iso 27001 lead implementer student handbook


Upload: itpreneurs

Post on 16-Mar-2016


Page 1: ISO 27001 Lead Implementer Student Handbook

Certified ISO/IEC 27001

Lead Implementer

Participant Handbook

Information Security Training


Copyright ISO 27001 Lead Implementer, Classroom course, release 5.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


Certified ISO/IEC 27001 | Lead Implementer | Participant Handbook

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1

Follow Us

Before you start the course, please take a moment to:

“Like us” on Facebook

http://www.facebook.com/ITpreneurs

“Follow us” on Twitter

http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus

http://gplus.to/ITpreneurs

"Link with us" on Linkedin

http://www.linkedin.com/company/ITpreneurs

"Watch us" on YouTube

http://www.youtube.com/user/ITpreneurs



Contents

Certified ISO/IEC 27001 Lead Implementer

Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 65
Day 3 ------------------------------------------------------------ 133
Day 4 ------------------------------------------------------------ 201
Appendix A: Case Study ------------------------------------ 263
Appendix B: Exercises List ---------------------------------- 271
Appendix C: Correction Key ---------------------------------- 289
Appendix D: Release Notes ---------------------------------- 305


Day 1

ISO 27001 Lead Implementer


DAY 1

Certified ISO 27001 Lead Implementer

Certified ISO 27001 Lead Implementer Training

Section 1

a. Meet and greet

b. General points

c. Training objectives

d. Educational approach

e. Examination and certification

f. PECB

g. Schedule for the training

Course objectives and structure


Activity: Meet and greet

General Information

Smoking area

Meals, timetable and breaks

Use of mobile phones and recording devices

Absences

Use of a computer and access to the Internet


Training Objectives – Acquiring knowledge

1. Understand the components and the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001 and ISO 27002 as well as with other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS

Training Objectives – Development of competencies

1. Interpret the ISO 27001 requirements in the specific context of an organization
2. Develop the expertise to support an organization to plan, implement, manage, monitor and maintain an ISMS as specified in ISO 27001
3. Acquire the expertise to advise an organization on information security management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project


Educational Approach

Students at the center

Examination

Competency domains

1. Fundamental principles of information security
2. Information security control best practice based on ISO 27002
3. Planning an ISMS based on ISO 27001
4. Implementing an ISMS based on ISO 27001
5. Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001
6. Continual improvement of an ISMS based on ISO 27001
7. Preparing for an ISMS certification audit


Certified ISO 27001 Lead Implementer

Prerequisites for certification

1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years professional experience
4. 2 years information security experience
5. 300 hours activity
6. Professional references

Certificate

Candidates who met all the prerequisites for certification will receive a certificate:


What is PECB?

Professional Evaluation and Certification Board

Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Personnel Certification Bodies

ISO 17024

ISO 17024 specifies the criteria for an organization that conducts certification of persons in relation to specific requirements, including developing and maintaining a certification scheme for persons

PECB is accredited by ANSI under ISO/IEC 17024

Most of the organizations proposing certifications of professionals are not accredited certification bodies


Why Become a Certified Implementer?

Advantages

Qualifying oneself to manage an ISMS project

Formal and independent recognition of personal competencies

Certified professionals usually earn salaries higher than those of non-certified professionals

Customer Service

Comments, questions and complaints

1. Submit a complaint (Training Participant to Training Provider)
2. Answer in writing (Training Provider to Training Participant)
3. Appeal (to PECB)
4. Final arbitration (by PECB)


Schedule for the Week

Questions?


17

Certified ISO 27001 Lead Implementer Training

Section 2

a. ISO structure

b. Fundamental ISO principles

c. Information Security Standards

d. ISO 27000 family

e. Integrated normative framework

f. Project Management Standards

Standard and regulatory framework

18

What is ISO?

ISO is a network of national standardization bodies from over 160 countries

The final results of ISO works are published as international standards

Over 19 000 standards have been published since 1947


Basic Principles – ISO Standards

1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies

Eight ISO Management Principles


Management System Standards

Primary standards against which an organization can be certified:

ISO 9001 – Quality
ISO 14001 – Environment
OHSAS 18001 – Health and Safety at work
ISO 20000 – IT Service
ISO 22000 – Food Safety
ISO 22301 – Business continuity
ISO 27001 – Information security
ISO 28000 – Supply Chain Security

Integrated Management System

Common structure of ISO standards (clause references in each standard)

Requirements                        | ISO 9001:2008 | ISO 14001:2004 | ISO 20000:2011 | ISO 22301:2012 | ISO 27001:2005
Objectives of the management system | 5.4.1         | 4.3.3          | 4.5.2          | 6.2            | 4.2.1
Policy of the management system     | 5.3           | 4.2            | 4.1.2          | 5.3            | 4.2.1
Management commitment               | 5.1           | 4.4.1          | 4.1            | 5.2            | 5
Documentation requirements          | 4.2           | 4.4            | 4.3            | 7.5            | 4.3
Internal audit                      | 8.2.2         | 4.5.5          | 4.5.4.2        | 9.2            | 6
Continual improvement               | 8.5.1         | 4.5.3          | 4.5.5          | 10             | 8
Management review                   | 5.6           | 4.6            | 4.5.4.3        | 9.3            | 7


Other Information Security Standards

Examples

History of the ISO 27001 Series

Important dates

1990 – Code of best practices (published by a group of companies)
1995 – BS7799-1: Code of best practices
1998 – BS7799-2: ISMS certification schema
2000 – ISO 17799: Best practices code
2005 – New version of ISO 17799; ISO 27001 publication
2007 – ISO 27006: Certification organization requirements
2008+ – Publication of other standards of the 27000 family; revision to ISO 27001 & ISO 27002 in progress


ISO 27000 Family

Vocabulary:
ISO 27000 – Vocabulary

Requirements:
ISO 27001 – ISMS requirements
ISO 27006 – Certification organization requirements

General guides:
ISO 27002 – Code of practices
ISO 27003 – Implementation guide
ISO 27004 – Metrics
ISO 27005 – Risk management
ISO 27007-27008 – Audit guides

Industry guides:
ISO 27011 – Telecommunications
ISO 27799 – Health
ISO 270XX – others

ISO 27001

Specifies requirements for ISMS management (Clause 4 to 8)

Requirements (clauses) are written using the imperative verb “shall”

Annex A: 11 clauses containing 39 control objectives and 133 controls

Organization can obtain certification against this standard


ISO 27002

Guide for code of practice for information security management (Reference document)

Clauses written using the verb “should”

Composed of 11 clauses, 39 control objectives and 133 controls

Organization cannot obtain certification against this standard

A.k.a. ISO 17799

ISO 27003

Code of practice for the implementation of an ISMS

Reference document to be used with the ISO 27001 and ISO 27002 standards

Consisting of 9 clauses which define 28 stages to implement an ISMS

Certification against this standard is not possible


ISO 27009+

Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of domain-specific standards:

For industries:
– Telecommunication
– Health
– Finance and insurance
– …

For specific sectors related to information security:
– Application security
– Cyber security
– Security incident management
– Privacy protection
– ...

30

Questions?


31

Certified ISO 27001 Lead Implementer Training

Section 3

a. Definition of an ISMS

b. Process approach

c. Overview – Clauses 4 to 8

d. Annex A

Information Security Management System (ISMS)

Definition of ISMS

ISO 27001, clause 3.7

The part of the overall management system, based on a risk-based approach, to establish, implement, operate, monitor, review, maintain and improve information security

Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources


Process Approach

ISO 27001, clause 0.2

The PDCA model applied to ISMS processes:

Input: information security requirements and expectations of interested parties
Plan – Establish the ISMS
Do – Implement the ISMS
Check – Monitor and review the ISMS
Act – Maintain and improve the ISMS
Output: managed information security delivered to interested parties

Process Approach

The application of the process approach will vary from one organization to the next depending on its size, complexity and activities

Organizations often identify too many processes

Process model: Input → Activities → Output, subject to Control


Structure of the ISO 27001 Standard

Clause 4.2.1 – Establish the ISMS
Clause 4.2.2 – Implement and operate the ISMS
Clause 4.2.3 – Monitor and review the ISMS
Clause 4.2.4 – Maintain and improve the ISMS
Clause 5 – Management responsibility
Clause 6 – Internal ISMS audits
Clause 7 – Management review
Clause 8 – ISMS improvement
Annex A – Control objectives and controls

Establish the ISMS

ISO 27001, clauses 4.2.1 a-j

a) Define scope and boundaries of the ISMS
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyze and evaluate the risks
f) Identify and evaluate risk treatment options
g) Select control objectives and controls
h) Approve residual risks
i) Have management approve the ISMS
j) Prepare the statement of applicability


Implementation of the ISMS

ISO 27001, clause 4.2.2

Risk Treatment Plan: Define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
Implementation of controls: Implement the controls and define how to measure the effectiveness of the selected controls
ISMS Management: Manage ISMS operations daily
Training & Awareness: Set in place a training and awareness programme
Incident Management: Set in place an incident management process to detect and treat incidents rapidly

ISMS Monitoring and Review

ISO 27001, clause 4.2.3

1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS taking into account the feedback and suggestions of the stakeholders
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans

Note: Each of these actions must be documented and recorded


Documentation Requirements

ISO 27001, clause 4.3

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives

ISO 27001, clause 4.3.1

ISMS Policy and Objectives

Management Responsibility

ISO 27001, clause 5

5.1 Management commitment: Management shall provide evidence of its commitment to the ISMS

5.2.1 Make resources available: Management shall determine and provide the necessary resources for the ISMS

5.2.2 Training, awareness & competency: Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks


ISMS Internal Audits

ISO 27001, clause 6

The organization shall conduct ISMS internal audits at regular intervals

An audit programme must be planned taking into account the importance of processes and scopes to audit, as well as previous audit results

ISMS Management Review

ISO 27001, clause 7

Management review input elements:
1. Results of ISMS audits and reviews
2. Feedback from stakeholders
3. Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4. Status of preventive and corrective actions
5. Vulnerabilities or threats that have not been adequately assigned during the previous risk assessment
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any change that can affect the ISMS
9. Recommendations for improvement

Management review output elements:
1. Improvement of the effectiveness of the ISMS
2. Update of the risk assessment and the risk treatment plan
3. Modification of information security procedures and controls
4. Resource needs
5. Improvement in the way efficiency of controls is measured


ISMS Improvement

ISO 27001, clause 8.1

The organization shall continually improve the effectiveness of the ISMS using the information security policy, information security objectives, audit results, event analysis, corrective and preventive actions, and the management review

Security Objectives and Controls

ISO 27001, Annex A

ISO 27001, Annex A (list of the security objectives and controls): objectives and controls

ISO 27002: recommendations for implementation, supplementary information

Important note: in theory, taking into account the 27002 best practices is not a requirement to obtain a 27001 certification


ISO 27002 Clauses

ISO 27001, Annex A

A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance

46

Exercise 1

Reasons to adopt ISO 27001


ISO 27001 Advantages

1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing

48

Questions?


49

Certified ISO 27001 Lead Implementer Training

Section 4

a. Asset and information asset

b. Information security

c. Confidentiality, integrity and availability

d. Vulnerability, threat and impact

e. Information security risk

f. Security objectives and controls

g. Classification of security controls

Fundamental Principles of Information Security

Asset and Information Asset

ISO 9000, clause 7.3.1; ISO 27000, clause 2.3 & 2.8

Information: meaningful data

Asset: All elements having value for the organization

Information asset: Knowledge or data that has value to the organization


Document – Specification – Record

ISO 9000, clause 3.7

Document: Information and its supporting medium

Specification: Document stating requirements

Record: Document stating results achieved or providing evidence of activities performed

Information Security

ISO 27002, clause 0.1

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities


Information Security

ISO 27000, clause 2.19

Preservation of confidentiality, integrity and availability of information

Note: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved

54

Information Security

Covers information of all kinds

Printed or hand written

Recorded using technical support

Transmitted by email or electronically

Included in a website

Shown on corporate videos

Mentioned during conversations

Etc.


Confidentiality

ISO 27000, clause 2.9

Property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Integrity

ISO 27000, clause 2.25

Property of protecting the accuracy and completeness of assets


Availability

ISO 27000, clause 2.7

Property of being accessible and usable upon demand by an authorized entity

Vulnerability

ISO 27000, clause 2.46

Weakness of an asset or a security control that can be exploited by a threat


Types of Vulnerabilities

ISO 27005, Annex D

Type of vulnerability      | Examples
1 Hardware                 | Insufficient maintenance; Portability
2 Software                 | No registration logs; Complicated interfaces
3 Network                  | Lack of encryption of transfers; Single point of access
4 Personnel                | Insufficient training; Lack of supervision
5 Site                     | Unstable electrical system; Site in an area susceptible to flood
6 Organization's structure | Lack of segregation of duties; No job descriptions

60

Threats

ISO 27000, clause 2.45

Potential cause of an unwanted incident which may result in harm to a system or an organization


Types of Threats

ISO 27005, Annex C

Threat type                      | Examples
1 Physical damage                | Fire; Water damage
2 Natural disaster               | Earthquake; Flooding
3 Loss of essential service      | Failure of air conditioning; Power outage
4 Disruption caused by radiation | Electromagnetic radiation; Thermal radiation
5 Information compromised        | Wiretaps; Theft of documents
6 Technical failure              | Equipment failure; Network overload
7 Unauthorized action            | Unauthorized access; Use of pirated software

Relationship: Vulnerability and Threat

Examples

Vulnerability                                  | Threat
Warehouse unprotected and without surveillance | Theft
Complicated data processing procedures         | Data input error by personnel
No segregation of duties                       | Fraud, unauthorized use of a system
Unencrypted data                               | Information theft
Use of pirated software                        | Lawsuit, virus
No review of access rights                     | Unauthorized access by persons who have left the organization
No backup procedures                           | Loss of information


Impact

ISO 27000, clause 2.17

Adverse change to the level of business objectives achieved

Examples of impacts on availability: Performance degradation; Service interruption; Unavailability of service; Disruption of operations

Examples of impacts on integrity: Accidental change; Deliberate change; Incorrect results; Incomplete results; Loss of data

Examples of impacts on confidentiality: Invasion of privacy of users or customers; Invasion of privacy of employees; Confidential information leakage

Information Security Risk

ISO 27000, clause 2.24

Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization

Note: It is measured in terms of a combination of the likelihood of an event and its consequence


Risk Scenario

Example

United Kingdom: Corruption of several websites of the Conservative Party (Vital Security 01/03/2010)

The text of the corruption encourages Web site visitors to vote for the Labour Party. Messages left by the attackers include security evaluation of the site and political slogans.

Information asset: Content of the Conservative party website
Other asset: Server hosting the Conservative party website
Security aspect: Integrity
Vulnerability: Security holes in the Web server
Threat: Hackers
Impact: Image of the Conservative party
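The scenario above decomposes one incident into information asset, supporting asset, security aspect, vulnerability, threat and impact, and the ISO 27000 clause 2.24 definition says the resulting risk is measured as a combination of likelihood and consequence; ISO 27001 clause 4.2.1 c) to h) turns that into a procedure: define the assessment approach, score the risks, select controls, and have management approve the residual risk. The Python below is an added example, not material from the handbook, PECB or ITpreneurs: it encodes a few constructed scenarios built from the vulnerability/threat pairs listed earlier, scores them on assumed 1 to 5 ordinal scales with risk level = likelihood × consequence (one common way to combine the two; the standard leaves the method to the organization), applies a few Annex A controls (ISO 27001:2005 numbering) with assumed score reductions, and compares each residual level with an assumed acceptance threshold. All scales, reductions, thresholds and sample data are constructed.

```python
"""Risk register worked example in the ISO 27000 / ISO 27001 clause 4.2.1 vocabulary.

Added example, not part of the handbook. Scales, thresholds, control effects and the
sample scenarios are constructed for illustration; ISO 27001 leaves the risk assessment
method and the risk acceptance criteria to the organization.
"""
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal 1..5 scales for likelihood and consequence
SECURITY_ASPECTS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class RiskScenario:
    """One row of the scenario table: assets, weakness, threat, impact and the two scores."""
    information_asset: str
    supporting_asset: str
    security_aspect: str   # which of C, I, A the scenario affects
    vulnerability: str
    threat: str
    impact: str
    likelihood: int        # likelihood that the threat exploits the vulnerability
    consequence: int       # severity of the impact if it does

    def __post_init__(self):
        for score in (self.likelihood, self.consequence):
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"score {score} outside {SCALE_MIN}..{SCALE_MAX}")
        if self.security_aspect not in SECURITY_ASPECTS:
            raise ValueError(f"unknown security aspect {self.security_aspect!r}")

    def risk_level(self) -> int:
        # ISO 27000 2.24 note: risk combines likelihood and consequence.
        # Multiplying the two ordinal scores is the (assumed) combination rule used here.
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Control:
    """A selected control (4.2.1 g) and the score reduction it is expected to bring (assumed)."""
    reference: str          # Annex A identifier, ISO 27001:2005 numbering
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


def apply_controls(scenario: RiskScenario, controls: list) -> RiskScenario:
    """Estimate the residual scenario once the controls are in place; scores never drop below 1."""
    likelihood = max(SCALE_MIN, scenario.likelihood - sum(c.likelihood_reduction for c in controls))
    consequence = max(SCALE_MIN, scenario.consequence - sum(c.consequence_reduction for c in controls))
    return replace(scenario, likelihood=likelihood, consequence=consequence)


def treatment_decision(residual_level: int, acceptance_threshold: int) -> str:
    """4.2.1 h: residual risk at or below the acceptance criterion can be approved by
    management; anything above it needs further treatment before approval."""
    return "accept" if residual_level <= acceptance_threshold else "treat further"


def build_register(scenarios, controls_by_asset, acceptance_threshold):
    """Produce register rows sorted by residual risk, highest first."""
    rows = []
    for s in scenarios:
        controls = controls_by_asset.get(s.information_asset, [])
        residual = apply_controls(s, controls)
        rows.append({
            "asset": s.information_asset,
            "aspect": s.security_aspect,
            "threat": s.threat,
            "inherent": s.risk_level(),
            "residual": residual.risk_level(),
            "controls": [c.reference for c in controls],
            "decision": treatment_decision(residual.risk_level(), acceptance_threshold),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample scenarios, built from the handbook's vulnerability/threat examples.
SCENARIOS = [
    RiskScenario("Party website content", "Web server", "integrity",
                 "Security holes in the web server", "Hackers", "Damage to public image", 4, 4),
    RiskScenario("Customer records", "File server", "confidentiality",
                 "Unencrypted data", "Information theft", "Confidential information leakage", 3, 5),
    RiskScenario("Accounting data", "Database server", "availability",
                 "No backup procedures", "Equipment failure", "Loss of information", 2, 5),
    RiskScenario("HR application", "Directory service", "confidentiality",
                 "No review of access rights", "Unauthorized access by former employees",
                 "Invasion of privacy of employees", 3, 3),
]

# Constructed control selection; the reductions are assumed estimates, not values from any standard.
CONTROLS = {
    "Party website content": [Control("A.12.6.1", "Control of technical vulnerabilities", likelihood_reduction=2)],
    "Customer records": [Control("A.12.3.1", "Policy on the use of cryptographic controls", consequence_reduction=3)],
    "Accounting data": [Control("A.10.5.1", "Information back-up", consequence_reduction=3)],
    # "HR application": no control selected yet, so its residual risk equals its inherent risk
}

ACCEPTANCE_THRESHOLD = 6  # assumed organizational risk acceptance criterion (4.2.1 c)


if __name__ == "__main__":
    for row in build_register(SCENARIOS, CONTROLS, ACCEPTANCE_THRESHOLD):
        print(f"{row['asset']:<22} {row['aspect']:<15} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} controls={row['controls']} -> {row['decision']}")
```

Run as a script it prints the register with the highest residual risk first, which is the order in which a risk treatment plan (4.2.2) would schedule work; the rows whose decision is "treat further" are exactly the ones management cannot yet approve under 4.2.1 h). Note that the HR scenario ends up at the top not because it is the most severe inherently but because no control has been selected for it, which is the kind of gap the statement of applicability (4.2.1 j) is meant to expose.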

Control Objective and Control

ISO 27000, clause 2.10-11

Control objective: Statement describing what is to be achieved as a result of implementing controls

Control: Methods to manage a risk. Include policies, procedures, guidelines and practices or organizational structures. Synonyms: measure, counter-measure, security device

Types of control: Technical control; Administrative control; Legal control; Managerial control