iso 27001 foundation course student handbook
Certified ISO/IEC 27001
Foundation
Participant Handbook
Information Security Training
Copyright ISO 27001 Foundation, Classroom course, release 2.0.0
Copyright and Trademark Information for Partners/Stakeholders.
ITpreneurs Nederland B.V. is affiliated to Veridion.
Copyright © 2013 ITpreneurs. All rights reserved.
Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
Certified ISO/IEC 27001 | Foundation | Participant Handbook
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1
Contents: Certified ISO/IEC 27001 Foundation
Day 1 ............................................................ 2
Day 2 ............................................................ 56
Appendix A: Exercises List ....................................... 102
Appendix B: Correction Key ....................................... 114
Appendix C: Release Notes ........................................ 121
Day 1: ISO 27001 Foundation
Slide 2: ISO 27001 Foundation Training, Section 1: Course objective and structure
1. Meet and greet
2. General points
3. Training objectives and structure
4. Instructional approach
5. Learning assessment
Slide 3: Activity, Meet and greet
Slide 4: General information: smoking, meals, timetable and breaks, mobiles, absences
Slide 5: Training objectives, Acquiring knowledge
1. Explain the components of an Information Security Management System based on ISO/IEC 27001:2005 and its principal processes
2. Explain the goal, content and correlation between ISO/IEC 27001:2005 and ISO/IEC 27002:2005, as well as with other standards and regulatory frameworks
3. Understand the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS
Slide 6: Educational approach, Students at the center
Slide 7: Examination and certification, Exam
The objective of the exam is to ensure that the candidate has the basic knowledge and skills to participate in the implementation of an Information Security Management System (ISMS) based on ISO 27001.
• The exam only contains essay questions
• Participants have the right to use all their documentation
• The exam lasts 1 hour
• Minimum passing score: 70%
Slide 8: ISO 27001 Foundation, Prerequisites for certification
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. No professional experience required
4. No security experience required
Slide 9: Certificates
Candidates who meet all the prerequisites for certification will receive a certificate.
Slide 10: What is PECB?
PECB: Professional Evaluation and Certification Board
Main services:
1. Certification of personnel (Auditor and Consultant)
2. Certification of training organizations
3. Certification of trainers
Slide 11: Customer service, Comments, questions and complaints
Parties involved: training participant, training provider, PECB
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration
Slide 12: Schedule for the training
Slide 13: Questions?
Slide 14: ISO 27001 Foundation Training, Section 2: Standard and regulatory framework
1. ISO structure
2. Fundamental ISO principles
3. Main ISO standards
4. Integrated normative framework
5. Information security standards
6. ISO 27000 family
Slide 15: What is ISO?
• ISO is a network of national standardization bodies of over 160 countries
• The final results of ISO work are published as international standards
• Over 17,000 standards have been published since 1947
Slide 16: Basic principles of ISO standards
1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to implement its standards
3. Business orientation: only develops standards that fill market needs
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries
Slide 17: Eight ISO management principles
Slide 18: Management system standards, Main standards for which an organization can get certification
• ISO 9001: Quality
• ISO 14001: Environment
• ISO 18001: Health and safety at work
• ISO 20000: IT service
• ISO 22000: Food safety
• BS 25999: Business continuity
• ISO 27001: Information security
• ISO 28000: Physical safety
Slide 19: Integrated management system, PAS 99:2006, Annex B
Correspondence between the PAS 99:2006 clauses and the clauses of the individual management system standards:
PAS 99:2006 | ISO 9001:2000 | ISO 14001:2004 | ISO 20000:2005 | ISO 27001:2005
4.1 General requirements | 4.1 | 4.1 | 3 | 4.1, 4.2
4.2 Management system policy | 5.1, 5.3 | 4.2 | 3.1, 4..4.1 | 5.1
4.3 Planning | 5.2, 5.3(b), 5.4.1, 5.4.2, 5.5, 7.2.1, 7.2.2, 8.3 | 4.3, 4.4.1, 4.4.7 | 4.1, 4.2, 5.0, 8.2 | 4.2
4.4 Implementation and operation | 4.2, 5.3(d), 5.5.1, 5.5.3, 6, 7 | 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.5.4 | 4.2, 6.0, 3.1, 3.2, 3.3, 7 | 4.2.2, 4.2.4(c), 4.3, 5.2.1, 5.2.2
4.5 Performance evaluation | 8.1, 8.2.2, 8.2.4, 8.3 | 4.5.1, 4.5.2, 4.5.3, 4.5.5 | 4.3 | 4.2.3, 4.2.4, 6
4.6 Improvement | 8.5.1, 8.5.2, 8.5.3 | 4.5.3 | 4.4, 4.2.4(b), 8.2, 8.3 | 4.2.4, 8.1, 8.2, 8.3
4.7 Management review | 5.6.1, 5.6.2, 5.6.3 | 4.6 | 3.1(g) | 7.1, 7.2, 7.3
Slide 20: Security standards, Examples
Slide 21: ISO/IEC 27000 family
• Vocabulary: ISO 27000, Vocabulary
• Requirements: ISO 27001, ISMS requirements; ISO 27006, Certification organization requirements
• General guides: ISO 27002, Code of practice; ISO 27003, Implementation guide; ISO 27004, Metrics; ISO 27005, Risk management; ISO 27007-27008, Audit guides
• Industry guides: ISO 27011, Telecommunications; ISO 27799, Health; ISO 270XX, others
Slide 22: Legal conformity
• The organization must comply with the applicable laws and regulations
• In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal condition
• In all cases, laws take precedence over standards
• ISO 27001 can be used to comply with several laws and regulations
Slide 23: Certification schema
Actors:
• Accreditation authorities, e.g. ANAB (USA), SCC (Canada), UKAS (UK), COFRAC (France), BELAC (Belgium), SAS (Switzerland)
• Certification bodies, e.g. SGS, Bureau Veritas, DNV, Swiss TS
• Personnel certification bodies, e.g. PECB, IRCA, RABQSA
• Training organizations, e.g. Behaviour
• Auditors
• Auditees
Relationships shown in the schema: accredit; certify organizations; certify auditors; certify trainers; hire auditors; train the auditors; audit the auditees
Slide 24: Certification process
Before the audit:
1. ISMS implementation
2. Internal audit and review of the ISMS (by the auditee)
3. Selection of a certification body
4. Pre-evaluation audit (optional)
Initial audit:
5. Stage 1 audit
6. Stage 2 audit (on-site audit)
7. Follow-up audit (if applicable)
Following the audit:
8. Confirmation of registration
9. Continual improvement and surveillance audit
Slide 25: ISO 27001 Foundation Training, Section 3: Information Security Management System (ISMS)
1. Definition of an ISMS
2. Process approach
3. Structure of the ISO 27001 standard
4. Overview: clauses 4 to 8
5. Annex A
6. Implementation methodology
Slide 26: Information Security Management System
ISO 27001, clause 3.7: "That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security"
Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources
Slide 27: Structure of the ISO/IEC 27001:2005 standard
• Clause 4.2.1: Establish the ISMS
• Clause 4.2.2: Implement and operate the ISMS
• Clause 4.2.3: Monitor and review the ISMS
• Clause 4.2.4: Maintain and improve the ISMS
• Clause 5: Management responsibility
• Clause 6: Internal ISMS audits
• Clause 7: Management review
• Clause 8: ISMS improvement
• Annex A: Control objectives and controls
Slide 28: Establish the ISMS, ISO 27001, clause 4.2.1 a to j
a) Define the scope and boundaries of the ISMS
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyze and evaluate the risks
f) Identify and evaluate risk treatment options
g) Select control objectives and controls
h) Approve residual risks
i) Obtain management approval
j) Prepare the statement of applicability
Slide 29: Implement the ISMS, ISO 27001, clause 4.2.2
• Risk treatment plan: define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
• Implement the controls: implement the controls and define how to measure the effectiveness of the selected controls
• ISMS management: manage ISMS operations daily
• Training and awareness: set in place a training and awareness program
• Incident management: set in place an incident management process to detect and treat incidents rapidly
Slide 30: Documentation requirements, ISO 27001, clause 4.3
Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible. It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives (ISO 27001, clause 4.3.1).
Slide 31: ISMS monitoring and review, ISO 27001, clause 4.2.3
1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS, taking into account the feedback and suggestions of interested parties
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans
Note: Each of these actions must be documented and recorded
Slide 32: Management responsibility, ISO 27001, clause 5
• 5.1 Management commitment: Management shall provide evidence of its commitment to the ISMS
• 5.2.1 Make resources available: Management shall determine and provide the necessary resources for the ISMS
• 5.2.2 Training, awareness and competency: Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks
Slide 33: ISMS internal audits, ISO 27001, clause 6
• The organization shall conduct ISMS internal audits at regular intervals
• An audit program must be planned taking into account the importance of the processes and scopes to audit, as well as previous audit results
Slide 34: ISMS management review, ISO 27001, clause 7
Management review input elements:
1. Results of ISMS audits and reviews
2. Feedback of interested parties
3. Suggestions to improve the performance and effectiveness of the ISMS
4. Status of preventive and corrective actions
5. Vulnerabilities or threats that have not been adequately addressed during the previous risk evaluation
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any change that can affect the ISMS
9. Recommendations for improvement
Management review output elements:
1. Improvement of the effectiveness of the ISMS
2. Update of the risk evaluation and the risk treatment plan
3. Modification of information security procedures and controls
4. Resource needs
5. Improvement in the way the efficiency of controls is measured
Slide 35: ISMS improvement, ISO 27001, clause 8.1
The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review
Slide 36: ISO 27001, Annex A, ISO 27002 domains
A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance
Slide 37: Exercise 1, Reasons to adopt ISO 27001
Slide 38: ISO 27001 advantages
1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing
Slide 39: Proposed methodology (Plan, Do, Check, Act)
1. Understanding the organization
2. Analyze the existing system
3. Scope
4. Security and ISMS policy
5. Risk assessment
6. Statement of applicability
7. Organizational structure
8. Document management
9. Concept of controls and procedures
10. Implementation of concepts and procedures
11. Training, awareness and communication
12. Incident management
13. Operations management
14. Monitoring and review
15. Performance measurement
16. Internal audit
17. Management review
18. Identification of non-conformities
19. Treatment of non-conformities
20. Continuous improvement
Slide 40: ISO 27001 Foundation Training, Section 4: Understanding the organization, analysis of the existing system and security policies
1. Understanding the organization
2. Identification and analysis of interested parties
3. Determination of objectives
4. Gap analysis
5. Definition of the scope
6. ISMS policy and security policies
Slide 41: Understanding the organization and clarifying the information security objectives, ISO 27003, clause 5.2 and ISO 27005, clause 7
Input:
• General information about the organization
• Strategic objectives of the organization
• List of applicable laws, contracts and signed agreements
Actions:
• Establish and analyze the external and internal environment
• Clarify the objectives of information security
• Identify and analyze the applicable requirements of the ISMS
Output:
• Brief description of the organization
• List of stakeholders
• Objectives, priorities and requirements related to the ISMS
• List of applicable legal, regulatory and contractual obligations
• Preliminary scope
Slide 42: List of activities, Understanding the organization, determination of the objectives and security policies (Initiating the ISMS)
1. Mission, objectives, values, strategies
2. External environment
3. Internal environment
4. Key processes and activities
5. IT infrastructure
6. Interested parties
7. Legal, regulatory and contractual requirements
8. Clarification of the objectives
9. Definition of scope
10. Gap analysis
11. Security and ISMS policy
Slide 43: Identification and analysis of interested parties
Interested parties around the organization: Board of Directors, Management Team, Employees, Unions, Shareholders, Financial institutions, Interest groups, Suppliers, Customers, Media, Public, Legislators
Slide 44: Identification and analysis of requirements
Requirements are classified along two axes: external or internal, and voluntary or mandatory.
• Legal and regulatory: all laws and regulations that the organization must comply with
• Standards: international standards and codes of practice related to the industry sector that are voluntarily implemented by the organization
• Internal policies: all requirements inside the organization: internal policies, code of ethics, work rules, etc.
• Market: all contractual obligations that the organization has signed with its stakeholders
Slide 45: Determine the objectives, ISO 27003, clause 5.2
1. Improved risk management: Can the ISMS improve risk management?
2. Effective security management: Can the ISMS improve the effectiveness of information security management?
3. Business advantage: Can the implementation of an ISMS provide competitive advantages?
Slide 46: Definition of the ISMS scope, ISO 27003, clause 6.2
Possible scopes:
• A key process
• A department
• The organization as a whole
• The organization and its stakeholders
Slide 47: Gap analysis and level of maturity
Gap analysis: technique to determine the steps to move from the current state to a desired future state
1. Comparison of the current performance of the security management system with the ISO 27001 requirements
2. Identifying the improvement needs
3. Basis for drafting the ISMS project plan
Slide 48: Definition of security and ISMS policies, ISO 27003, annex D
Policy levels:
• High-level general policies: general guidelines for the management of a sector of activities: procurement and supply, human resources, sales, marketing, etc.
• High-level topic-specific policies: specific guidance on a topic
• Detailed policies: specify the internal requirements of another policy; usually cover a very specific and/or target audience
Policies shown in the diagram: Security policy, Information security policy, ISMS policy, policy on access control, policy on cryptography, policy on continuity of activities, incident management policy
Slide 49: Example of the ISMS policy, Model (extract)
2. Introduction
• The information and processes, systems and networks that enable the processing of important assets for [ABC] in carrying out its business mission.
• [ABC] should ensure respect for the integrity, confidentiality and availability of information generated or stored within the scope of the ISMS.
• [ABC] shall ensure the protection of its information assets against threats, internal or external, accidental or deliberate.
3. Scope of the ISMS
• This policy supports the security policy and the information security policy.
• This policy applies to all activities of [ABC] included in the scope of the information security management system.
4. Objectives of the policy
• Ensure continuity of critical business activities.
• Ensure that all information processed, stored, traded or released by the organization is of absolute integrity.
• Ensure that all information relevant to the organization will be monitored and stored according to procedures for maintaining appropriate confidentiality.
• Ensure the selection of appropriate and proportionate security controls to protect the assets and give confidence to the interested parties.
• Ensure effective and efficient management of information security.
5. Principles of the ISMS policy
• [ABC] shall establish, implement, operate, monitor, review, maintain and improve an ISMS based on a documented approach to the risks related to its activity and in compliance with all requirements of ISO/IEC 27001.
• [ABC] should take into account all legal, regulatory and contractual requirements in the management of the ISMS in order to avoid breaching its legal, statutory, regulatory or contractual obligations and security requirements.
• The legal and regulatory requirements will be met in priority, even if they are inconsistent with the policy described here.
• [ABC] shall establish and implement a documented risk management program in accordance with the requirements of ISO/IEC 27001. Criteria for evaluation and acceptance of risk must be established, formalized and approved by management.
• This policy has been approved by management and is subject to an annual review.
Slide 50: Example of the information security policy, Model (extract)
1. Policy summary
• Information should always be protected, whatever its form and however it is shared, communicated or stored.
2. Introduction
• Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
• Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
3. Scope
• This policy supports the organization's general security policy.
• This policy applies to all of the organization.
4. Information security objectives
• Strategic and operational information security risks are understood and treated to be acceptable to the organization.
• The confidentiality of customer information, product development and marketing plans is protected.
• The integrity of accounting records is preserved.
• Public web services and internal networks meet specified availability standards.
5. Information security principles
• This organization encourages risk-taking and tolerates risks that might not be tolerated in conservatively managed organizations, provided that information risks are understood, monitored and treated when necessary. Details of the approach taken to risk assessment and treatment are found in the ISMS policy.
• All staff will be made aware of and accountable for information security as relevant to their job role.
• Provision will be made for funding information security controls in operational and project management processes.
• Possibilities for fraud associated with abuse of information systems will be taken into account in the overall management of information systems.
• Information security status reports will be available.
• Information security risks will be monitored and action taken when changes result in risks that are not acceptable.
• Criteria for risk classification and risk acceptability are found in the ISMS policy.
• Situations that could place the organization in breach of laws and statutory regulations will not be tolerated.
Slide 51: Example of specific policies, Example of a policy on e-mail use
1. Policy summary
• The e-mail system is a resource belonging to the company and is available to users for business purposes.
• Occasional and non-abusive personal use of e-mail is tolerated only insofar as it takes place during the user's free time and only if it does not impair the performance of their work.
2. Introduction
• All outgoing e-mail from the company may be identified as part of its public image, so e-mail management is necessary to avoid users eventually tarnishing this image.
• This policy aims to regulate the use of e-mail by all users as part of their work.
3. Scope
• This policy covers appropriate use of any e-mail sent from a company e-mail address.
• This policy applies to all employees, members of management and contract personnel using a corporate e-mail address provided by the company.
4. Information security objectives
• Preventing the public image of the company from being tainted by improper or inadequate use of the corporate e-mail addresses made available to stakeholders.
• Preventing the risks of junk e-mail (spam) arising from improper use of e-mail, both internally and by third parties related to the company or even outside bodies.
5. Information security principles
• Prohibited use: the corporate e-mail address will not be used for offensive, insulting or racist purposes. Any user who observes this type of use by one of their colleagues should immediately inform the person directly responsible.
• Personal use: reasonable use of company resources for personal purposes is acceptable, but non-professional e-mails will be saved and filed in directories different from those used for business purposes. It is also forbidden to pass on chain e-mails or jokes. This prohibition also applies to relaying e-mails that were received from colleagues.
• Monitoring: users know they have no privacy regarding the work e-mails stored or sent through the company's systems. The company may monitor the messages circulating on its infrastructure without prior notification, without being obliged to make this surveillance continuous or mandatory.
• Penalties: any user who violates this policy through their use of e-mail may be subject to disciplinary action, including dismissal or termination of contract in the case of contract personnel.
Slide 52: ISO 27001 Foundation Training, Section 5: Selection of the approach and methodology for risk assessment and identification of risks
1. Approach to risk assessment
2. Methodology for risk assessment
3. Identification of assets with their owners
4. Identification of threats
5. Identification of existing security controls
6. Identifying vulnerabilities
7. Identifying the consequences
Slide 53: Selection of the approach and methodology for risk assessment, ISO 27001, clause 4.2.1 c and ISO 27005, clause 7
Input:
• All relevant information on the organization for the implementation of risk management
• Scope
• ISMS policy
Activities:
• Choose the risk assessment approach
• Choose the risk assessment methodology
• Define criteria for risk acceptance
• Identify acceptable levels of risk
• Plan the activities
Output:
• Description of the risk assessment approach
• Description of the risk assessment methodology
• Criteria for risk acceptance
• Description of levels of acceptable risk
• Activity planning
Slide 54: Information security risk, ISO 27005, clause 3.2 and ISO 27000, clause 2.24
Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
Note: it is measured in terms of a combination of the likelihood of an event and its consequence.
Slide 55: The relation between ISO 27001 and ISO 27005
ISO 27001, clause 4.2.1 c to h and clause 4.2.3 d are covered by the ISO/IEC 27005 process.
Important note: it is not required to refer to ISO 27005 to obtain ISO 27001 certification
Slide 56: Information security risk management process according to ISO 27005
1. Context establishment
2. Risk assessment
   Risk analysis: risk identification, risk estimation
   Risk evaluation
   Decision point: assessment satisfactory? (yes: continue; no: loop back)
3. Risk treatment
   Decision point: treatment satisfactory? (yes: continue; no: loop back)
4. Risk acceptance
Running alongside all steps: risk communication, and risk monitoring and review
Slide 57: List of activities, Selecting an approach and methodology for risk assessment
Inputs: understanding the organization; scope
1. Risk assessment approach
2. Risk assessment methodology
3. Risk assessment criteria
4. Acceptable risk levels
Next step: identify the risks
Slide 58: 1. Selecting an approach to risk estimation, ISO 27005, clause 8.2.2.1
Qualitative estimation: uses a scale of qualifying attributes to describe the magnitude of potential consequences (e.g. Low, Medium and High) and the likelihood that those consequences will occur.
Quantitative estimation: uses a scale with numerical values (rather than the descriptive scales used in qualitative estimation) for both consequences and likelihood, using data from a variety of sources.
Slide 59: 2. Selecting a risk assessment methodology, Criteria to take into account
1. Compatibility with all criteria required by ISO 27001
2. Language of the method: it is essential to master the vocabulary used
3. Existence of software tools facilitating its use
4. Documentation, training, support, skilled personnel available
5. Ease and pragmatic use of the method
6. Cost of utilization
7. Existence of comparison material (metrics, case studies, etc.)
Slide 60: Risk management methodologies, List of the most used tools available
Method | Origin | Brief description of the phases
OCTAVE | U.S. (CERT) | Profiling of the security needs, study of vulnerabilities, development of the strategy and security plan
CRAMM | U.K. (Siemens) | Definition of the assets put at risk, risk and vulnerability analysis, identification and selection of security controls
MICROSOFT | U.S. (Microsoft) | Assessment of risk, decision support, establishment of controls, measurement of program effectiveness
EBIOS | France (DCSSI) | Study of the context, definition of the security needs, study of threats, identification of security objectives, determination of the security requirements
MEHARI | France (CLUSIF) | Analysis and classification of the critical assets, diagnosis of security services, risk analysis, definition of security plans
Slide 61: 3. Determination of the basic criteria, ISO 27005, clause 7.2
1. Risk evaluation
2. Impacts
3. Risk acceptance
Slide 62: 4. Threshold of risk acceptance, Example, Qualitative analysis
Rows give the asset value (0 to 4); columns give the likelihood of occurrence of the threat (Low, Medium, High), each subdivided by the vulnerability level (L, M, H).
Asset value | Likelihood Low: L M H | Likelihood Medium: L M H | Likelihood High: L M H
0 | 0 1 2 | 1 2 3 | 2 3 4
1 | 1 2 3 | 2 3 4 | 3 4 5
2 | 2 3 4 | 3 4 5 | 4 5 6
3 | 3 4 5 | 4 5 6 | 5 6 7
4 | 4 5 6 | 5 6 7 | 6 7 8
Resulting risk level: 0-2 risk not significant; 3-5 acceptable risk; 6+ risk not acceptable
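Worked example of the qualitative matrix above (an added example, not code from the handbook or from PECB). Reading the table shows that every cell equals asset value plus likelihood plus vulnerability level, with Low, Medium and High mapped to 0, 1 and 2; the code takes that additive reading as an assumption and checks it against the slide's own rows, then applies the slide's three acceptance bands to a constructed risk register (asset names, threats and ratings are invented for illustration). It generalizes the lookup to any combination on the slide's scales and returns the scenarios that land above the acceptance threshold, which are the ones the risk treatment plan has to address.

```python
"""Qualitative risk estimation using the handbook's additive risk matrix.

Added example, not code from the handbook or PECB. Assumption: each matrix
cell equals asset_value + likelihood + vulnerability, with Low/Medium/High
mapped to 0/1/2; SLIDE_MATRIX below reproduces the slide so the assumption
is checked in code rather than taken on trust.
"""
from dataclasses import dataclass

LEVELS = {"low": 0, "medium": 1, "high": 2}
LEVEL_NAMES = ("low", "medium", "high")

# The slide's table: row = asset value 0..4, columns = likelihood L/M/H,
# each subdivided by vulnerability level L/M/H (9 cells per row).
SLIDE_MATRIX = {
    0: [0, 1, 2, 1, 2, 3, 2, 3, 4],
    1: [1, 2, 3, 2, 3, 4, 3, 4, 5],
    2: [2, 3, 4, 3, 4, 5, 4, 5, 6],
    3: [3, 4, 5, 4, 5, 6, 5, 6, 7],
    4: [4, 5, 6, 5, 6, 7, 6, 7, 8],
}


def risk_score(asset_value: int, likelihood: str, vulnerability: str) -> int:
    """Additive risk score on the slide's 0..8 scale."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be on the slide's 0..4 scale")
    try:
        return asset_value + LEVELS[likelihood.lower()] + LEVELS[vulnerability.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown qualitative level: {exc.args[0]}") from None


def classify(score: int) -> str:
    """The slide's acceptance bands: 0-2, 3-5, 6 and above."""
    if score <= 2:
        return "not significant"
    if score <= 5:
        return "acceptable"
    return "not acceptable"


def build_matrix() -> dict:
    """Regenerate the full 5x9 matrix from the additive rule."""
    return {
        av: [risk_score(av, lk, vu) for lk in LEVEL_NAMES for vu in LEVEL_NAMES]
        for av in range(5)
    }


def matrix_matches_slide() -> bool:
    """True if the additive rule reproduces every cell of the slide's table."""
    return build_matrix() == SLIDE_MATRIX


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: int
    threat: str
    likelihood: str
    vulnerability: str


# Constructed sample risk register; assets, threats and ratings are invented.
SAMPLE_REGISTER = [
    Scenario("Customer database", 4, "Theft of documents", "medium", "high"),
    Scenario("Office printer", 1, "Equipment failure", "high", "medium"),
    Scenario("Payroll application", 3, "Power outage", "low", "low"),
    Scenario("Public web server", 3, "Network overload", "high", "high"),
]


def assess(register):
    """Score each scenario; return (scenario, score, band) with the highest risk first."""
    scored = [
        (s, risk_score(s.asset_value, s.likelihood, s.vulnerability))
        for s in register
    ]
    scored.sort(key=lambda pair: pair[1], reverse=True)  # stable sort: ties keep input order
    return [(s, score, classify(score)) for s, score in scored]


def needs_treatment(register) -> list:
    """Assets above the acceptance threshold, i.e. those the treatment plan must cover."""
    return [s.asset for s, _, band in assess(register) if band == "not acceptable"]


if __name__ == "__main__":
    print("additive rule reproduces the slide:", matrix_matches_slide())
    for s, score, band in assess(SAMPLE_REGISTER):
        print(f"{score}  {band:<16} {s.asset} / {s.threat}")
    print("to the risk treatment plan:", needs_treatment(SAMPLE_REGISTER))
```

Running the module prints the sorted register; the two scenarios scoring 7 (customer database, public web server) fall in the "not acceptable" band and are returned by needs_treatment, while the printer (4) and payroll application (3) sit in the acceptable band. The acceptance thresholds are kept in one place (classify) because, as the slide's criteria step says, they must be established, formalized and approved by management before the scores mean anything.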
Slide 63: List of activities, Risk assessment
Context establishment
Risk identification:
1. Identification of assets
2. Identification of threats
3. Identification of existing controls
4. Identification of vulnerabilities
5. Identification of impacts
Risk estimation:
• Impact assessment
• Assessing the likelihood of an incident
• Risk level estimation
Risk evaluation:
• Risk level evaluation based on risk criteria
• Risk level evaluation based on risk acceptance
Risk treatment:
• Risk treatment options
• Risk treatment plan
• Evaluation of residual risk
Risk acceptance:
• Risk treatment plan acceptance
• Residual risk acceptance
Running alongside all steps: monitoring and review of risk
Risk identification and risk estimation together form the risk analysis; risk analysis and risk evaluation together form the risk assessment.
Slide 64: 1. Identification of assets, ISO 27005, clause 8.2.1.2
Definition of asset: anything that has value to the organization (ISO 27000, 2.3)
Asset categories:
• Primary assets: business processes, information assets
• Supporting assets: hardware, software, network, personnel, site, organization's structure
Slide 65: 2. Identification of threats, ISO 27005, clause 8.2.1.3
Definition of threat: potential cause of an unwanted incident, which may result in harm to a system or organization (ISO 27000, 2.45)
Slide 66: Types of threats, ISO 27005, annex C
Threat type | Examples
1. Physical damage | Fire, water damage
2. Natural events | Earthquake, flooding
3. Loss of essential services | Failure of air-conditioning, power outage
4. Disturbance due to radiation | Electromagnetic radiation, thermal radiation
5. Compromise of information | Wire tap, theft of documents
6. Compromise of functions | Equipment failure, network overload
7. Unauthorized actions | Non-authorized action, use of pirated software
Slide 67: 3. Identification of existing controls, ISO 27005, clause 8.2.1.4
In the initiation phase of the ISMS, if the organization has conducted a gap analysis, it already has data on existing security controls. To gather the appropriate information in the organization, the following may be helpful:
1. Examination of documents containing information on security controls (security management process, procedures, description of security controls, safety reports, etc.)
2. Interviews with the people responsible for information security and the persons who manage the daily operations related to security controls
3. On-site review of the physical security controls
4. Reviewing results
Slide 68: 4. Identification of vulnerabilities, ISO 27005, clause 8.2.1.5
Definition of vulnerability: weakness of an asset or control that can be exploited by a threat (ISO 27000, 2.46)