O-ISM3 vs ISO27001


Published in: Technology

Slide 1: What is broken with ISO27001 and how to fix it using

Slide 2: Security Standards
Management:
- ISM3
- Standard of Good Practice for Information Security from ISF.
- ISO 27001.
- Cobit by ISACA.
- IT Baseline Protection by BSI.
Risk Management:
- Magerit by Ministerio de Administraciones Públicas (Spain).
- OCTAVE by Software Engineering Institute.
- Many others.
Products and Systems Engineering:
- SSE-CMM (ISO/IEC 21827:2002)
- ISO15408 Common Criteria

Slide 3: ISMS Certification
- Why do companies go for ISMS certification?
- The main reason is that they want to show they are serious about information security.
- This doesn't necessarily mean that they are serious about information security.

Slide 4: ISMS Certification
- What is certification good for?
- It is a driver for the implementation of better ISM practices.

Slide 5: ISMS Certification - Trust
- Establishing trust relationships.

Slide 6: ISMS Certification - Trust
- A way to evidence the organization's stance on security;
- A part of a contract to ensure commitment by one of the parties to security management;
- A selling point for vendors;
- A possible requirement for outsourcing providers;
- A mechanism to ensure mutual understanding of the services obtained from a security outsourcing provider.

Slide 7: ISMS Certification - Trust
- Trust relationships with third parties, like partners, customers and suppliers.

Slide 8: ISMS Certification - Challenges
Challenges (1/3):
- Certification doesn't guarantee performance. Performance depends on the budget, the capability and the commitment of those involved in running it.
- Certification only guarantees that the cause of faults is not poor process design.
- Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders.

Slides 9-13: ISMS Certification - Challenges (one phrase per slide, building a single argument)
Specification. Different implementations. If you get the same certificate for different implementations, the market reputation you will get is that of the worst implementation.

Slide 14: ISMS Certification - Challenges
Challenges (2/3):
- Some threats fall out of the scope of information security:
  - Human error;
  - Incompetence;
  - Fraud;
  - Corruption.

Slide 15: ISMS Certification - Challenges

Slide 16: ISMS Certification - Challenges
Challenges (3/3):
- Certification alone doesn't take capability levels beyond "Managed":
  - Undefined. The process might be used, but it is not defined.
  - Defined. The process is documented and used.
  - Managed. The process is Defined and the results of the process are used to fix and improve the process.
  - Controlled. The process is Managed, and milestones and the need for resources are accurately predicted.
  - Optimized. The process is Controlled and improvement leads to a saving in resources.

Slide 17: ISMS Certification - Summary
- Certification doesn't guarantee performance.
- Bad performers damage the reputation of all certificate holders.

Slide 18: Traditional approach to security
"We want to prevent attacks from succeeding." With this approach, to be secure means to be invulnerable. An incident is any loss of confidentiality, integrity or availability. You look at a piece of data and think: is it confidential, has it got integrity, is it available?

Slide 19: ISM3 Approach
"We want to guarantee that our business goals are met." With this approach, to be secure means to be reliable, despite attacks, accidents and errors. An incident is a failure to meet a security objective resulting from accidents, errors or attacks. Using ISM3 you look at a piece of data and think: what properties of this data must be protected for it to have business value?

Slide 20: Comparison
Traditional: The Invoicing Database. Confidentiality is HIGH, Availability is HIGH, Integrity is MEDIUM.
ISM3:
- Invoices should be accessible to the Accountancy department and the Collection department only.
- Paid invoices are to be kept for 3 years and destroyed after no more than four years.
- The system has to register the user account and the date and time of invoice creation.
- The system needs to be available 9 to 5 Monday to Friday, with no more than 5 interruptions per week, with a duration of no more than one hour in total, and causing no more than 15 invoices to be re-entered.
- There must be fewer than 5 errors per hundred invoices.
- More than 99.8% of products served must be invoiced.
- The system is a third party application whose license must be kept current.
- The invoicing system keeps personal information; according to the law the database must be registered at the Data Protection agency.
- The system must not be visible to systems from outside the company or have any remote access.
- The system must be kept in the Data Center under controlled environmental conditions and company safeguards against fire, flood, etc.
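The point of the ISM3 column on slide 20 is that every objective is phrased so that it can be measured. The following added example (not part of the deck, and not code from the ISM3 standard or its authors) turns the invoicing-system objectives into checks over a week of constructed interruption records and invoice counts. It assumes one reading of the availability target: an interruption only counts if it overlaps the 9-to-5 Monday-to-Friday window, outage minutes are only those inside that window, and invoices re-entered are counted for every outage. The `Interruption` record and the sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Business hours of the invoicing system, as stated on the slide: 9 to 5, Monday to Friday.
BUSINESS_OPEN = time(9, 0)
BUSINESS_CLOSE = time(17, 0)


@dataclass
class Interruption:
    """Hypothetical outage record (constructed for this example)."""
    start: datetime
    end: datetime
    invoices_reentered: int  # invoices that had to be typed in again after the outage


def business_minutes(start: datetime, end: datetime) -> float:
    """Minutes of the interval [start, end) that fall inside business hours.
    An outage at 2 a.m. or on a Saturday costs no business minutes, because the
    objective is availability 9 to 5 Monday to Friday, not 24x7."""
    total = 0.0
    day = start.date()
    while day <= end.date():
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            window_start = datetime.combine(day, BUSINESS_OPEN)
            window_end = datetime.combine(day, BUSINESS_CLOSE)
            overlap_start = max(start, window_start)
            overlap_end = min(end, window_end)
            if overlap_end > overlap_start:
                total += (overlap_end - overlap_start).total_seconds() / 60
        day += timedelta(days=1)
    return total


def weekly_availability(interruptions):
    """The three measurements behind the slide's availability target: interruptions
    that touched business hours, business minutes lost, and invoices re-entered
    (counted for every outage, since lost data is lost whenever it happens)."""
    in_hours = [i for i in interruptions if business_minutes(i.start, i.end) > 0]
    return {
        "interruptions": len(in_hours),
        "minutes_lost": sum(business_minutes(i.start, i.end) for i in in_hours),
        "invoices_reentered": sum(i.invoices_reentered for i in interruptions),
    }


def evaluate_invoicing_targets(interruptions, invoice_errors: int,
                               invoices_issued: int, products_served: int):
    """One key per measurable target on the slide; the value is True when it is met.
    Ratios are compared as integers so that 99.8% does not suffer float rounding."""
    a = weekly_availability(interruptions)
    return {
        "interruptions_ok": a["interruptions"] <= 5,                     # no more than 5 per week
        "duration_ok": a["minutes_lost"] <= 60,                          # no more than one hour in total
        "reentry_ok": a["invoices_reentered"] <= 15,                     # no more than 15 invoices re-entered
        "error_rate_ok": invoice_errors * 100 < 5 * invoices_issued,     # fewer than 5 errors per hundred
        "coverage_ok": invoices_issued * 1000 > 998 * products_served,   # more than 99.8% of products invoiced
    }


# Constructed sample week (Mon 2024-03-11 to Sun 2024-03-17); not real outage data.
SAMPLE_WEEK = [
    Interruption(datetime(2024, 3, 11, 10, 0), datetime(2024, 3, 11, 10, 20), 3),   # Mon, 20 min
    Interruption(datetime(2024, 3, 12, 16, 50), datetime(2024, 3, 12, 17, 30), 2),  # Tue, only 10 min before closing count
    Interruption(datetime(2024, 3, 13, 2, 0), datetime(2024, 3, 13, 3, 0), 0),      # Wed night, out of hours
    Interruption(datetime(2024, 3, 14, 12, 0), datetime(2024, 3, 14, 12, 15), 4),   # Thu, 15 min
    Interruption(datetime(2024, 3, 16, 11, 0), datetime(2024, 3, 16, 12, 0), 0),    # Sat, out of hours
]
# One additional long Friday-morning outage that breaks the duration and re-entry targets.
BIG_OUTAGE = Interruption(datetime(2024, 3, 15, 9, 0), datetime(2024, 3, 15, 10, 30), 20)

if __name__ == "__main__":
    print(evaluate_invoicing_targets(SAMPLE_WEEK, invoice_errors=3, invoices_issued=999, products_served=1000))
    print(evaluate_invoicing_targets(SAMPLE_WEEK + [BIG_OUTAGE], 3, 999, 1000))
```

With the sample week alone every target is met (3 counted interruptions, 45 business minutes lost, 9 invoices re-entered); adding the Friday outage keeps the interruption count within target but fails the duration and re-entry targets, which is exactly the kind of distinction the traditional "Availability: HIGH" label cannot express.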
Slide 21: ISM3 Business Focus (diagram labels)
Business Goals; Security Goals; Quality Goals.

Slide 22: ISM3 Business Focus (diagram labels)
Security Goals; Business Needs and Limitations; Compliance Needs and Limitations; Technical Needs and Limitations; Business Goals; Security Goals; Quality Goals.

Slide 23: ISM3 Business Focus
- Business Goals are fundamental to the existence of an organization. Resilience depends on security objectives.
- Security Objectives are derived from business, compliance and technical needs and limitations. These are the goals of the ISM.
- Security Targets measure the achievement of security objectives in business terms.

Slide 24: ISM3 - What needs protection?
- Business Objectives examples:
  - Paying taxes in time;
  - Invoice all products and services provided;
  - Keep any records needed to pass successfully any audit, like a tax audit or a software licenses audit.
- Security Objectives.
- Security Targets.

Slide 25: ISM3 - What protection is needed?
- Business Objectives.
- Security Objectives examples:
  - Business needs and limitations: "Secrets should be accessible to authorized users only"
  - Compliance needs and limitations: "Repositories with Personal information have to be registered with the Data Protection agency"
  - Technical needs and limitations: "Systems are as free of weaknesses as possible"
- Security Targets.

Slide 26: ISM3 - Is protection successful?
- Business Objectives.
- Security Objectives.
- Security Targets examples:
  - Business targets: "Less than 2 secrets revealed every year, accounting for less than 0.1% of the value of the company"
  - Compliance targets: "Fewer than one incident every two years where a Repository is not registered"
  - Technical targets: "Medium update level in the DMZ environment below 3 days"

Slide 27: ISM3 - Continuous Improvement
What you can't measure you can't manage. What you can't manage you can't improve. ISM3 uses PDCA per process and metrics for continuous improvement.

Slide 28: ISM3 - Continuous Improvement
Security Targets. Process Management Metrics:
- Activity.
- Coverage.
- Update.
- Availability.

Slide 29: ISM3 & ISO27001
- ISM3 can be used for a better ISO27001 implementation, or alone.
- Example for patching of critical systems. ISO27001 control 12.5.2, Technical review of applications after operating system changes: "When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security."

Slide 30: ISM3 Guidance on Patching of Systems
Process: OSP-5 Environment Patching
Description: This process covers the on-going update of services to prevent incidents related to known weaknesses.
Rationale: Patching prevents incidents arising from the exploitation of known weaknesses in services.
Documentation: OSP-051 Services Update Level Report Template; OSP-052 Services Patching Management Procedure.
Inputs: Inventory of Assets; Alerts and Fixes Report.
Work Products: Up-to-date services in every environment; Services Update Level Report.
Activity: Number of Work Products submitted; number of patching updates in information systems.
Scope: Percentage of information systems covered by the process.
Update: Time since last Work Products submission; mean time between Work Products submissions; update level, calculated as follows:
  1. Every information system's update level is equal to the sum of the number of days old of all the security patches pending to apply.
  2. The environment update level is equal to the sum of the individual update levels, divided by the number of information systems.
  The lower this metric, the better. This metric allows checking of the progress of the patching process, and comparison of the update level of different environments.
Availability: Percentage of time the patching systems are available.

Slide 31: ISM3 Guidance (Explained)
The same OSP-5 Environment Patching table as slide 30, annotated with the role of each row: ID (Process), WHAT (Description), WHY (Rationale), DOCUMENTS (Documentation), INPUTS (Inputs), RESULTS (Work Products), METRICS (Activity, Scope, Update, Availability).
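The two-step "update level" metric on slides 30 and 31 is concrete enough to compute, and slide 26 uses it as a technical security target ("update level in the DMZ environment below 3 days"). The following added example is not code from the deck or from the ISM3 standard; it implements the metric as the slide defines it over a constructed inventory of systems and pending patches. The `InformationSystem` and `PendingPatch` records, the environment names and the report layout are assumptions made for the example (the deck only names the OSP-051 report template, not its contents).

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PendingPatch:
    """A security patch that is available but not yet applied (constructed record)."""
    patch_id: str          # hypothetical identifier, e.g. a vendor bulletin number
    available_since: date  # the day the patch became available and thus started ageing


@dataclass
class InformationSystem:
    """One system in the Inventory of Assets (constructed record)."""
    name: str
    environment: str
    pending: list = field(default_factory=list)


def system_update_level(system: InformationSystem, today: date) -> int:
    """Step 1 of the OSP-5 update level: the sum, in days, of how old every security
    patch still pending on this system is. A system with nothing pending scores 0,
    the best possible value; one long-overdue patch dominates the score by design."""
    return sum((today - p.available_since).days for p in system.pending)


def environment_update_level(systems, environment: str, today: date) -> float:
    """Step 2: the sum of the individual update levels of the systems in the
    environment, divided by the number of those systems. Fully patched systems
    still count in the denominator, which is what pulls the figure down as the
    patching process makes progress."""
    members = [s for s in systems if s.environment == environment]
    if not members:
        raise ValueError(f"no information systems in environment {environment!r}")
    return sum(system_update_level(s, today) for s in members) / len(members)


def update_level_report(systems, today: date):
    """Services Update Level Report (layout assumed): one (environment, update level)
    pair per environment, lowest (best) first, so environments can be compared as
    the slide suggests."""
    environments = sorted({s.environment for s in systems})
    rows = [(env, environment_update_level(systems, env, today)) for env in environments]
    return sorted(rows, key=lambda row: row[1])


def meets_update_target(systems, environment: str, today: date, max_days: float) -> bool:
    """A technical target of the form 'update level in <environment> below <max_days> days'."""
    return environment_update_level(systems, environment, today) < max_days


# Constructed sample inventory: the report is being produced on 2024-03-15.
TODAY = date(2024, 3, 15)
SAMPLE_SYSTEMS = [
    InformationSystem("web-1", "DMZ", [PendingPatch("P-A", date(2024, 3, 13)),     # 2 days old
                                       PendingPatch("P-B", date(2024, 3, 10))]),   # 5 days old
    InformationSystem("web-2", "DMZ", []),                                         # fully patched
    InformationSystem("mail-1", "DMZ", [PendingPatch("P-C", date(2024, 3, 14))]),  # 1 day old
    InformationSystem("db-1", "internal", [PendingPatch("P-D", date(2024, 2, 1))]),   # 43 days old
    InformationSystem("app-1", "internal", [PendingPatch("P-E", date(2024, 3, 1)),    # 14 days old
                                            PendingPatch("P-F", date(2024, 3, 5))]),  # 10 days old
]

if __name__ == "__main__":
    for env, level in update_level_report(SAMPLE_SYSTEMS, TODAY):
        print(f"{env:10s} update level = {level:6.2f} days")
    print("DMZ target (below 3 days) met:", meets_update_target(SAMPLE_SYSTEMS, "DMZ", TODAY, 3))
```

On this inventory the DMZ scores (7 + 0 + 1) / 3, about 2.67 days, and meets the 3-day target from slide 26, while the internal environment scores 33.5 days, almost entirely because of the single 43-day-old patch on db-1. Because the metric sums patch ages rather than counting patches, it tracks progress over time and comparisons between environments well, but an absolute value says little without knowing how many systems and patches are behind it.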
Slide 32: ISM3 compared to ISO27001
- Maturity Levels: ISM3 has five; ISO27001 has none.
- Organizational Model (ISM3): Process owner; Customer; Roles; Responsibilities; TPSRSR.
- Processes (ISM3): Management / Not Management.
- Link between Business Goals and Information Security:
  - ISM3: Information qualities (Access Control, Durability, Quality, Priority, Compliance, Technical); Security Objectives (Attacks, Errors, Accidents); Security Targets; Incident: breach of a security objective.
  - ISO27001: Information qualities (Confidentiality, Availability, Integrity); Attacks; Incident: breach of CIA.

Slide 33: ISM3 compared to ISO27001
- Security Processes Selection:
  - ISM3: suited to Security Objectives and Targets. Types of assessment: Threat Assessment; Vulnerability Assessment; Business Impact Analysis; Risk Assessment; ROSI Analysis.
  - ISO27001: controls not adopted have to be justified for successful accreditation. Risk Assessment.
- Success criteria: ISM3 yes; ISO27001 no.
- Paradigm: ISM3 process based; ISO27001 controls based.
- Use of PDCA: ISM3 on a per-process basis; ISO27001 on a whole-ISMS basis.
- Improvement Cycle: ISM3 continuous, using metrics; ISO27001 discrete, with long Audit / Risk Assessment cycles.
- Outsourcing: ISM3 metrics can be used to create SLAs, KGIs and KPIs; ISO27001 no support.
- Approach: ISM3 top-down; ISO27001 bottom-up.

Slide 34: ISM3 compared to ISO27001
- Goal: ISM3 achievable security / maximize ROSI, rationale specified per process; ISO27001 absolute security / invulnerability, rationale not specified.
- Inputs: ISM3 yes; ISO27001 no.
- Outputs: ISM3 yes; ISO27001 no.
- Metrics: ISM3 Security Targets, Scope, Availability, Activity, Update; ISO27001 no.
- Accreditable: ISM3 yes, ISO9001 and ISO27001 compatible (levels 4 and 5); ISO27001 yes.
- Distribution of responsibilities: ISM3 Strategic, Tactical, Operational, with a process owner example; ISO27001 no.
- References: ISM3 rich in references to best practices; ISO27001 none.

Slide 35: ISM3 compared to ISO27001
1. Incidents happen, ISO27001 or no ISO27001.
2. Security is a negative result (no incidents equals security).
3. But if just one incident happening meant the ISMS had failed, then all ISO27001 implementations would be failures.
4. How can you tell a successful ISO27001 from a failed one? Can that depend on a single incident? How many incidents are too many?
5. How can you improve an ISMS cost-effectively if you don't know when good is good enough?

Slide 36: ISM3 Flexibility
- ISM3 is adaptable to organizations with different missions and contexts.
- ISM3 is adaptable to organizations with different resources.
- Security investment is driven by business need.
- Some organizations may not have a huge budget for information security (20 / 80 rule).
- Maturity levels describe different levels of sophistication of ISM systems.
- Organizations can identify appropriate processes, choose a level suitable for them, and show implementation progress.

Slide 37: ISM3 Maturity Levels (chart)
Security Investment & Risk across Level 0 to Level 5. Series: Security Investment; Risk; Risk Reduction / Extra Security Investment. (Qualitative graphic; Risk Reduction / Extra Security Investment scaled x40 for readability.)

Slide 38: ISM3 Maturity Levels (examples)
- ISM3 Level 1: significant risk reduction from technical threats, for a minimum investment in essential ISM processes. For organizations with low Information Security Targets in low-risk environments.
- ISM3 Level 3: highest risk reduction from technical threats, for a significant investment in information security processes. For organizations with high Information Security Targets in normal or high-risk environments.
- ISM3 Level 5: highest risk reduction from technical and internal threats, for a high and optimized investment in information security processes. For organizations affected by specific requirements (such as utilities and financial institutions) with high Information Security Targets in normal or high-risk environments.

Slide 39: Reporting - Responsibilities Distribution (diagram labels)
Strategic Managers; Tactical Managers; Operational Managers; Stakeholders; Report; Report; Report.

Slide 40: Responsibilities Distribution
- Strategic Practices: deal with broad goals, coordination and provision of resources;
- Tactical Practices: deal with the design and implementation of the ISM system, specific goals and management of resources;
- Operational Practices: deal with achieving defined goals by means of technical processes.

Slide 41: Responsibilities Distribution (diagram labels)
Strategic Practices; Tactical Practices; Operational Practices; Generic Practices. Specific Goals (one set per practice group); Generic Goals. Direct and Provide; Implement and Optimize; Support.

Slide 42: Advantages of ISM3
- Maturity Levels make it easier to prioritize and optimize investment in information security.
- ISO9001 compatible certifications.
- Some companies can't make big investments. It is well known that 20% of investment can give 80% of the results, but there is no way to show this. ISM3 levels 1 to 3 can help here.
- It scales to small and big organizations.
- The use of separate processes in every environment prevents using procedures meant for restrictive environments all over the organization.

Slide 43: Advantages of ISM3
- It explicitly supports the outsourcing of security management and operations processes. The results for each process are defined, and the responsibilities to perform each process are defined too.
- It provides metrics that help to manage the processes, measure success and improve the ISM system.
- It is possible to achieve capability levels beyond Managed.
- It provides Information Security Governance guidance.

Slide 44: Summary
- Business focused
- Manageable (with metrics)
- Compatible (ITIL, ISO27001, ISO9001, CobIT)
- Adaptable
- Flexible
- Open standard, readily available
- Rich in implementation guidance

Slide 45: Information Security that makes Business Sense
inovement.es/oism3
Web: www.inovement.es
Video Blog: youtube.com/user/vaceituno
Blog: ism3.com
Twitter: twitter.com/vaceituno
Presentations: slideshare.net/vaceituno/presentations
Articles: slideshare.net/vaceituno/documents

Slide 46: ISMS Certification
You can check the information security management methodology ISM3 at: www.ISM3.com
THANKS