Implementation Guidance of Information Security Based on ISO 27003

Upload: giang-vu

Post on 03-Apr-2018

TRANSCRIPT

Page 1: Implementation Guidance of Information Security Based on ISO 27003

7/28/2019 Implementation Guidance of Information Security Based on ISO 27003

http://slidepdf.com/reader/full/implementation-guidance-of-information-security-based-on-iso-27003 1/60

Implementation Guidance of Information Security Management System
based on ISO/IEC 27003:2010

By: HALIZA IBRAHIM

Page 2

Getting your ISMS right

My primary focus is to constantly increase shareholder value

Depends on: Customer retention & acquisition

Depends on: TRUST

Depends on: Continuous availability of services

Depends on: Continuous availability of information and information systems

Page 3

Information security influences the way

and buy your brand

Page 4

Purpose of the standard

1. Provide practical guidance in developing the implementation plan for an ISMS project

2. Applicable to all types of organizations of all sizes

Page 5

FIVE (5) PHASES

Phase 1: Obtaining management approval for initiating an ISMS project

Phase 2: Defining ISMS scope and ISMS policy

Phase 3: Conducting information security requirements analysis

Phase 4: Conducting risk assessment and planning risk treatment

Phase 5: Designing the ISMS

Page 6

Phase 1: Obtaining management approval for initiating an ISMS project

Objectives: To obtain management approval to start the ISMS project by defining a business case and the project plan.

Activities

1. Clarify the organization’s priorities to develop an ISMS

2. Develop the preliminary ISMS scope

3. Define roles & responsibilities for the preliminary ISMS scope

4. Create the business case and the project plan for management approval

Page 7

INPUT
* Strategic objectives
* Existing management systems
* A list of legal, regulatory, and contractual information security requirements

PHASE 1 ACTIVITY 1
Clarify the organization’s priorities to develop an ISMS

OUTPUT
* Objectives, priorities, and requirements for an ISMS
* A list of regulatory, contractual, and industry requirements
* Outlined characteristics of the business, the organization, its location, assets, and technology

Page 8

Factors to Consider:

• critical businesses and organization areas
• sensitive or valuable information
• laws which mandate information security measures
information security
• industry requirements which specify particular information security controls or measures
• the threat environment
• competitive drivers
• business continuity requirements

Page 9

INPUT
* output from Clarify the organization’s priorities to develop an ISMS

PHASE 1 ACTIVITY 2
Define the preliminary ISMS scope

OUTPUT
* the deliverable is a document which describes the preliminary scope of the ISMS

Page 10

Page 11

INPUT
* output from Develop the preliminary ISMS scope
* list of stakeholders who will benefit from results of the ISMS project

PHASE 1 ACTIVITY 3
Define roles & responsibilities for the preliminary ISMS scope

OUTPUT
* a document describing the roles and responsibilities

Page 12

Roles & responsibilities for the preliminary ISMS scope

• Overall responsibility for the tasks remains at the management level
• One person is appointed to promote and co-ordinate the information security process
• Each employee is equally responsible for his or her original task and for maintaining information security in the workplace.
• An information security forum could facilitate collaboration within roles for managing information security

Page 13

INPUT
* output from Clarify the organization’s priorities to develop an ISMS
* output from Define the preliminary ISMS scope

PHASE 1 ACTIVITY 4
Create the business case and the project plan for management approval

OUTPUT
* a documented approval by management
* a documented business case
* an initial ISMS project proposal

Page 14

The business case should cover the following subjects:

Goals and specific objectives
Benefit to the organization
Preliminary scope of ISMS
reaching the ISMS objectives
High-level project overview
Initial implementation plan

Page 15

The business case should cover the following subjects:

Defined roles and responsibilities
Required resources (both technology and people)
Implementation considerations including existing information security
Timeline with key milestones
Expected costs
Critical success factors
Quantify the benefits to the organization

Page 16

Phase 2: Defining ISMS scope, boundaries and ISMS policy (Clause: 4.2.1a), 4.2.1b))

Objectives: To define the detailed scope and boundaries of the ISMS and develop the ISMS policy, and obtain endorsement from management

1. Define organizational scope and boundaries

2. Define information communication technology (ICT) scope and boundaries

3. Define physical scope and boundaries

4. Integrate each scope and boundaries to obtain the ISMS scope and boundaries

5. Develop the ISMS policy and obtain approval from management

Page 17

INPUT
* output from Clarify the organization’s priorities to develop an ISMS
* output from Define the preliminary ISMS scope

PHASE 2 ACTIVITY 1
Define organizational scope and boundaries

OUTPUT
* description of organizational boundaries
* functions and structure of the organization
* identification of information exchanged
* organization processes and the responsibilities
* process for the hierarchy of decision making

Page 18

Define organizational scope and boundaries

• The amount of effort required to implement an ISMS is dependent on the magnitude of the scope to which it is to be applied.
account in the risk assessment, and to address the risks that might arise through these boundaries.
• If some processes within the scope are outsourced to third parties, those dependencies should be clearly documented.

Page 19

INPUT
* output from Define the preliminary ISMS scope
* output from Define organizational scope and boundaries

PHASE 2 ACTIVITY 2
Define information communication technology (ICT) scope and boundaries

OUTPUT
* information exchanged
* ICT boundaries for the ISMS
* the information systems and telecommunication networks

Page 20

ICT boundaries should include a description of the following when applicable:

Communications infrastructure
Software within the organizational boundaries
ICT hardware required by the network or networks, applications or production systems
Roles and responsibilities regarding ICT hardware, network and software

Page 21

INPUT
* output from Define the preliminary ISMS scope
* output from Define organizational scope and boundaries
* output from Define information communication technology (ICT) scope and boundaries

PHASE 2 ACTIVITY 3
Define physical scope and boundaries

OUTPUT
* description of physical boundaries for the ISMS
* description of the organization and its geographical characteristics

Page 22

Physical boundaries should include a description of the following:

Functions or process description taking into account their physical location and the extent to which the organization controls them
Special facilities used for storing/containing ICT hardware or in-scope data (e.g. on back-up tapes) based upon the coverage of the ICT boundaries
Any third party dependencies should be documented

Page 23

INPUT
* output from Define the preliminary ISMS scope
* output from Define organizational scope and boundaries
* output from Define information communication technology (ICT) scope and boundaries
* output from Define physical scope and boundaries

PHASE 2 ACTIVITY 4
Integrate each scope and boundaries to obtain the ISMS scope and boundaries

OUTPUT
* document describing the scope and boundaries of the ISMS

Page 24

The scope and boundaries of the ISMS, containing the following information:

Key characteristics of the organization
In-scope organizational processes
Configuration of in-scope equipment and networks
Preliminary list of in-scope information assets
List of in-scope ICT assets
Map of in-scope sites, indicating the physical boundaries
Roles and responsibilities descriptions
Details of and justification for any exclusions from the ISMS scope

Page 25

INPUT
* output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
* output from Clarify the organization’s priorities to develop an ISMS
* output from Create the business case and the project plan for management approval

PHASE 2 ACTIVITY 5
Develop the ISMS policy and obtain approval from management

OUTPUT
* the documented management-approved ISMS policy

Page 26

While defining the ISMS policy, the following aspects should be considered:

• establish the ISMS objectives
• establish the general focus and guide to action to achieve the ISMS objectives
• regulatory and contractual obligations
• risk management context within the organization
• establish the criteria for evaluating risks and defining a risk assessment structure
• clarify high-level management responsibilities with regard to the ISMS
• obtain management approval.

Page 27

Phase 3: Conducting information security requirements analysis (4.2.1c)1), 4.2.1d), 4.2.1e))

Objectives: To define the relevant requirements to be supported by the ISMS, identify the information assets, and obtain the current information security status within scope

Activities

1. Define information security requirements for the ISMS process

2. Identify assets within the ISMS scope

3. Conduct an information security assessment

Page 28

INPUT
* output from Clarify the organization’s priorities to develop an ISMS
* output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
* output from Develop the ISMS policy and obtain approval from management

PHASE 3 ACTIVITY 1
Define information security requirements for the ISMS process

OUTPUT
* identification of the main processes, functions, locations, information systems, communication networks, information assets
* information security requirements
* list of publicly known vulnerabilities
* organization information security training and education requirements

Page 29

The following should be addressed:

• Preliminary identification of important information assets and their current information security protection.
• Identify visions of the organization and determine the effect of identified visions on future information processing requirements.
• Analyze the current forms of information processing, system applications, communication networks
• Identify all essential requirements
• Identify the level of information security awareness

Page 30

INPUT
* output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
* output from Develop the ISMS policy and obtain approval from management
* output from Define information security requirements for the ISMS process

PHASE 3 ACTIVITY 2
Identify assets within the ISMS scope

OUTPUT
* identified information assets of the main processes of the organization within the ISMS scope
* information security classification of critical processes and information assets

Page 31

To identify the assets within the ISMS scope the following information should be identified and listed:

• Unique name of the process
• Process description and associated activities
• Criticality of the process to the organization (critical, important, supporting)
• Process owner (organization unit)
• Processes providing input and outputs from this process
• IT applications supporting the process
• Information classification

Page 32

INPUT
* output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
* output from Develop the ISMS policy and obtain approval from management
* output from Define information security requirements for the ISMS process
* output from Identify assets within the ISMS scope

PHASE 3 ACTIVITY 3
Conduct an information security assessment

OUTPUT
* a document summarizing the assessed security status of the organization, and evaluated vulnerabilities

Page 33

Information security assessment

• Activity for identifying the existing level of information security
• Purpose: To provide information supporting the description required for the
and guidelines.

Page 34

The following actions are important for a successful information security assessment:

• Identify and list the relevant standards of the organization
• Identify known control requirements that arise from contractual obligations, findings from past audits, or findings from risk assessments done in the past.
• Use these as reference documents in order for a rough estimation to be made of the organization's current requirements concerning its level of information security.

Page 35

The approach for conducting the information security assessment is as follows:

• Select the important organizational business processes and process steps
• Create a comprehensive flow chart covering the organization’s main processes including infrastructure, logical and technical.
• Discuss with suitable key personnel and analyze the organization’s current situation in relation to the information security requirements.
• Determine control deficiencies by comparing existing controls with previously identified control requirements.
• Complete and document the current status.

Page 36

Phase 4: Conducting risk assessment and planning risk treatment (4.2.1c) to 4.2.1j))

Objectives: To define the risk assessment methodology; identify, analyze and evaluate the information security risks for selecting risk treatment options; and select control objectives and controls

Activities

1. Conduct risk assessment

2. Select the control objectives and controls

3. Obtain management authorization for implementing and operating an ISMS

Page 37

INPUT
* ISO/IEC 27005:2008 Guidelines for Information Security Risk Management
* output from Defining ISMS scope, boundaries and ISMS policy
* outputs from Conducting information security requirements analysis

PHASE 4 ACTIVITY 1
Conduct risk assessment

OUTPUT
* the description of risk assessment methodologies
* the results of the risk assessment

Page 38

The risk assessment should:

• Identify threats and their sources
• Identify existing and planned controls
• Identify vulnerabilities that can be exploited by threats, to cause harm to assets or to the organization
• Identify the consequences that losses of confidentiality, integrity, availability, non-repudiation, and other security requirements may have on the assets
• Assess the business impact that might result from anticipated or actual information security incidents
• Assess the likelihood of the incident scenarios
• Estimate the level of risk
• Compare levels of risk against risk evaluation criteria and risk acceptance criteria
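The steps on this slide carried through on a small risk register, as an added example that is not part of the presentation: each scenario records the threat and its source, the exploitable vulnerability, the consequence of losing each security property, the likelihood net of existing controls, a risk level estimated as impact times likelihood, and a comparison against an acceptance threshold; residual risk after planned controls is what management is later asked to accept. All asset names, ratings, the 5-point scale and the threshold are constructed assumptions.

```python
from dataclasses import dataclass, field, replace

# Qualitative scale shared by impact and likelihood ratings (constructed).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class RiskScenario:
    asset: str
    threat: str                  # threat and its source
    vulnerability: str           # weakness the threat could exploit
    consequence: dict            # property lost (C/I/A/...) -> impact rating
    likelihood: str              # inherent likelihood, before any controls
    existing_controls: list = field(default_factory=list)
    # each control is (name, number of likelihood steps it removes)


def impact_score(s: RiskScenario) -> int:
    """Worst-case consequence across the security properties that could be lost."""
    return max(LEVELS[rating] for rating in s.consequence.values())


def likelihood_score(s: RiskScenario) -> int:
    """Inherent likelihood reduced by the listed controls, never below 1."""
    reduction = sum(steps for _, steps in s.existing_controls)
    return max(1, LEVELS[s.likelihood] - reduction)


def risk_level(s: RiskScenario) -> int:
    """Estimate the level of risk as impact x likelihood on a 1..25 scale."""
    return impact_score(s) * likelihood_score(s)


def evaluate(register, acceptance_threshold: int):
    """Compare every risk against the acceptance criteria.

    Returns (asset, threat, level, decision) tuples, highest risk first;
    the 'treat' rows feed control selection and the risk treatment plan.
    """
    rows = []
    for s in register:
        level = risk_level(s)
        decision = "accept" if level <= acceptance_threshold else "treat"
        rows.append((s.asset, s.threat, level, decision))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def residual_risk_level(s: RiskScenario, planned_controls) -> int:
    """Risk level once the planned controls from the treatment plan are in place.

    This is the figure management is asked to accept as residual risk.
    """
    with_plan = replace(s, existing_controls=s.existing_controls + list(planned_controls))
    return risk_level(with_plan)


# Constructed register for illustration; not data from the presentation.
REGISTER = [
    RiskScenario(
        asset="customer database",
        threat="external attacker via the internet",
        vulnerability="unpatched internet-facing web application",
        consequence={"confidentiality": "very high", "integrity": "high", "availability": "medium"},
        likelihood="high",
        existing_controls=[("perimeter firewall", 1)],
    ),
    RiskScenario(
        asset="off-site backup tapes",
        threat="loss of tapes in transit (courier)",
        vulnerability="tapes are not encrypted",
        consequence={"confidentiality": "high", "integrity": "low", "availability": "low"},
        likelihood="medium",
    ),
    RiskScenario(
        asset="intranet wiki",
        threat="accidental deletion by staff",
        vulnerability="no page versioning",
        consequence={"confidentiality": "very low", "integrity": "medium", "availability": "medium"},
        likelihood="medium",
        existing_controls=[("nightly backup", 1)],
    ),
]

# Assumed acceptance criterion: risks rated 8 or below may be accepted by management.
ACCEPTANCE_THRESHOLD = 8

if __name__ == "__main__":
    for asset, threat, level, decision in evaluate(REGISTER, ACCEPTANCE_THRESHOLD):
        print(f"{level:>2}  {decision:<6}  {asset}: {threat}")
    # Residual risk for the top item if patch management joins the treatment plan.
    print("residual:", residual_risk_level(REGISTER[0], [("patch management", 2)]))
```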

Page 39

INPUT
* output from Conduct risk assessment
* ISO/IEC 27005:2008 Information Security Risk Management
* ISO/IEC 27002:2005 Code of practice for information security management

PHASE 4 ACTIVITY 2
Select the control objectives and controls

OUTPUT
* a list with selected controls and control objectives
* the Risk Treatment Plan

Page 40

Page 41

INPUT
* output from Create the business case and the project plan for management approval
* outputs from Defining ISMS scope, boundaries and ISMS policy
* output from Conduct risk assessment
* output from Select the control objectives and controls

PHASE 4 ACTIVITY 3
Obtain management authorization for implementing and operating an ISMS

OUTPUT
* written notice of management approval
* management acceptance of residual risks
* statement of applicability

Page 42

Phase 5: Designing the ISMS (4.2.2a)-e), h))

Objectives: Designing organizational security based on the selected risk treatment options, as well as requirements regarding recording and documents; designing the controls integrating security provisions for ICT, physical and organizational processes; designing the ISMS-specific requirements

Activities

1. Design organizational information security

2. Design ICT and physical information security

3. Design ISMS specific information security

4. Produce the final ISMS project plan

Page 43

INPUT
* output from Define roles & responsibilities
* output from Integrate each scope and boundaries
* output from Develop the ISMS policy
* output from Define information security requirements for the ISMS process
* output from Identify assets within the ISMS scope
* output from Conduct an information security assessment
* output from Select the control objectives and controls
* ISO/IEC 27002:2005

PHASE 5 ACTIVITY 1-1
Design of the final organizational structure for information security

OUTPUT
* a document summarizing: organization structure, and its roles and responsibilities

Page 44

INPUT
* output from Integrate each scope and boundaries
* ISMS scope and boundary definition
* output from Develop the ISMS policy
* output from Obtain management authorization for implementing and operating an ISMS
* output from Design of the final organizational structure for information security

PHASE 5 ACTIVITY 1-2
Design a framework for documentation of the ISMS

OUTPUT
* a document summarizing:
- the requirements for ISMS records and documentation control
- repositories and templates for records

Page 45

Design a framework for documentation of the ISMS

• The ISMS documentation should include records of management decisions; ensure that actions are traceable to management decisions and policies, and that the recorded results are reproducible.
• Documents should provide the evidence that controls are selected based on the results of risk assessment and risk treatment, and that such processes are implemented along with the ISMS policy and objectives.

Page 46

Design a framework for documentation of the ISMS

• Records should be created, maintained and controlled as evidence that the ISMS of the organization conforms to ISO/IEC 27001:2005, and to show the effectiveness of operations.
• It is also required to keep records of implementation status for the entire PDCA phase, as well as records of information security incidents and events, records of education, training, skills, experience and qualifications, internal ISMS audits, corrective and preventive actions, and organizational records.

Page 47

INPUT
* output from Clarify the organization’s priorities to develop an ISMS
* output from Create the business case and the project plan for management approval
* output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
* output from Develop the ISMS policy and obtain approval from management
* output from Define information security requirements for the ISMS process
* output from Identify assets within the ISMS scope
* output from Conduct an information security assessment
* output from Conduct risk assessment
* output from Design of the final organizational structure for information security
* output from Design a framework for documentation of the ISMS
* ISO/IEC 27002:2005 reference 5.1.1

PHASE 5 ACTIVITY 1-3
Design the information security policy

OUTPUT
* a document of the information security policy

Page 48

The information security policy

• Documents the organization’s strategic position with respect to the information security objectives throughout the organization.
• Established within the organization by the operational manager.
• Approved
• Communicated to everyone in the organization in such a way that it is relevant, accessible and understandable for its readers.

Page 49: Implementation Guidance of Information Security Based on ISO 27003

7/28/2019 Implementation Guidance of Information Security Based on ISO 27003

http://slidepdf.com/reader/full/implementation-guidance-of-information-security-based-on-iso-27003 49/60

Page 50

Develop information security standards and procedures

• Information security standards as well as the set of applicable legal and regulatory requirements should be available to those who need to know.
• Representatives of different parts of the organization covered by the scope of the ISMS should participate in the process of developing standards and procedures.
• Those participating should have authority and be representative of the organization.

PHASE 5 ACTIVITY 2-1

Page 51

Design ICT and physical information security

INPUT
* output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
* output from Develop the ISMS policy and obtain approval from management
* output from Define information security requirements for the ISMS process
* output from Identify assets within the ISMS scope
* output from Conduct an information security assessment
* output from Select the control objectives and controls
* output from Obtain management authorization for implementing and operating an ISMS
* ISO/IEC 27002:2005

OUTPUT
* a detailed implementation plan for controls relating to ICT and physical security

Page 52

In this activity the following should be documented for each control, which should be a part of the ISMS project plan:

• Person responsible for implementation of a control
• Priority of the control to be implemented
• Statement of the time by which the control should have been implemented
• Person to whom implementation of the control should be reported, once complete
• Resources for implementation (manpower, resource requirements, space requirements, costs)

PHASE 5 ACTIVITY 2-2

Page 53

Plan for management reviews

INPUT
* output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
* output from Develop the ISMS policy and obtain approval from management
* output from Obtain management authorization for implementing and operating an ISMS
* output from Design the information security policy
* ISO/IEC 27004:2009: Information Security Management Measurements

OUTPUT
* a document which summarizes the plan needed for the management review, addressing:
  - inputs required to perform an ISMS management review
  - procedures for the management review covering the auditing and monitoring and measuring aspects

Page 54

Plan for management reviews

• A plan should be developed to ensure management involvement and the commitment to review of the ISMS operation and ongoing improvement.
• Planning of management reviews includes establishing when and how.
• Management reviews should be based upon results from ISMS measurements and other information collected during the operation of the ISMS.
• Results of the internal ISMS audit are important inputs of the ISMS management review.

PHASE 5 ACTIVITY 2-3

Page 55

Design information security awareness, training and education program

INPUT
* output from Integrate each scope and boundaries to obtain the ISMS scope and boundaries
* output from Develop the ISMS policy and obtain approval from management
* output from Define information security requirements for the ISMS process
* output from Obtain management authorization for implementing and operating an ISMS
* output from Select the control objectives and controls
* output from Design the information security policy
* output from Develop information security standards and procedures
* overview of the organization's general education and training program

OUTPUT
* plans for information security awareness, education and training

Page 56

Design information security awareness, training and education program

• Management is responsible for carrying out education and training to ensure that all personnel who are allocated a clearly defined role have the competence to perform the operations required.
• Ideally, the content of the education and training performed should help all personnel be aware of and understand the meaning and importance of the information security activities they are involved in, and how they can contribute to achieving the goals of the ISMS.
• It is important to ensure at this point that every employee within the ISMS scope receives the necessary security training and/or education.


Page 58

Produce the final ISMS project plan

• The activities required to implement selected controls and carry out other ISMS related activities should be formalized in a detailed implementation plan as part of the final ISMS project.
• The detailed implementation plan may also be
tools and methods.
• As an ISMS project involves many different roles in the organization, it is important that the activities are clearly assigned to responsible parties, and that the plan is communicated both early in the project, and throughout the organization.

Page 59

Implementation Roadmap

[Roadmap diagram; only the stage labels survive extraction:]
- Identification of Scope
- ISMS Policy
- Risk Assessment
- Risk Treatment
- Allocation of Responsibilities
- Security Education & Training
- Controls Implementation
- Incident Handling
- Monitoring, Review and Maintenance
- Certification
- Information Security Continual Improvement

Page 60

THANK YOU

SIRIM QAS International Sdn. Bhd.
Building 8, No. 1, Persiaran Dato' Menteri
Section 2, P.O. Box 7035
40911 Shah Alam
Selangor Darul Ehsan