General overview of standard ISO/IEC 27001, and its correspondence with ISO 9001.

1. 1
WELCOMEWELCOME

2. 2
Session topic isSession topic is
Overview ofOverview of
Information Security Management System,Information Security Management System,
ISO 27001 ISMSISO 27001 ISMS
andand
Integration with ISO 9001Integration with ISO 9001

3. 3
An OrganizationOrganization
is needed to be
managed …
… so that it can achieve its
objectivesobjectives
Managing OrganizationsManaging Organizations

4. 4
By late 1940s, causes of
failure of organizations,
were identified as …
Special causes
Common causes
CausesCauses ofof FailuresFailures …

5. 5
Input
Resources
Controls
OrganizationalOrganizational
ProcessesProcesses Output

6. 6
Management System StandardizationsManagement System Standardizations
Management System is ….
Planned arrangement of the organization ..
.. to manage its processes
.. to ensure that its set objectives are met
Management System Standard is ….
A model defined by the experts in the field ..
(to setup and operate a Management System)to setup and operate a Management System)
.. the model being internationally best
.. and state of the art practice

7. 7
Management System Standards are generic
… and foster GlobalizationGlobalization
Globalization isGlobalization is
““process by which the every-day lifeprocess by which the every-day life
is becoming standardizedis becoming standardized
around the world”around the world”
“Auguring against globalization is like
arguing against the law of gravity”
– Kofi Annan

8. 8
M.S.M.S.
PPLAN
All Management Systems are based on PDCA approach
DDOCCHECK
AACT
Continual Improvement

9. 9
M.S.M.S.
PlanPlan
PDCA approach
DDOCCHECK
AACT
PLAN = Establish ObjectivesObjectives and ProcessesProcesses
• Analyze organizational situations,
• Establish objectives,
• Set targets, and
• Develop plans to achieve them

10. 10
M.S.M.S.
DoDoCCHECK
AACT
DO = ImplementImplement the Plans
PLANPLAN
• Analyze organizational situations,
• Establish objectives,
• Set targets, and
• Develop plans to achieve them
PPLAN
PDCA approach

11. 11
M.S.M.S.
CheckCheck
AACT
CHECK = Monitor & MeasureMonitor & Measure the Results
PPLAN
DO - Implementation of PlansDO - Implementation of PlansDDO
ie, how far actual achievements have met
planned objectives?
PLANPLAN
• Analyze organizational situations,
• Establish objectives,
• Set targets, and
• Develop plans to achieve them
PDCA approach

12. 12
M.S.M.S.
ACT = Correct and/or improve the plans
PPLAN
DDO
CHECKCHECK
How far actual achievements
have met planned objectives?
ActAct
CCHECK
PLANPLAN
• Analyze organizational situations,
• Establish objectives,
• Set targets, and
• Develop plans to achieve them
DO - Implementation of PlansDO - Implementation of Plans
To achieve better results next time
PDCA approach

13. 13
All Management Systems
are based on …
Corrective ApproachCorrective Approach
Preventive ApproachPreventive Approach

14. 14
Basic ConcernsBasic Concerns
Quality
Environment
Social Accountability
Occupational Health & Safety
ISO 9001 : 2008ISO 9001 : 2008
ISO 14001 : 2004ISO 14001 : 2004
SA 8000 : 2008SA 8000 : 2008
OHSAS 18001 : 2007OHSAS 18001 : 2007
Available Management System StandardsAvailable Management System Standards

15. 15
Specific ConcernsSpecific Concerns
For Information Security
For Food Safety
For Energy Conservation
For Risk Management
For Supply Chain Security
ISO/IEC 27001 : 2005ISO/IEC 27001 : 2005
ISO 22000 : 2005ISO 22000 : 2005
ISO 50001 : 2011ISO 50001 : 2011
ISO 31000 : 2009ISO 31000 : 2009
ISO 28000 : 2007ISO 28000 : 2007
Available Management System StandardsAvailable Management System Standards

16. 16
Standard ISO/IEC 27001 : 2005Standard ISO/IEC 27001 : 2005
Published in 2005Published in 2005 – jointly by ISO and IEC– jointly by ISO and IEC
Full name is
ISO/IEC 27001:2005 – Information technology –ISO/IEC 27001:2005 – Information technology –
Security Techniques – Information securitySecurity Techniques – Information security
management systems - Requirementsmanagement systems - Requirements
Applicable to all types of organizations
• Commercial enterprises
• Government agencies
• Non-profit organizations
Commonly known as ISO 27001ISO 27001

17. 17
Standard ISO/IEC 27001 : 2005Standard ISO/IEC 27001 : 2005
It specifies the requirements forIt specifies the requirements for
establishing, implementing, operating,establishing, implementing, operating,
monitoring, reviewing, maintaining andmonitoring, reviewing, maintaining and
improving an ISMS in an organization …improving an ISMS in an organization …
…… for adequate &for adequate & proportionateproportionate security controlssecurity controls
to protect all information assets
and give confidence to interested partiesand give confidence to interested parties
about their security

18. 18
Standard ISO/IEC 27001 : 2005Standard ISO/IEC 27001 : 2005
It also presents (in appendix A)It also presents (in appendix A)
the list of all information security control methodsthe list of all information security control methods
From this list, organizations are to choose theFrom this list, organizations are to choose the
specific ones that are applicable to themspecific ones that are applicable to them
andand
supplement them, if required, with other a lasupplement them, if required, with other a la
carte optionscarte options

19. 19
It is intended for several types of uses …
Use within organizations to formulate security requirements and
objectives
Use within organizations as a way to ensure that security risks
are cost-effectively managed
Use within organizations to ensure compliance with laws and
regulations
Use within an organization as a process framework for the
implementation and management of controls to ensure that the
specific security objectives of an organization are met
To define new information security management processes
Identification and clarification of existing information security
management processes
Use by the management of organizations to determine the status
of information security management activities
Use by internal / external auditors as criteria for effective ISMS
Use by organizations to provide relevant information about their
information security policies, processes, etc for operational or
commercial reasons
Implementation of a business enabling information security
Use by organizations to provide relevant information about
information security to customers

20. 20
Standards under ISO 27000 seriesStandards under ISO 27000 series
ISO/IEC 27000:2009ISO/IEC 27000:2009 Overview and vocabularyOverview and vocabulary
ISO/IEC 27001:2005ISO/IEC 27001:2005 RequirementsRequirements
ISO/IEC 27002:2005ISO/IEC 27002:2005 Code of practiceCode of practice
ISO/IEC 27003:2010ISO/IEC 27003:2010 Implementation guidanceImplementation guidance
ISO/IEC 27004:2009ISO/IEC 27004:2009 Information security management measurementInformation security management measurement
ISO/IEC 27005:2008ISO/IEC 27005:2008 Information security risk managementInformation security risk management
ISO/IEC 27006:2007ISO/IEC 27006:2007 Requirements for certification bodiesRequirements for certification bodies
ISO/IEC 27011:2008ISO/IEC 27011:2008 Guidelines for telecommunications organizationsGuidelines for telecommunications organizations
ISO/IEC 27031:2011ISO/IEC 27031:2011 Guidelines for business continuityGuidelines for business continuity
ISO/IEC 27033-1:2009ISO/IEC 27033-1:2009 Network security, overview and conceptsNetwork security, overview and concepts
ISO/IEC 27033-3:2010ISO/IEC 27033-3:2010 Network security, networking scenariosNetwork security, networking scenarios
ISO 27799:2008ISO 27799:2008 Information security management in healthInformation security management in health
Published (12)

21. 21
Standards under ISO 27000 seriesStandards under ISO 27000 series
ISO/IEC 27007ISO/IEC 27007 for auditing ISMSfor auditing ISMS
ISO/IEC TR 27008ISO/IEC TR 27008 for auditing of information security controlsfor auditing of information security controls
ISO/IEC 27010ISO/IEC 27010 for inter-sector/organizational communicationsfor inter-sector/organizational communications
ISO/IEC 27013ISO/IEC 27013 for integrated implementation of 20000-1 & 27001for integrated implementation of 20000-1 & 27001
ISO/IEC 27014ISO/IEC 27014 for information security governancefor information security governance
ISO/IEC 27015ISO/IEC 27015 for financial services industryfor financial services industry
ISO/IEC TR 27016ISO/IEC TR 27016 for economics of ISMSfor economics of ISMS
ISO/IEC 27032ISO/IEC 27032 for cyber securityfor cyber security
ISO/IEC 27033 pt 2ISO/IEC 27033 pt 2 for network securityfor network security
ISO/IEC 27034ISO/IEC 27034 for application securityfor application security
ISO/IEC 27035ISO/IEC 27035 for information security incident managementfor information security incident management
ISO/IEC 27036ISO/IEC 27036 for security of supplier relationshipsfor security of supplier relationships
ISO/IEC 27037ISO/IEC 27037 for digital evidencefor digital evidence
ISO/IEC 27038ISO/IEC 27038 for digital redactionfor digital redaction
ISO/IEC 27040ISO/IEC 27040 for storage securityfor storage security
Under preparation (15)

22. 22
Basic premise of ISO 27001Basic premise of ISO 27001
Information is always a critical asset of an organization
(like any other business asset), and so,
…. it needs to be suitably protected
Information lies stored in many forms
• Digital form (eg, data files stored on electronic or optical media),
• Material form (eg, on paper),
• Knowledge form (eg, with employees in unrepresented/personal manner)
Information gets transmitted by various means
courier, electronic, verbal communication
Information always needs appropriate protectionInformation always needs appropriate protection
- in whatever form it is, orin whatever form it is, or
- by whatever means it is transmittedby whatever means it is transmitted

23. 23
Basic premise of ISO 27001Basic premise of ISO 27001
Organizations are always exposed to security risks ofOrganizations are always exposed to security risks of
their information systems fromtheir information systems from ...
 Physical threats
 Human threats
 Technology threats
(sabotages, frauds, espionages, vandalisms, natural calamities, etc)(sabotages, frauds, espionages, vandalisms, natural calamities, etc)
Damage to information systems & networks haveDamage to information systems & networks have
become more common, more ambitious, andbecome more common, more ambitious, and
increasingly sophisticated … throughincreasingly sophisticated … through
• Malicious codes
• Computer hacking
• Denial of services / attacks

24. 24
Security of ‘Information Asset’ means its ..Security of ‘Information Asset’ means its ..
 ConfidentialityConfidentiality (ie, only authorized persons can access it)
 IntegrityIntegrity (ie, its accuracy, completeness, and reliability are safeguarded)
 AvailabilityAvailability (ie, authorized users have quick access to it when required)
Basic Approach of ISO 27001Basic Approach of ISO 27001
Assess actual risk to each Information Asset in terms of ..Assess actual risk to each Information Asset in terms of ..
 Vulnerability of securityVulnerability of security
(ie, ineffectiveness of present security arrangements towards the above losses)
 Probability of lossProbability of loss
(ie, the probability of failure of present security arrangements)
 Replacement valueReplacement value
(ie, the money and time cost for recreating the Asset if it is lost)
 Business impact of the LossBusiness impact of the Loss
(ie, the effect on organization’s business if the Information Asset leaks out)

25. 25
Depending upon the evaluated risk of everyDepending upon the evaluated risk of every
Information Asset, manage its security by ..Information Asset, manage its security by ..
Basic Approach of ISO 27001Basic Approach of ISO 27001
 Avoiding the use of risky assetAvoiding the use of risky asset
 Knowingly accepting the riskKnowingly accepting the risk
 Applying operational controls to eliminate riskApplying operational controls to eliminate risk
 Transferring the risk to another partyTransferring the risk to another party
(like insurer, supplier, service-provider)
 Adding infrastructure to control the riskAdding infrastructure to control the risk

26. 26
ISO 27001 - The Implementation
Standardized
ISMS Elements
(ISO 27001)
Intentions & Directions (Policy)
Statement of Applicability
STRATEGY (What ? Who ?)
SPECIFIED WAY (How ?)
INSTRUCTIONS (By what means ?)
RECORDS
[Proofs of Achievements]

27. 27
ISO 27001ISO 27001 has been developed as compatible with
other Standardized Management Systems
So, Integrated systems are most effectiveSo, Integrated systems are most effective
… and a necessity
…. To enable organizations to integrate
their Information Securitytheir Information Security
into their other management systems

28. 28
Correspondence of RequirementsCorrespondence of Requirements
ISO 9001:2008 ISO/IEC 27001:2005
4 QUALITY MANAGEMENT
SYSTEM (Title)
4 INFO. SECURITY MGMT.
SYSTEM (Title)
4.1 General Requirements, para 1,3
4.1 General Requirements
4.2.1.a & i Establish the ISMS
4.1 General Requirements, para 2,4 4.2.1.c-h Establish the ISMS
(None)
4.2.1.j Establish the ISMS
4.2.2 Implement & Operate the
ISMS
4.2 Doc. Requirements (Title) 4.3 Doc. Requirements (Title)
4.2.1 General 4.3.1 General
4.2.2 Quality Manual (None)
4.2.3 Control of Documents 4.3.2 Control of Documents
4.2.4 Control of Records 4.3.3 Control of Records

29. 29
Correspondence of RequirementsCorrespondence of Requirements
5 MGMT. RESPONSIBILITY
(Title)
5 MGMT. RESPONSIBILITY
(Title)
5.1 Management Commitment 5.1 Mgmt. Commitment
5.2 Customer Focus (None)
5.3 Quality Policy 4.2.1.b Establish the ISMS
5.4 Planning (Title)
(None)
5.4.1 Quality Objectives
5.4.2 Quality Mgmt System
Planning
(None)
5.5 Resp., Authority &
Communication (Title)
5.5.1 Resp. & Authority
5.5.2 Mgmt. Representative
5.5.3 Internal Communi.
5.6 Management Review (Total) 7 Management Review (Total)

30. 30
Correspondence of RequirementsCorrespondence of Requirements
6 RESOURCE MGMT (Title) 5.2 RESOURCE MGMT (Title)
6.1 Provision of Resources 5.2.1 Provision of Resources
6.2 Human Resources (Title) (None)
6.2.1 General
5.2.2 Training, awareness &
Competence (para 1)
6.2.2 Competence, training &
Awareness
5.2.2 Training, awareness &
Competence (para 2)
6.3 Infrastructure
(None)
6.4 Work Environment

31. 31
Correspondence of RequirementsCorrespondence of Requirements
7 PRODUCT
REALIZATION (7.1 to
7.2)
(None)
7.3 Design and Develop.
(Total)
7.4.1 Purchasing Process
7.4.2 to 7.5
7.6 Control of Moni. & Meas.
Equip

32. 32
Correspondence of RequirementsCorrespondence of Requirements
8 MEAS., ANALY & IMP. (Title) 8 ISMS IMPROVE. (Title)
8.1 General (None)
(None) 4.2.2.d Impl. & Oper. ISMS
8.2 Monitoring & Measurement (Title)
(None)
8.2.1 Customer Satisfaction
8.2.2 Internal Audit 6 Internal ISMS Audits
8.2.3 Moni. & Meas. of Processes 4.2.3 Monitor & Review ISMS
8.2.4 Monit. & Meas. of Product
(None)
8.3 Control of NC Product
8.4 Analysis of Data
8.5 Improvement (Title)
8.5.1 Continual Improve.
4.2.4 Maintain & Improve ISMS
8.1 Continual Improve.
8.5.2 Corrective Action 8.2 Corrective Action
8.5.3 Preventive Action 8.3 Preventive Action

33. 33
Thanks