© 2008 Netsol Technologies, Inc. All rights reserved
ISO 27001
M. Faisal Naqvi, CISSP, CISA, 27001 LA & MI, AMBCI
Senior Consultant – Information Security
Development of the ISO 27001 "family" of Standards

ISO/IEC Standard   Description
27000              Vocabulary and definitions
27001              Specification (BS7799-2), issued Oct. 2005
27002              Code of Practice (ISO17799:2005)
27003              Implementation Guidance
27004              Metrics and Measurement
27005              Risk Management (BS 7799-3)
History of ISO 27001

[Diagram: lineage of the standard, UK column and International column; one arrow style marks a copy/translation, the other a revision]

UK:            BS7799:1996 -> BS7799-1:1999 (Part 1) and BS7799-2:1999 (Part 2)
               BS7799-1:2000 (copy/translation of ISO17799:2000)
               BS7799-Part 2:2002 (revision of BS7799-2:1999)
International: ISO17799:2000 (copy/translation of BS7799-1:1999) -> ISO17799:2005 (revision)
               ISO27001:2005 (copy/translation of BS7799-Part 2:2002)
Harmonization Example

[Figure: PAS 99 Integrated Management, showing ISO 27001/BS-25999 harmonized within one integrated management system. Image courtesy of BSI America]
Country-wise Certified Organizations

Country          Certs   Country              Certs   Country        Certs   Country        Certs
Japan             2770   Romania                 16   Bahrain            4   Yemen              2
India              426   Turkey                  15   Kuwait             4   Armenia            1
UK                 368   UAE                     14   Norway             4   Bangladesh         1
Taiwan             183   Thailand                13   Sri Lanka          4   Belgium            1
China              161   Iceland                 11   Switzerland        4   Egypt              1
Germany            108   Netherlands             11   Canada             3   Iran               1
USA                 77   Singapore               11   Chile              3   Kazakhstan         1
Hungary             74   Pakistan                10   Croatia            3   Kyrgyzstan         1
Czech Republic      66   France                  10   Indonesia          3   Lebanon            1
Korea               58   Russian Federation      10   Macau              3   Lithuania          1
Italy               54   Saudi Arabia            10   Peru               3   Luxembourg         1
Poland              34   Philippines             10   Portugal           3   Macedonia          1
Hong Kong           30   Mexico                   8   Vietnam            3   Moldova            1
Australia           28   Colombia                 7   Bulgaria           2   New Zealand        1
Ireland             26   Sweden                   7   Gibraltar          2   Ukraine            1
Malaysia            26   Slovakia                 6   Isle of Man        2   Uruguay            1
Spain               25   Slovenia                 6   Morocco            2
Austria             21   Greece                   5   Oman               2
Brazil              20   South Africa             5   Qatar              2

Relative Total 4813; Absolute Total 4803
Source: http://www.iso27001certificates.com on September 25, 2008
ISO 27001

- Not a technical standard
- Not product or technology driven
- Not an equipment evaluation methodology such as the Common Criteria (ISO/IEC 15408)
- But the controls an organization selects may call for products evaluated to a Common Criteria Evaluation Assurance Level (EAL)
Information Security Management System

- Information System Security: security of information systems and computers
- Information Security System: protection of information in any form, soft or hard copy; this broader view is the one an ISMS takes
Strength of Overall Security

- The overall strength of even state-of-the-art security is no greater than its weakest element
- A comprehensive security model covering all aspects is therefore needed
Asset, Vulnerability, Threat, Risk & Control

- Asset = anything that has value to the organization
- Vulnerability = any weakness of an asset
- Threat = any possible danger, i.e. a potential cause of an unwanted incident
- Risk = a vulnerability exposed to a threat; the deck's shorthand is Risk = Vulnerability x Threat (ISO/IEC 27005 also weighs the impact on the asset, so in practice risk combines likelihood with consequence)
- Control = countermeasure to reduce risk
[Figure: Asset, Vulnerability, Threat, Risk]
[Figure: Control]
ISO 27001

- Addresses vulnerabilities and threats to information across the whole organization, not only in IT
- 11 major categories of controls/countermeasures, called domains
- 133 controls (Annex A of ISO/IEC 27001:2005) to counter those vulnerabilities and threats
11 Domains of ISO 27001

[Figure: the eleven domains arranged around INFORMATION and its three properties, Confidentiality, Integrity and Availability, which the controls protect against Threats and Vulnerabilities]

1. Security Policy
2. InfoSec Organization
3. Asset Mgmt.
4. HR Security
5. Physical & Environment Security
6. Comm & Opr Mgmt
7. Access Control
8. Info Sys Dev. & Maintenance
9. InfoSec Incident Mgmt
10. Business Continuity Mgmt
11. Compliance
ISO-27001 Domains & Controls

No.  Domain                                                        Controls
1    Security Policy                                                      2
2    Organization of Information Security                                11
3    Asset Management                                                     5
4    Human Resources Security                                             9
5    Physical and Environmental Security                                 13
6    Communications and Operations Management                            32
7    Access Control                                                      25
8    Information Systems Acquisition, Development and Maintenance        16
9    Information Security Incident Management                             5
10   Business Continuity Management                                       5
11   Compliance                                                          10
     Total                                                              133
Why Policies & Standards?

[Figure: Information at the centre, attacked from two sides]

Attacks through Technology:
- Virus, Worm, Trojan
- (D)DoS attacks
- SQL injection
- Buffer overflow
- Brute force attack
- Password cracking

Attacks through People:
- Abuse of privileges
- Social engineering
- Physical access to bypass controls
- Misuse of systems
- Password guessing
- Theft of laptops / storage media
Domain Area

[Figure: the eleven domains grouped by area, Management versus Operations: Policy; Organization of Information Security; Asset Mgmt.; Access Ctrl; Compliance; InfoSec Incident Mgmt; HR Security; Biz Continuity Mgmt; Info Systems Acquisition, Dev & Maintenance; Comm. & Operations Mgmt; Physical & Env Security]
Plan-Do-Check-Act (PDCA)

[Figure: the PDCA model applied to the ISMS processes]

Input from interested parties: information security requirements and expectations
  Plan:  Establish the ISMS
  Do:    Implement and operate the ISMS
  Check: Monitor and review the ISMS
  Act:   Maintain and improve the ISMS
Output to interested parties: managed information security
PDCA
Establish the ISMS (Plan)

- Scope of the ISMS
- ISMS policy (objectives, requirements)
- Systematic approach to risk management
- Risk identification
- Risk assessment
- Risk evaluation & treatment
- Control objectives and controls for risk treatment
- Statement of Applicability
- Management approval of residual risks
- Authorization to implement and operate
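The definitions slide (Asset, Vulnerability, Threat, Risk, Control) and the "Establish the ISMS" steps above describe a process without showing it run. The following is an added example, not code from the deck or from NetSol: a minimal risk assessment and treatment that scores each threat/vulnerability pair against an asset, applies selected controls, checks the residual risk against an acceptance criterion (so that anything still above it is flagged for management approval), and produces a Statement of Applicability with a justification for every control, applied or excluded. The 1..5 scales, the threshold of 6, the control effectiveness numbers, the assets and scenarios are all constructed for illustration, and the Annex A references are illustrative of ISO/IEC 27001:2005 numbering and should be checked against the standard before reuse.

```python
"""Added example: risk assessment, treatment and Statement of Applicability
for the ISO 27001 "Plan" phase. All scales, assets, scenarios, thresholds and
control effectiveness values are constructed; Annex A refs are illustrative."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Risk acceptance criterion (assumption): scores above this must be treated,
# and a residual score still above it needs documented management approval.
RISK_ACCEPTANCE_THRESHOLD = 6


@dataclass(frozen=True)
class Asset:
    name: str
    value: int              # 1 (low) .. 5 (high): impact if the asset is compromised


@dataclass(frozen=True)
class Scenario:
    """Risk = a Threat exploiting a Vulnerability of an Asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int         # 1 (rare) .. 5 (almost certain), before any control


@dataclass(frozen=True)
class Control:
    ref: str                # Annex A reference (illustrative numbering)
    domain: int             # 1..11, the eleven domains of the 2005 standard
    name: str
    likelihood_reduction: int   # steps it lowers the 1..5 likelihood (assumed)


def risk_score(s: Scenario) -> int:
    """The deck's Risk = Vulnerability x Threat, made measurable as
    likelihood (threat meets vulnerability) x asset value (impact)."""
    return s.likelihood * s.asset.value


def residual_score(s: Scenario, controls: List[Control]) -> int:
    """Risk left after the selected controls; likelihood never drops below 1."""
    reduction = sum(c.likelihood_reduction for c in controls)
    return max(1, s.likelihood - reduction) * s.asset.value


def treat(scenarios: List[Scenario],
          plan: Dict[Scenario, List[Control]]) -> Dict[Scenario, Tuple[int, int, str]]:
    """Apply the risk treatment plan; return (inherent, residual, decision)."""
    results = {}
    for s in scenarios:
        inherent = risk_score(s)
        if inherent <= RISK_ACCEPTANCE_THRESHOLD:
            results[s] = (inherent, inherent, "accepted: within criterion, no treatment")
            continue
        residual = residual_score(s, plan.get(s, []))
        if residual <= RISK_ACCEPTANCE_THRESHOLD:
            results[s] = (inherent, residual, "mitigated: residual within criterion")
        else:
            results[s] = (inherent, residual,
                          "residual above criterion: needs management approval or more treatment")
    return results


def statement_of_applicability(catalog: List[Control],
                               plan: Dict[Scenario, List[Control]]) -> Dict[str, Tuple[bool, str]]:
    """SoA: each catalogue control is applicable (with the risks it treats) or
    excluded with a justification, so an auditor can trace every decision."""
    soa = {}
    for c in catalog:
        treated = [s for s, cs in plan.items() if c in cs]
        if treated:
            soa[c.ref] = (True, "treats: " + "; ".join(
                f"{s.threat} -> {s.asset.name}" for s in treated))
        else:
            soa[c.ref] = (False, "excluded: no identified risk in scope requires it")
    return soa


# --- constructed sample input (not real data) ---------------------------------
CUSTOMER_DB = Asset("customer database", value=5)
SALES_LAPTOP = Asset("sales laptop", value=3)
BROCHURE_SITE = Asset("public brochure website", value=1)

SQLI = Scenario(CUSTOMER_DB, "SQL injection", "unvalidated web input", likelihood=4)
GUESSING = Scenario(CUSTOMER_DB, "password guessing", "weak passwords", likelihood=3)
THEFT = Scenario(SALES_LAPTOP, "laptop theft", "unencrypted disk", likelihood=4)
DEFACE = Scenario(BROCHURE_SITE, "defacement", "outdated CMS", likelihood=2)
SCENARIOS = [SQLI, GUESSING, THEFT, DEFACE]

INPUT_VALIDATION = Control("A.12.2.1", 8, "Input data validation", 3)
PASSWORD_USE = Control("A.11.3.1", 7, "Password use", 1)
AWARENESS = Control("A.8.2.2", 4, "Awareness, education and training", 1)
MOBILE = Control("A.11.7.1", 7, "Mobile computing and communications", 1)
MALWARE = Control("A.10.4.1", 6, "Controls against malicious code", 2)
CATALOG = [INPUT_VALIDATION, PASSWORD_USE, AWARENESS, MOBILE, MALWARE]

# Risk treatment plan: which selected controls address which scenario.
PLAN = {SQLI: [INPUT_VALIDATION], GUESSING: [PASSWORD_USE, AWARENESS], THEFT: [MOBILE]}

if __name__ == "__main__":
    for s, (inherent, residual, decision) in treat(SCENARIOS, PLAN).items():
        print(f"{s.asset.name:24} {s.threat:18} risk {inherent:2} -> {residual:2}  {decision}")
    for ref, (applicable, why) in statement_of_applicability(CATALOG, PLAN).items():
        print(f"{ref:9} {'applicable' if applicable else 'excluded  '}  {why}")
```

With these inputs the SQL injection and password guessing risks fall within the criterion once treated, the defaced brochure site is accepted untreated, and the laptop theft risk (12 before, 9 after the mobile computing control) stays above the threshold, which is exactly the case the "management approval for residual risks" step exists for: either management signs off on accepting 9, or a further control (disk encryption) goes into the plan. The Statement of Applicability records A.10.4.1 as excluded with a reason, which an auditor would challenge in a real scope since malware affects every asset; the point is that the exclusion, and its justification, must be written down.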
PDCA
Implement and operate the ISMS (Do)

- Formulate a risk treatment plan
- Implement the risk treatment plan
- Implement the controls selected
- Implement training and awareness programs
- Manage operations
- Manage resources
- Implement procedures and controls to detect and respond to security incidents
PDCA
Monitor and review the ISMS (Check)

- Execute monitoring procedures
- Undertake regular reviews
- Review the level of residual risk
- Conduct internal audits
- Undertake a management review
- Record actions and events
PDCA
Maintain and improve the ISMS (Act)

- Implement the identified improvements
- Take appropriate corrective and preventive actions
- Communicate results
- Ensure effectiveness
Documentation Requirements

- Policies
- Objectives
- Scope
- Procedures
- Controls
- Risk assessment methodology
- Risk treatment plan
- Document protection and control
ISO 27001 Management Framework

[Figure: ISO 27001 Management Framework]
Management Responsibilities

- Commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS
- Resource management
- Training, awareness and competence
- Internal audit
- Management review of the ISMS