1. Introduction of an International Practice to Enhance Information Security
   BSI Management System. Presenter: Beata Tang, BSI Product Manager.

2. Incidents
   Sources of incidents: hacker, process failure, contractor problem, employee error, system failure, service interruption, information leakage.

3. Security Controls
   How many controls do we need?

4. Introduction of Information Security Management Standards: ISO 27001:2005

5. How ISMS Evolves
   • 1995: BS 7799-1:1995, guidance document
   • 1998: BS 7799-2
   • 1999: BS 7799:1999 (BS 7799-2:1999, developed to support certification)
   • 2000: ISO 17799:2000 (BS 7799-1 obtains ISO status)
   • 2002: BS 7799-2:2002
   • 2005: ISO 27001:2005

6. Aim of ISMS
   Safeguarding the Confidentiality, Integrity and Availability of written, spoken and electronic information.

7. What is the ISMS Standard about?
   The standard follows the PLAN / DO / CHECK / ACT cycle. Management requirements are in Clauses 4 to 8; Annex A lists 133 controls.
   • PLAN, Establish ISMS: establish the ISMS framework; set up security policy and objectives; risk assessment and treatment.
   • DO, Implement & Operate ISMS: risk treatment; implement measures; resource allocation.
   • CHECK, Monitor & Review ISMS: routine checking; self-policing procedures; management review; audit; trend analysis.
   • ACT, Maintain & Improve ISMS: improvement plan; non-conformity; corrective and preventive actions.

8. What is the Risk Assessment about?
   Elements: asset, threat, vulnerabilities, risk, acceptable level, risk treatment. A risk exists where a threat can exploit a vulnerability of an asset; a risk above the acceptable level is addressed through risk treatment.
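As an added worked example (not from the presentation or from BSI), the script below models the risk assessment and treatment step described on this slide: each entry in a register names an asset, a threat and a vulnerability, a risk score is compared with the acceptable level, and a control is applied to see whether the residual risk falls to an acceptable level. The 1..5 scoring scale, the multiplicative risk formula, the acceptable level of 20, the sample register and the control names are all assumptions of this example; ISO 27001 leaves the scoring method to the organisation. The control names only refer to control areas named later in the deck, not to specific Annex A control numbers.

```python
"""ISO 27001-style risk assessment and treatment planner (illustrative only).

Assumptions of this example, not requirements of the standard:
  * every factor is scored 1 (low) .. 5 (high);
  * risk score = asset value x likelihood x exposure (range 1..125);
  * the acceptable level is a management-approved score threshold.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1..5 scale


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int   # impact on confidentiality, integrity or availability
    likelihood: int    # chance that the threat materialises
    exposure: int      # how easily the vulnerability lets the threat succeed

    def __post_init__(self) -> None:
        for name in ("asset_value", "likelihood", "exposure"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {getattr(self, name)!r}")

    @property
    def score(self) -> int:
        # Assumed formula; the organisation chooses its own method in practice.
        return self.asset_value * self.likelihood * self.exposure


def decide(risk: Risk, acceptable_level: int) -> str:
    """'accept' when the score is at or below the acceptable level, else 'treat'."""
    return "accept" if risk.score <= acceptable_level else "treat"


def apply_control(risk: Risk, likelihood: Optional[int] = None,
                  exposure: Optional[int] = None) -> Risk:
    """Residual risk after a control. Controls lower likelihood and/or exposure;
    the asset value is unchanged because the asset is just as valuable afterwards."""
    return replace(risk,
                   likelihood=risk.likelihood if likelihood is None else likelihood,
                   exposure=risk.exposure if exposure is None else exposure)


Row = Tuple[Risk, str, Optional[str], int, str]


def treatment_plan(register: List[Risk], acceptable_level: int,
                   controls: Dict[Tuple[str, str], Tuple[str, int, int]]) -> List[Row]:
    """Return rows of (risk, decision, control, residual score, residual decision).

    `controls` maps (asset, threat) -> (control name, expected likelihood, expected exposure).
    A risk that still scores above the acceptable level after its control is reported
    as 'treat' again: it needs a further control or explicit management acceptance.
    """
    rows: List[Row] = []
    for risk in register:
        decision = decide(risk, acceptable_level)
        if decision == "accept":
            rows.append((risk, decision, None, risk.score, "accept"))
            continue
        control, new_l, new_e = controls.get((risk.asset, risk.threat), (None, None, None))
        if control is None:  # risk needs treatment but no control has been chosen yet
            rows.append((risk, decision, None, risk.score, "treat"))
            continue
        residual = apply_control(risk, new_l, new_e)
        rows.append((risk, decision, control, residual.score, decide(residual, acceptable_level)))
    return rows


# Constructed sample register; not real data.
REGISTER = [
    Risk("customer database", "unauthorised access", "shared admin passwords", 5, 4, 4),
    Risk("customer database", "hardware failure", "single disk, nightly backup", 5, 2, 2),
    Risk("marketing website", "defacement", "unpatched CMS plugin", 2, 3, 4),
    Risk("printed meeting notes", "information leakage", "left on shared printer", 2, 3, 1),
    Risk("payroll system", "insider fraud", "no segregation of duties", 4, 3, 3),
]

# Constructed treatment choices: control plus the scores the risk owner expects it to achieve.
CONTROLS = {
    ("customer database", "unauthorised access"): ("individual accounts with MFA (access control area)", 2, 1),
    ("marketing website", "defacement"): ("patch management (operations management area)", 2, 2),
    ("payroll system", "insider fraud"): ("four-eyes approval of payroll runs (HR / operations area)", 2, 3),
}

ACCEPTABLE_LEVEL = 20  # assumed management-approved threshold


def residual_decisions(acceptable_level: int = ACCEPTABLE_LEVEL) -> List[str]:
    """Residual decision per register entry, in register order."""
    return [row[4] for row in treatment_plan(REGISTER, acceptable_level, CONTROLS)]


if __name__ == "__main__":
    for risk, decision, control, residual, final in treatment_plan(REGISTER, ACCEPTABLE_LEVEL, CONTROLS):
        print(f"{risk.asset} / {risk.threat}: score {risk.score} -> {decision}; "
              f"control: {control or '-'}; residual {residual} -> {final}")
```

The payroll entry is the case to watch: its control brings the score down from 36 to 24, which is still above the acceptable level, so the plan reports it as requiring treatment again rather than silently closing it. That re-check is the CHECK step of the cycle applied to the treatment plan itself.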
9. Why ISO 27001 (ISO 17799 & ISO 27001)

10. Benefits of implementing ISO 27001
   • First international standard addressing infosec.
   • A best practice that promotes infosec within and beyond the organisation.
   • Internationally recognised standard, providing qualification for individuals and accreditation for corporations.

11. ISO 27001 & ISO 27002
   Adopted by many countries for domestic use and translated into different languages: Australia, Brazil, Canada, Denmark, Germany, Iceland, India, Ireland, Malaysia, Netherlands, New Zealand, Czech Republic, Taiwan, Japan, Korea, Norway, Poland, Singapore, South Africa, Sweden, Switzerland, UK, UAE.

12. Benefits of Implementing ISO 27001 (ISO 17799 & ISO 27001)

13. Benefits of implementation
   • Adoption of a business risk approach: systematic review to identify risk exposure and potential risk.
   • Risk assessment and treatment plan: identify risk and the applicable controls.
   • Manage risk in an effective and efficient manner.

14. Benefits of implementation (cont)
   • Cost-effective, through the effective and efficient use of resources.
   • Facilitates resource management.
   • Performance is measurable.

15. How ISO 27001 helps and improves infosec at the workplace (ISO 17799 & ISO 27001)

16. ISO 27001 helps to improve infosec
   • Enhances employees' involvement in, and awareness of, a structured ISMS.
   • Formal recognition of legal requirements.

17. ISO 27001 helps to improve infosec
   • Introduction of 133 best-practice security controls.
   • Provides a good reference point for how to implement security controls.
   • So as to reduce the incident rate or the impact of incidents.

18. Security Controls
   11 control areas, 39 control objectives (security categories), 133 controls. The control areas:
   • Security policy
   • Organizational security
   • Asset management
   • Human resources policy
   • Physical and environmental security
   • Communications and operations management
   • Access control
   • Information systems acquisition, development & maintenance
   • Information security incident management
   • Business continuity management
   • Compliance

19. Why ISO 27001 Certified (ISO 17799 & ISO 27001)

20. Benefits of certifying ISO 27001
   • Fulfilment of contractual / statutory requirements.
   • Business enabler: an integral part of the organization's operating and business culture.
   • Reduced risk: minimised financial loss, reputation loss, operation loss, etc.

21. Benefits of certifying ISO 27001
   • Increasing confidence, externally (customers / interested parties) and internally (management & staff).
   • Increased competitive edge.
   • Demonstrates commitment to information security.

22. Benefits of certifying ISO 27001
   • Easy certification route of a well recognised international standard.
   • It becomes a norm in the market or a tendering advantage.

23. Introduction of ISO 27001 Certification Scheme (ISO 17799 & ISO 27001)

24. BSI Route to Certification
   • Pre-application questionnaire
   • Quotation
   • Application
   • Optional pre-assessment (gap analysis) and/or Stage 1 assessment
   • Stage 2 assessment
   • Certification
   • 3-year cycle: surveillance assessment, then 3rd-year re-assessment
   The next verification visit is decided by the verifier; maximum 3-year audit cycle; maximum possible interim of 12 months.

25. Customer Profile with BS 7799 / ISO 27001 Certifications
   Over 45% market share in the world ...

26. For more on ISO 17799 & ISO 27001, please contact our Sales, Marketing & Training Department.
   Tel: +852 3149-3300 / 3149-3320. Fax: +852 2743-8727 / 8343-7336. Email: mkt. [email_address]

27. More about the ISO 27000:2005 International Standard Series
   • BS ISO/IEC 27000: Fundamentals and vocabulary
   • BS ISO/IEC 27001: Information security management systems, Requirements
   • BS ISO/IEC 27002: Code of practice for information security management
   • BS ISO/IEC 27003: Implementation guidance
   • BS ISO/IEC 27004: Metrics and measurement
   • BS ISO/IEC 27005: Information security risk management
   • 27006 ... 27011: reserved for future development (products driven by both BSI and potentially ISO TC)
   Status legend on the slide: still in development; available now / soon; future new product development.

Iso27001 Isaca Seminar (23 May 08)