Overview of ISO 27K

ISO 27001 is an information security management standard that specifies requirements for establishing, implementing, maintaining and continually improving an information security management system. The standard contains best practices for information security controls covering aspects like risk management, security policies, asset classification, personnel security, physical and environmental security, operations management and more. Compliance with ISO 27001 helps organizations secure confidential information and ensure business continuity, while meeting contractual and legal obligations.

Uploaded by Suhas Agawane
Copyright: Attribution Non-Commercial (BY-NC)

Overview of ISO 27001, an Information Security Management Standard
2010 April 3
Tags: ISO, ISO 14001, ISO 27001, ISO 27001 Consultant, ISO 27001 Documentation, ISO 9001, ISO certificate, ISO Consultancy, ISO Services, ISO Training
Posted by sales

Overview of ISO 27001:

- Security management standard (security + availability): secure business.
- Key controls differ from industry to industry.
- Importance of an ISMS, i.e. what is at stake:
  - Loss of reputation
  - Business continuity
  - Loss of data needed for process continuity
  - Customer-specific requirements: contractual obligations
  - Regulatory drivers, e.g. HIPAA (Health Insurance Portability and Accountability Act), whose Security Rule has been mandatory for covered entities since April 2005
  - Productivity loss
- PDCA (Plan-Do-Check-Act) model.
- Takes care of Confidentiality, Integrity and Availability (CIA) for all information assets: the right information available to the right people at the right time.
- BS 7799 Part 2:2002: the certifiable standard.
- Guideline document: ISO/IEC 17799:2000 (BS 7799 Part 1), further revised in 2005.
- History: an initiative of the UK Department of Trade and Industry in 1995 (Part 1); Part 2 released in 1998; in 1999 the Swedish standard SS 62 7799 Parts 1 and 2 and a new issue of BS 7799 Parts 1 and 2; in December 2000 ISO/IEC 17799:2000 released; in 2001 a new BS 7799 Part 2 drafted and accepted in September 2002.
- Structure of the standard: four mandatory requirement sections (4 to 7) plus Annexure A (possible controls).
- Section 4: ISMS. Develop, implement and maintain the ISMS and continually improve it in the context of the organization's business requirements and risks.
- Section 5: Management responsibility.
- Section 6: Management review (MRM, management review meeting).
- Section 7: ISMS improvement (continual improvement).
- Annexure A: management controls.
  - A.3 Information security policy
  - A.4 Organizational security: the activities to be done at organization level to manage security, e.g. contractual requirements
  - A.5 Asset classification and control
  - A.6 Personnel security, i.e. security from the personnel (the post cites 53% of frauds as committed by insiders)
  - A.7 Physical and environmental security
  - A.11 Business continuity management
  - A.12 Compliance

Note that the section and Annexure A numbering used throughout this post is that of BS 7799-2:2002 and ISO/IEC 17799:2000. ISO/IEC 27001:2005, which replaced BS 7799-2 in October 2005, renumbered the Annexure A controls as A.5 to A.15, and ISO/IEC 17799 was renumbered ISO/IEC 27002 in 2007; map the identifiers below accordingly when working with the ISO editions.

Technical Requirements

- A.8 Communications and operations management: focuses on the basic infrastructure.
- A.9 Access control: logical access only (user, network, operating system and application access); physical access is covered under A.7.
- A.10 Systems development and maintenance: focuses on software development.

Total: 36 control objectives and 127 controls. No control is mandatory in itself: controls are selected on the basis of the risk assessment, and a justification must be provided for every control excluded.

- Basic focus of an ISMS: predictability and repeatability.
- Procedural security and technical (product) security.
- Preventive controls, e.g. a firewall; detective controls, e.g. an IDS.
- All assets impacting CIA are termed information assets.
- Users are all those having access to information assets.
- Section 7, continual improvement: corrective action and preventive action.
- Implications for the IS organization: management, employees, customers/users, shareholders, company culture, ownership, legislation.

Success of ISMS depends on:

- Policies, objectives and activities matching business needs and requirements.
- Developing the ISMS in line with the existing organizational culture.
- Change management.
- Preventive controls rather than detective controls.
- Awareness.
- Commitment from management.
- Identifying the information assets impacting CIA.
- Understanding of security and risk.
- Effective marketing of security within the organization.
- Distribution of guidelines on policy and procedures.
- Training and education.
- PDCA.

Management Commitment

- Policy
- Objectives
- Roles and responsibilities
- Communication
- Resources
- Levels of risk

Scope of ISMS:
Define the scope based on business characteristics, organizational characteristics, locations, information assets and technology.
The scope states which information assets the ISMS is deployed for: the basic focus is the identified information assets, with effective controls within defined geographical and logical boundaries.

Steps involved in establishing the ISMS:

(Figure: Steps involved in establishing the ISMS.)

Location 1 can be covered with appropriate internal access control and control of the external communication channel, based on the risk assessment.

Information Security Policy

- Management responsibility
- Management support
- Management commitment
- Management approval
- Management communication

Content to include: a definition of information security, the intent of management, a definition of responsibilities, and references to supporting documentation.

Risk Assessment Framework

- Asset valuation for each information asset within the logical and physical boundary.
- Rate each asset on a scale of severity 1 to 3 or H/M/L for each CIA property (give weightage rather than ranks). For example, confidentiality severity 3 means serious damage from disclosure of the information; the rating is the impact of the asset's information on the business with respect to each CIA factor.
- Define criteria for identification and classification of risks based on impact.
- Segregate critical information assets based on impact value and business impact.
- Identify asset owners.
- Management of risks.
- Clock synchronization, as a supporting control: keep all systems in sync, for the integrity of data and configuration management and for effective scheduling of patch updates and antivirus updates.
- What is risk assessment? The assessment of threats to information, of the impacts on and vulnerabilities of information and information processing facilities, and of the likelihood of their occurrence. Its inputs are the assets and scope, the threats, the vulnerabilities and the degree of impact on CIA.

Threat, Vulnerability and Risk

A threat is any entity (inside or outside) that can exploit a weakness (vulnerability) of a system to cause intentional or unintentional damage. The threat uses the vulnerability to cause damage, and the combination manifests as a risk (the resultant impact).
Example:
Virus attack = Threat
Antivirus not updated = Vulnerability (weakness in the system)
Loss of data, system crash (resultant impact) = Risk

Threat, Vulnerability and Risk Relationship

- Asset to threat: one-to-many relationship
- Threat to vulnerability: one-to-many relationship
- Threat and vulnerability to risk: one-to-many relationship

(Figure: Threat, vulnerability and risk relationship.)

Fundamentals of Risk Management

Threats cannot be controlled directly, and risk is only the resultant; what the organization can work on is the vulnerabilities associated with its information assets.

Types of Threats

- Technical: failure of network, poor system performance, virus attack, connectivity
- Logical: masquerading (posing as an employee), communication infiltration
- Physical: theft, wilful damage
- Environmental: power failure, earthquake

Vulnerabilities

- Technical: antivirus not updated, unprotected connections to the network
- Logical: wrong selection and use of passwords
- Human: insufficient security or user protection, inadequate knowledge
- Environmental: lack of UPS

Risk Assessment Framework Development:

Based on the probability of occurrence and the impact on business operations and financial health, legal and regulatory obligations, reputation and loss of goodwill, and personal information.

Approach:

- Asset value
- Business impact
- Probability of occurrence
- Probability of detection

Risk Index (RIN, risk index number) = (Asset Value × Business Impact × Probability of Occurrence) × Probability of Detection, where the detection factor is scored inversely: use a low value (1) where the detection rate is high, so that risks that are hard to detect score higher.

Risk management: the process of identifying, controlling and minimizing or eliminating the security risks that affect the information assets, for an acceptable cost.

(Figure: Risk management and assessment diagram.)

Risk treatment (control of vulnerabilities): controls selected and implemented to reduce the risk. Controls are preventive (reducing the probability of occurrence), detective (improving the probability of detection) or corrective, and may be physical, procedural or product based, chosen on cost and impact. A business decision is required.

1. Study the existing controls against the controls needed (gap analysis).
2. Carry out a cost-benefit analysis.
3. Prepare the Risk Treatment Plan (RTP): identify the BS 7799 control item, e.g. A.8.2.1, for each countermeasure.
4. Revisit the RIN value, i.e. the probability of occurrence and the probability of detection, based on the RTP.
5. Prepare the Statement of Applicability (SOA) based on the control items required: the controls selected based on the RTP, with visible links back to the risk assessment and the assets, the reasons for control selection and exclusion, and any additional controls selected. Controls can be physical or procedural and are further classified as preventive or detective.
6. Revisit the RTP based on changes to business requirements and priorities and on the addition of new assets, threats and vulnerabilities, and review the effectiveness of the existing controls.
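The scoring and treatment steps above, carried through in code. This is an added illustration written for this page, not the post's own tool or a BS 7799 artefact: the 1 to 3 scales, the acceptance threshold, the sample asset register, the treat() logic that steps a factor down by one per control, and the control identifiers A.8.3.1 and A.9.7.2 (illustrative; check them against your copy of Annexure A) are all assumptions.

```python
"""Risk index (RIN) and risk treatment worked through in code.

Added illustration for this page, not the post's own tool. It implements
the scoring described in the post:
    RIN = (Asset Value x Business Impact x Probability of Occurrence) x Detection
with Detection scored inversely (1 = high detection rate, 3 = low), then
revisits the RIN after preventive and detective controls as the Risk
Treatment Plan step requires. Scales, threshold, the sample register and
the control identifiers are assumptions.
"""
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH = 1, 2, 3          # rating scale used for every factor (assumed)
ACCEPTABLE_RIN = 27                  # assumed acceptance threshold (3 x 3 x 3 x 1)


@dataclass
class Asset:
    name: str
    owner: str
    value: int                       # asset value, 1..3
    cia: dict                        # impact rating per CIA property, e.g. {"C": 3, "I": 3, "A": 2}

    def business_impact(self) -> int:
        # weightage on the worst-case property: losing any one of C, I or A is the impact
        return max(self.cia.values())


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    p_occurrence: int                # 1..3
    detection: int                   # inverse: 1 = likely to be detected, 3 = unlikely
    controls: list = field(default_factory=list)

    def rin(self) -> int:
        return (self.asset.value * self.asset.business_impact()
                * self.p_occurrence) * self.detection

    def treat(self, control_id: str, kind: str, description: str) -> int:
        """Apply a control from the RTP and revisit the RIN inputs:
        preventive lowers the probability of occurrence, detective lowers
        the (inverse) detection score, corrective changes neither factor."""
        if kind == "preventive":
            self.p_occurrence = max(LOW, self.p_occurrence - 1)
        elif kind == "detective":
            self.detection = max(LOW, self.detection - 1)
        elif kind != "corrective":
            raise ValueError(f"unknown control kind: {kind}")
        self.controls.append((control_id, kind, description))
        return self.rin()


def statement_of_applicability(risks: list) -> list:
    """SOA rows carrying the visible link back to the asset and risk that
    justified each selected control."""
    rows = []
    for r in risks:
        for control_id, kind, description in r.controls:
            rows.append({
                "control": control_id,
                "kind": kind,
                "selected": True,
                "justification": (f"{description}; treats threat '{r.threat}' "
                                  f"exploiting '{r.vulnerability}' on asset "
                                  f"'{r.asset.name}' (owner: {r.asset.owner}); "
                                  f"residual RIN {r.rin()}"),
            })
    return rows


def worked_example() -> dict:
    """The post's own virus example carried through the framework (constructed data)."""
    file_server = Asset("file server", "IT manager", HIGH, {"C": HIGH, "I": HIGH, "A": MEDIUM})
    risk = Risk(file_server, "virus attack", "antivirus not updated",
                p_occurrence=HIGH, detection=HIGH)
    before = risk.rin()                                        # 3 x 3 x 3 x 3 = 81
    # Control IDs are illustrative; map them to your copy of Annexure A.
    after_preventive = risk.treat("A.8.3.1", "preventive",
                                  "scheduled antivirus signature updates")    # 3 x 3 x 2 x 3 = 54
    after_detective = risk.treat("A.9.7.2", "detective",
                                 "daily review of antivirus console alerts")  # 3 x 3 x 2 x 2 = 36
    return {"before": before,
            "after_preventive": after_preventive,
            "after_detective": after_detective,
            "acceptable": after_detective <= ACCEPTABLE_RIN,
            "soa": statement_of_applicability([risk])}


if __name__ == "__main__":
    result = worked_example()
    for key in ("before", "after_preventive", "after_detective", "acceptable"):
        print(f"{key}: {result[key]}")
    for row in result["soa"]:
        print(row["control"], row["kind"], row["justification"])
```

Running it shows the RIN falling from 81 to 54 after the preventive control and to 36 after the detective one, which is still above the assumed acceptance threshold of 27. That is exactly the case in which the RTP is revisited: add a further control, or record a business decision to accept the residual risk. Each SOA row carries the asset, owner, threat and vulnerability, so the link back to the risk assessment that the SOA must show is visible.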

Tools available for risk assessment:

- CRAMM (CCTA Risk Analysis and Management Method)
- COBRA (Consultative, Objective and Bi-functional Risk Analysis)

Process model to be implemented for the identified controls:

- Policy: based on PDCA (Plan-Do-Check-Act)
- Process: based on ETVX (Entry-Task-Verification-Exit)
- Procedure: based on SIPOC (Suppliers-Inputs-Process-Outputs-Customers)

VAPT: Vulnerability Assessment and Penetration Testing.

Information life cycle: creation, usage, storage and disposition.
Annexure A Requirements

What other parties would the organization be communicating with?

1. Local Police Station
2. Customs and Excise
3. Fire
4. Hospitals
5. Industry Association
6. Legal Advisors
7. Pollution Control Board
8. BSNL
9. VSNL
10. ISP
11. Accounting Advisor
12. Industry Specific Advisory & Regulatory Boards (STPI, AICTE, DEO)
13. EPZ
14. Banks
15. Municipality

A.4: Organizational Security

- IS forum agenda and attendees: minutes
- Job descriptions: review job definitions against actual activities
- Authorization process for information processing facilities
- List of IS advisors or sources: record of the advice given to the organization
- List of contacts, legal and other organizations: communication records with other organizations
- Documented commitment to independent reviews: audit

Security of third parties and outsourcing

- Risk assessment and management process
- Links to the selected controls in the SOA
- Third-party contacts and controls

A.5: Asset Classification and Control

- Identification of assets
- Classification of assets
- Labelling of assets

A.6: Personnel Security

- Include security aspects in job responsibilities
- Verification checks on joining
- Confidentiality agreement
- Terms and conditions of employment
- Business continuity
- Information security training and awareness: verify the training material for inclusion of all aspects
- Reporting of security incidents, security weaknesses and software malfunctions
- Lessons learned
- Disciplinary policy

What should be in the information security training program?

- Policy and objectives
- Security processes, procedures and policies
- Security incidents, weaknesses and malfunctions: identification and reporting
- Key contact information
- Resource utilization methodologies
- Social engineering

Book: The Art of Deception, Kevin Mitnick

Security Incident
An event or activity that affects the CIA of an identified information asset.
A security incident validates the perceived CIA value and the business impact captured during the initial risk assessment.

Physical and Environmental Security

Secure areas

- Identify the organization perimeter, the associated entry and exit points and the access controls available: site plan and network plan
- Securing offices, rooms and facilities: define the access controls (sample access logs, stock of cards, lost card handling)
- Isolated delivery and loading areas

Equipment Security

- Equipment siting and protection
- Power supplies
- Cabling security
- Equipment maintenance
- Security of equipment off premises
- Secure disposal or reuse of equipment
- Clear desk and clear screen policy
- Removal of equipment only with proper authorization

A.8: Communications and Operations Management

- Documented operating procedures
- Operational change control
- Incident management procedures
- Segregation of duties: identify primary and secondary responsibilities
- Separation of development and operational facilities
- External facilities management (a third party managing the operations)
- Capacity planning: infrastructure plans in sync with the business plan
- System acceptance: criteria for acceptance of new information systems, upgrades and new versions, and testing of the system prior to acceptance
- Controls against malicious software: virus control
- Backup process
- Operator logs (these are not server logs): logging of operator activities, subject to regular independent checks
- Fault logging
- Network controls
- Email, electronic office systems and internet policies
- Information exchange procedures

Business Continuity Management

- Risk analysis
- Cost-benefit analysis and prioritization
- Plan scope and escalation
- Design and development of the business continuity plan
- Implement and test

BCP

- Identification of risks
- Cost-benefit analysis
- Framework based on the types of disaster: location, city, country
- Criticality of projects
- Identify the critical projects and the associated resources and infrastructure
- Impact on Slash.
- Critical activity chart: post-disaster activities and the time required for recovery
- Testing

Access Control

- User registration and de-registration
- Allocation of privileges
- Allocation of passwords, and appropriate selection and use of passwords
- Review of access rights
- Protection of unattended equipment

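The registration, de-registration, privilege allocation and access-review items above, as the periodic reconciliation check a reviewer would actually run. This is an added example for this page, not from the post: the HR roster, the account export, the approved role-to-privilege matrix, the service-account allow-list and the finding categories are constructed sample data and assumptions.

```python
"""Periodic access-rights review as a reconciliation check.

Added example, not the post's own material. It compares a system's
account export against the HR roster and an approved role-to-privilege
matrix and reports what such a review exists to catch: accounts with no
HR record, leavers whose accounts are still enabled, privileges beyond
what the role was approved for, and current staff with no individual
account. All data below is constructed.
"""
from datetime import date

# Constructed HR roster: employee, role, and leaving date (None if current).
HR_ROSTER = [
    {"user": "asha",  "role": "developer", "left": None},
    {"user": "ravi",  "role": "operator",  "left": date(2010, 2, 28)},
    {"user": "meena", "role": "finance",   "left": None},
    {"user": "kiran", "role": "developer", "left": None},
]

# Constructed account export from one system: login, enabled flag, group memberships.
ACCOUNTS = [
    {"user": "asha",       "enabled": True, "groups": {"dev", "prod-admin"}},
    {"user": "ravi",       "enabled": True, "groups": {"ops"}},
    {"user": "meena",      "enabled": True, "groups": {"finance"}},
    {"user": "svc-backup", "enabled": True, "groups": {"backup"}},
    {"user": "tmp-vendor", "enabled": True, "groups": {"dev"}},
]

# Assumed approved privilege matrix: the groups each role may hold.
APPROVED = {
    "developer": {"dev"},
    "operator":  {"ops", "prod-admin"},
    "finance":   {"finance"},
}

# Non-personal accounts must be on an explicit list with a named owner (assumption).
SERVICE_ACCOUNTS = {"svc-backup": "ops manager"}


def review_access(roster, accounts, approved, service_accounts, today):
    """Return (user, finding, detail) tuples; an empty list means a clean review."""
    findings = []
    by_user = {r["user"]: r for r in roster}
    for acct in accounts:
        user = acct["user"]
        if user in service_accounts:
            continue                       # owned service account, reviewed with its owner
        person = by_user.get(user)
        if person is None:
            findings.append((user, "orphan", "account has no HR record"))
            continue
        if person["left"] is not None and person["left"] <= today and acct["enabled"]:
            findings.append((user, "leaver-still-enabled",
                             f"left on {person['left']}, account still enabled"))
        excess = acct["groups"] - approved.get(person["role"], set())
        if excess:
            findings.append((user, "excess-privilege",
                             f"groups {sorted(excess)} not approved for role {person['role']}"))
    # The registration side: a current employee with no individual account is a hint
    # that a shared login, or someone else's, is being used.
    seen = {a["user"] for a in accounts}
    for user, person in by_user.items():
        if person["left"] is None and user not in seen:
            findings.append((user, "no-account", "current employee has no individual account"))
    return findings


def sample_review():
    """Run the check over the constructed data as of the post's date."""
    return review_access(HR_ROSTER, ACCOUNTS, APPROVED, SERVICE_ACCOUNTS, date(2010, 4, 3))


if __name__ == "__main__":
    for user, finding, detail in sample_review():
        print(f"{finding:22} {user:12} {detail}")
```

On the constructed data the review reports four findings: asha holds prod-admin beyond the developer role, ravi left in February but the account is still enabled, tmp-vendor has no HR record, and kiran is a current employee with no account. Each is a de-registration, privilege-allocation or registration failure that a review of access rights is meant to surface; in practice the roster and account export come from HR and the system in question, and the review is signed off by the asset owner.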