A Bit About ISO Certification

The document discusses ISO certification and information security management systems (ISMS). It provides information on what ISO is, how certification works through external bodies, and the key aspects of confidentiality, integrity, and availability that an ISMS aims to protect. It also summarizes the Plan-Do-Check-Act (PDCA) cycle that ISO 27001 requires for continuous improvement in information security policies.

A bit about ISO certification

The International Organization for Standardization (ISO) is an independent, non-governmental organization whose members are the standards organizations of the 164 member countries.

It publishes international standards for process audit. The standards help businesses increase productivity while minimizing errors and waste.

ISO does not perform certification. At ISO, we develop International Standards, such as ISO 9001 and ISO 14001, but we are not involved in their certification and do not issue certificates. Certification is performed by external certification bodies, so a company or organization cannot be certified by ISO.

The certification body (CB) assesses whether the system, product or personnel fulfil the stated certification requirements. There are different kinds of assessment methods; they can include the assessment, testing or inspection of data gathered from practical operations based on documents and, in the case of personnel certification, a written or competence-based qualification.

An accreditation body (AB) is an organization that provides accreditation services: formal, third-party recognition of competence to perform specific tasks.

Information Security Management System (ISMS)

An ISMS is a systematic approach consisting of processes, technology and people that helps you protect and manage your organisation's information through effective risk management.

It enables compliance with a host of laws, and focuses on protecting three key aspects of information (the CIA triad):

1. Confidentiality (C): Ensuring that information can only be accessed by those with the proper authorization.

2. Integrity (I): Safeguarding the accuracy and completeness of information and the ways in which it is processed.

3. Availability (A): Ensuring that authorized users have access to information and associated assets when required.

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information assets of an organization include business data, employee information, research records, price lists, tender documents and many more.

ISO 27001 requires you to use a method for continuous improvement in information security policy. PDCA or Plan-Do-Check-Act is the preferred method for most information security teams.

Step 1: In the Plan phase, the business objectives are identified. Management support is obtained and the scope of the ISMS is defined. Risk analysis methods are chosen, and an appropriate inventory of assets at risk with ranked risk assessments is produced.

Step 2: The Do phase manages the risks by generating a treatment plan for the risks, by allocating budgets, training staff and by the creation of policies.

Step 3: The Check phase monitors the implementation of the security management activities, and possibly prepares for the certification of its results.

Step 4: The Act phase carries out re-assessment audits that evaluate the overall outcome of the corrective actions and initiates a new round of the cycle with corrective input, if necessary.

Process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS:

What is Risk?

Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is something that can potentially cause damage to the organization, IT systems or network.

Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

Risk = Vulnerability × Threat


Continuous Risk Assessment in a Project/Process

The objective of a risk assessment in a project is to understand the existing system and environment, and identify risks through analysis of the information/data collected. The project scope and objectives can influence the style of analysis and the types of deliverables of the enterprise security risk assessment.

Risk assessment should be done on the following factors:

• Security requirements and objectives
• Information available to the public or accessible from any web site
• Physical assets, such as hardware, including those in the data centre, network and communication components, and peripherals (e.g., desktop, laptop, PDAs)
• Operating systems, such as PC and server operating systems, and network management systems
• Data repositories, such as database management systems and files
• Network details, such as supported protocols and network services offered
• Security systems in use, such as access control mechanisms, change control, and network monitoring
• Identification and authentication mechanisms
• Test data and its protection mechanism
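The Plan phase above asks for an inventory of assets at risk with ranked risk assessments, and the risk slide gives the scoring rule Risk = Vulnerability × Threat. The following Python script is an added illustration, not code from the presentation or from Abzooba: it applies that formula to a constructed register whose categories are taken from the factor list above, ranks the entries, and maps each score to a treatment decision for the Do phase. The asset names, threats, vulnerabilities, the 1-5 scales and the treatment thresholds are all assumptions made for the example.

```python
"""Ranked risk register for the Plan phase of the PDCA cycle.

Added illustration, not part of the original presentation. It applies the
presentation's own formula, Risk = Vulnerability x Threat, to a constructed
inventory of assets drawn from the risk assessment factors listed above and
returns the ranked list of assets at risk that the Plan phase calls for.
Asset names, threats, vulnerabilities, the 1-5 scales and the treatment
thresholds are all assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed ordinal scale (1 = lowest, 5 = highest). ISO 27001 does not
# prescribe a scale; the organisation chooses one and documents it.
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed treatment thresholds on the 1-25 product range.
TREAT_NOW_AT = 15
PLAN_TREATMENT_AT = 8


@dataclass(frozen=True)
class AssetRisk:
    asset: str           # what is at risk (an entry in the asset inventory)
    category: str        # which risk assessment factor it falls under
    threat: str          # what could exploit the weakness
    threat_level: int    # likelihood/capability of the threat, 1-5
    vulnerability: str   # the weakness or gap
    vuln_level: int      # severity/ease of exploitation, 1-5

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so a typo cannot silently
        # distort the ranking.
        for name in ("threat_level", "vuln_level"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside {SCALE_MIN}-{SCALE_MAX}")

    def risk_score(self) -> int:
        # The presentation's formula: Risk = Vulnerability x Threat
        return self.vuln_level * self.threat_level


def treatment_band(score: int) -> str:
    """Map a risk score to a treatment decision (assumed bands)."""
    if score >= TREAT_NOW_AT:
        return "treat immediately"
    if score >= PLAN_TREATMENT_AT:
        return "plan treatment"
    return "accept and monitor"


def rank_risks(register: List[AssetRisk]) -> List[Tuple[int, AssetRisk]]:
    """Return (score, entry) pairs, highest risk first; ties keep input order."""
    return sorted(((r.risk_score(), r) for r in register), key=lambda pair: -pair[0])


def ranked_asset_names(register: List[AssetRisk]) -> List[str]:
    """Asset names in ranked order, handy for a one-line summary."""
    return [entry.asset for _, entry in rank_risks(register)]


# Constructed sample register; categories follow the factor list above.
SAMPLE_REGISTER = [
    AssetRisk("Customer database", "Data repositories", "Credential theft", 4,
              "Shared DBA password", 5),
    AssetRisk("Public website", "Information available to the public", "Defacement", 3,
              "Unpatched CMS", 4),
    AssetRisk("Office laptops", "Physical assets", "Theft", 3,
              "Disk not encrypted", 4),
    AssetRisk("Test data copy", "Test data", "Unauthorised access", 2,
              "Unmasked production data in test", 5),
    AssetRisk("Build server", "Operating systems", "Malware", 2,
              "Missing OS patches", 2),
]


if __name__ == "__main__":
    for score, entry in rank_risks(SAMPLE_REGISTER):
        print(f"{score:>3}  {treatment_band(score):<18}  {entry.asset} "
              f"[{entry.category}]: {entry.threat} via {entry.vulnerability}")
```

The scale check in `__post_init__` is the part worth keeping in a real register: a product of two ordinal scores is only comparable across entries if every entry was scored on the same agreed scale, so out-of-range values are rejected rather than ranked.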

ISMS controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

The 14 control domains of ISO/IEC 27001

Most organizations have many information security controls. However, if an organization doesn't have an ISMS, the controls tend to be disorganized and disjointed, as they are usually put in place as point solutions to specific situations rather than as a matter of convention.

Trust: It provides confidence and assurance to customers and business partners that your organization takes security seriously. This can also be used to market your organization.

Efficiency: It provides a framework for identifying and managing risks in your organization in an economical manner.

Continual Improvement: It provides you with tools to continually improve your organization's information security.

Security: It helps you to better determine the right amount of security required for your organization: not too few resources spent, not too many, but just the right amount.

Access control

Access control is the process of granting authorised users the right to use a service while preventing access to non-authorised users. Controlled access to services ensures that the organization is able to maintain the confidentiality of its information more effectively.

Activities of access control

Requesting access – Access can be requested using one or any number of mechanisms:

• A standard request
• A request for change
• A service request

Verification – Every request for access to a service needs to be verified from two perspectives:

• Who is the user that is requesting access?
• That they have a legitimate requirement for that service
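The two verification perspectives above are easy to state and easy to skip in practice, so here is an added Python example (not code from the presentation or from Abzooba) that checks an access request from both: the requester must be a known, active account, and their role must carry a legitimate requirement for the service. The user directory, the role-to-service policy and the sample requests are constructed for the example, and recording "legitimate requirement" as a role-to-service mapping is one assumed way of doing it.

```python
"""Verification step of access control.

Added example, not part of the original presentation. It checks an access
request from the two perspectives the presentation names: who the requesting
user is, and whether they have a legitimate requirement for the service.
The user directory, service policy and requests below are constructed for
the example; a role-based policy is one assumed way of recording
"legitimate requirement".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The request mechanisms listed above.
REQUEST_MECHANISMS = {"standard request", "request for change", "service request"}

# Constructed user directory: account -> active flag and role.
USER_DIRECTORY: Dict[str, Dict] = {
    "alice": {"active": True, "role": "finance-analyst"},
    "bob": {"active": True, "role": "developer"},
    "carol": {"active": False, "role": "developer"},   # account disabled on leaving
}

# Constructed policy: which roles have a legitimate need for which service.
SERVICE_POLICY: Dict[str, set] = {
    "erp-reporting": {"finance-analyst"},
    "source-repo": {"developer"},
    "hr-records": {"hr"},
}


@dataclass(frozen=True)
class AccessRequest:
    requester: str            # who is asking for access
    service: str              # what they want to use
    mechanism: str            # how the request was raised
    justification: str = ""   # stated business reason, kept for the record


@dataclass
class Decision:
    granted: bool
    reason: str               # recorded so the decision can be audited later


def verify_access_request(req: AccessRequest,
                          directory: Optional[Dict[str, Dict]] = None,
                          policy: Optional[Dict[str, set]] = None) -> Decision:
    """Apply both verification perspectives; deny by default on any gap."""
    directory = USER_DIRECTORY if directory is None else directory
    policy = SERVICE_POLICY if policy is None else policy

    # The request must arrive through a recognised mechanism.
    if req.mechanism not in REQUEST_MECHANISMS:
        return Decision(False, f"unrecognised request mechanism {req.mechanism!r}")

    # Perspective 1: who is the user? They must be a known, active account.
    user = directory.get(req.requester)
    if user is None:
        return Decision(False, f"unknown requester {req.requester!r}")
    if not user["active"]:
        return Decision(False, f"requester {req.requester!r} is not an active account")

    # Perspective 2: do they have a legitimate requirement for this service?
    allowed_roles = policy.get(req.service)
    if allowed_roles is None:
        return Decision(False, f"unknown service {req.service!r}")
    if user["role"] not in allowed_roles:
        return Decision(False, f"role {user['role']!r} has no legitimate requirement "
                               f"for {req.service!r}")

    return Decision(True, f"{req.requester} ({user['role']}) is entitled to {req.service}")


# Constructed requests covering the grant path and each refusal path.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "erp-reporting", "standard request", "monthly close reporting"),
    AccessRequest("bob", "erp-reporting", "service request", "curious"),
    AccessRequest("carol", "source-repo", "standard request"),
    AccessRequest("dave", "source-repo", "standard request"),
    AccessRequest("alice", "erp-reporting", "hallway conversation"),
]


def review_requests(requests: List[AccessRequest]) -> List[bool]:
    """Decide each request; returns the grant/deny outcome per request in order."""
    return [verify_access_request(r).granted for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = verify_access_request(r)
        print(f"{'GRANT' if d.granted else 'DENY ':5} {r.requester:<6} {r.service:<14} {d.reason}")
```

Every refusal carries a reason string, so the same function doubles as the record an auditor would ask for when checking that access was granted only on a verified identity and a verified need.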

System Change Control

Change control is a systematic approach to managing all changes made to a product or system. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted and that resources are used efficiently. Within information technology (IT), change control is a component of change management. The following checklist can be used to assure that the project has completed the activities related to effective change management control.

Incident

An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions.

Understanding incidents

Breach in C, I, A (Confidentiality, Integrity & Availability)

Different types of incidents

• Denial of Service (DoS)
• Malicious Code
• Unauthorised Access
• Inappropriate Usage
• Multiple Component

Abzooba has implemented the following mechanisms as a part of the incident management program in the organization.

An incident can be reported through:

• Email
• Telephone
• Incident Management system in JIRA

Records of all incidents are maintained in the JIRA – INCIDENTS project. All Abzooba associates, contractors, third

Benefits of ISO 27001

By achieving certification to ISO 27001 your organisation will be able to reap numerous and consistent benefits, including:

• Keeps confidential information secure
• Provides customers and stakeholders with confidence in how you manage risk
• Allows for secure exchange of information
• Enhanced customer satisfaction that improves client retention
• Consistency in the delivery of your service or product
• Manages and minimises risk exposure
• Builds a culture of security
• Protects the company, assets, shareholders and directors
• Improved customer confidence
• Competitive advantage
• Improved security
• Decreased risk of incident
• Increased revenue
• Improved employee engagement
