & 3
– Timing
• Revocation/Suspension
19. Ongoing Maintenance
• Previous Audit Concerns
– External audits
– Certification audits
– Internal audits
• Internal Audit
– Selecting the team
• Management Review
– Not a check-the-box process
20. Ongoing Maintenance
• Continual Improvement
– Policies/processes/technology
– Measure it
• Changes in the Environment
• Complaints/Issues Tracking
21. Polling Question 4
A dedicated internal audit department is not required to be ISO 27001 certified.
A. True
B. False
22. Recommendations
• Understand the Level of Effort
• Obtain Outside Training
• Communicate with your Certification Body (CB)
• Be Proactive