Certified ISO/IEC 27001
Lead Implementer
Participant Handbook
Information Security Training
Copyright ISO 27001 Lead Implementer, Classroom course, release 5.0.0
Copyright and Trademark Information for Partners/Stakeholders.
ITpreneurs Nederland B.V. is affiliated to Veridion.
Copyright © 2013 ITpreneurs. All rights reserved.
Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
Certified ISO/IEC 27001 | Lead Implementer | Participant Handbook
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1
Follow Us
Before you start the course, please take a moment to:
“Like us” on Facebook
http://www.facebook.com/ITpreneurs
“Follow us” on Twitter
http://twitter.com/ITpreneurs
"Add us in your circle" on Google Plus
http://gplus.to/ITpreneurs
"Link with us" on Linkedin
http://www.linkedin.com/company/ITpreneurs
"Watch us" on YouTube
http://www.youtube.com/user/ITpreneurs
Contents
Certified ISO/IEC 27001 Lead Implementer
Day 1 (page 5)
Day 2 (page 65)
Day 3 (page 133)
Day 4 (page 201)
Appendix A: Case Study (page 263)
Appendix B: Exercises List (page 271)
Appendix C: Correction Key (page 289)
Appendix D: Release Notes (page 305)
Day 1
ISO 27001 Lead Implementer
DAY 1
Certified ISO 27001 Lead Implementer
Certified ISO 27001 Lead Implementer Training
Section 1: Course objectives and structure
a. Meet and greet
b. General points
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training
Activity
Meet and greet
General Information
Smoking area
Meals
Timetable and breaks
Use of mobile phones and recording devices
Absences
Use of a computer and access to the Internet
Training Objectives
Acquiring knowledge
1. Understand the components and the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001 and ISO 27002 as well as with other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS
Training Objectives
Development of competencies
1. Interpret the ISO 27001 requirements in the specific context of an organization
2. Develop the expertise to support an organization to plan, implement, manage, monitor and maintain an ISMS as specified in ISO 27001
3. Acquire the expertise to advise an organization on information security management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project
Educational Approach
Students at the center
Examination
Competency domains
1. Fundamental principles of information security
2. Information security control best practice based on ISO 27002
3. Planning an ISMS based on ISO 27001
4. Implementing an ISMS based on ISO 27001
5. Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001
6. Continual improvement of an ISMS based on ISO 27001
7. Preparing for an ISMS certification audit
Certified ISO 27001 Lead Implementer
Prerequisites for certification
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years professional experience
4. 2 years information security experience
5. 300 hours activity
6. Professional references
Certificate
Candidates who meet all the prerequisites for certification will receive a certificate.
What is PECB?
Professional Evaluation and Certification Board
Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers
Personnel Certification Bodies
ISO 17024
ISO 17024 specifies the criteria for an organization that conducts certification of persons in relation to specific requirements, including developing and maintaining a certification scheme for persons
PECB is accredited by ANSI under ISO/IEC 17024
Most of the organizations proposing certifications of professionals are not accredited certification bodies
Why become a Certified Implementer?
Advantages
Qualifying oneself to manage an ISMS project
Formal and independent recognition of personal competencies
Certified professionals usually earn salaries higher than those of non-certified professionals
Customer Service
Comments, questions and complaints
Parties involved: Training Participant, Training Provider, PECB
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration
Schedule for the Week
Questions?
Certified ISO 27001 Lead Implementer Training
Section 2: Standard and regulatory framework
a. ISO structure
b. Fundamental ISO principles
c. Information Security Standards
d. ISO 27000 family
e. Integrated normative framework
f. Project Management Standards
What is ISO?
ISO is a network of national standardization bodies from over 160 countries
The final results of ISO works are published as international standards
Over 19 000 standards have been published since 1947
Basic Principles – ISO Standards
1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies
Eight ISO Management Principles
Management System Standards
Primary standards against which an organization can be certified:
ISO 9001: Quality
ISO 14001: Environment
OHSAS 18001: Health and Safety at work
ISO 20000: IT Service
ISO 22000: Food Safety
ISO 22301: Business continuity
ISO 27001: Information security
ISO 28000: Supply Chain Security
Integrated Management System
Common structure of ISO standards (clause numbers in each standard)
Requirements | ISO 9001:2008 | ISO 14001:2004 | ISO 20000:2011 | ISO 22301:2012 | ISO 27001:2005
Objectives of the management system | 5.4.1 | 4.3.3 | 4.5.2 | 6.2 | 4.2.1
Policy of the management system | 5.3 | 4.2 | 4.1.2 | 5.3 | 4.2.1
Management commitment | 5.1 | 4.4.1 | 4.1 | 5.2 | 5
Documentation requirements | 4.2 | 4.4 | 4.3 | 7.5 | 4.3
Internal audit | 8.2.2 | 4.5.5 | 4.5.4.2 | 9.2 | 6
Continual improvement | 8.5.1 | 4.5.3 | 4.5.5 | 10 | 8
Management review | 5.6 | 4.6 | 4.5.4.3 | 9.3 | 7
Other Information Security Standards
Examples
History of the ISO 27001 Series
Important dates
1990: Code of best practices (published by a group of companies)
1995: BS7799-1, code of best practices
1998: BS7799-2, ISMS certification schema
2000: ISO 17799, best practices code
2005: New version of ISO 17799; ISO 27001 publication
2007: ISO 27006, certification organization requirements
2008+: Publication of other standards of the 27000 family; revision to ISO 27001 & ISO 27002 in progress
ISO 27000 Family
Vocabulary: ISO 27000 (Vocabulary)
Requirements: ISO 27001 (ISMS requirements); ISO 27006 (Certification organization requirements)
General guides: ISO 27002 (Code of practices); ISO 27003 (Implementation guide); ISO 27004 (Metrics); ISO 27005 (Risk management); ISO 27007-27008 (Audit guides)
Industry guides: ISO 27011 (Telecommunications); ISO 27799 (Health); ISO 270XX (others)
ISO 27001
Specifies requirements for ISMS management (Clauses 4 to 8)
Requirements (clauses) are written using the imperative verb “shall”
Annex A: 11 clauses containing 39 control objectives and 133 controls
Organizations can obtain certification against this standard
ISO 27002
Guide for code of practice for information security management (reference document)
Clauses are written using the verb “should”
Composed of 11 clauses, 39 control objectives and 133 controls
Organizations cannot obtain certification against this standard
A.k.a. ISO 17799
ISO 27003
Code of practice for the implementation of an ISMS
Reference document to be used with the ISO 27001 and ISO 27002 standards
Consisting of 9 clauses which define 28 stages to implement an ISMS
Certification against this standard is not possible
ISO 27009+
Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of domain-specific standards:
For industries: telecommunication, health, finance and insurance, ...
For specific sectors related to information security: application security, cyber security, security incident management, privacy protection, ...
Questions?
Certified ISO 27001 Lead Implementer Training
Section 3: Information Security Management System (ISMS)
a. Definition of an ISMS
b. Process approach
c. Overview – Clauses 4 to 8
d. Annex A
Definition of ISMS
ISO 27001, clause 3.7
The part of the overall management system, based on a risk-based approach, to establish, implement, operate, monitor, review, maintain and improve information security
Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources
Process Approach
ISO 27001, clause 0.2
PDCA cycle applied to the ISMS:
Plan: Establish the ISMS
Do: Implement the ISMS
Check: Monitor and review the ISMS
Act: Maintain and improve the ISMS
Input from interested parties: information security requirements and expectations
Output to interested parties: managed information security
Process Approach
The application of the process approach will vary from one organization to the next depending on its size, complexity and activities
Organizations often identify too many processes
Process model: Input, Activities, Output, under Control
Structure of the ISO 27001 Standard
Clause 4.2.1: Establish the ISMS
Clause 4.2.2: Implement and operate the ISMS
Clause 4.2.3: Monitor and review the ISMS
Clause 4.2.4: Maintain and improve the ISMS
Clause 5: Management responsibility
Clause 6: Internal ISMS audits
Clause 7: Management review
Clause 8: ISMS improvement
Annex A: Control objectives and controls
Establish the ISMS
ISO 27001, clauses 4.2.1 a-j
a) Define scope and boundaries of the ISMS
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyze and evaluate the risks
f) Identify and evaluate risk treatment options
g) Select control objectives and controls
h) Approve residual risks
i) Have management approve the ISMS
j) Prepare the statement of applicability
Implementation of the ISMS
ISO 27001, clause 4.2.2
Risk Treatment Plan: Define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
Implementation of controls: Implement the controls and define how to measure the effectiveness of the selected controls
ISMS Management: Manage ISMS operations daily
Training & Awareness: Set in place a training and awareness programme
Incident Management: Set in place an incident management process to detect and treat incidents rapidly
ISMS Monitoring and Review
ISO 27001, clause 4.2.3
1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS taking into account the feedback and suggestions of the stakeholders
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans
Note: Each of these actions must be documented and recorded
Documentation Requirements
ISO 27001, clause 4.3
Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible
ISO 27001, clause 4.3.1
It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives
Management Responsibility
ISO 27001, clause 5
5.1 Management commitment: Management shall provide evidence of its commitment to the ISMS
5.2.1 Make resources available: Management shall determine and provide the necessary resources for the ISMS
5.2.2 Training, awareness & competency: Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks
ISMS Internal Audits
ISO 27001, clause 6
The organization shall conduct ISMS internal audits at regular intervals
An audit programme must be planned taking into account the importance of processes and scopes to audit, as well as previous audit results
ISMS Management Review
ISO 27001, clause 7
Management review input elements:
1. Results of ISMS audits and reviews
2. Feedback from stakeholders
3. Techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness
4. Status of preventive and corrective actions
5. Vulnerabilities or threats that have not been adequately assigned during the previous risk assessment
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any change that can affect the ISMS
9. Recommendations for improvement
Management review output elements:
1. Improvement of the effectiveness of the ISMS
2. Update of the risk assessment and the risk treatment plan
3. Modification of information security procedures and controls
4. Resource needs
5. Improvement in the way efficiency of controls is measured
ISMS Improvement
ISO 27001, clause 8.1
The organization shall continually improve the effectiveness of the ISMS using the information security policy, information security objectives, audit results, event analysis, corrective and preventive actions, and the management review
Security Objectives and Controls
ISO 27001, Annex A
ISO 27001, Annex A: list of the security objectives and controls
ISO 27002: recommendations for implementation of the objectives and controls, plus supplementary information
Important note: in theory, taking into account the 27002 best practices is not a requirement to obtain a 27001 certification
ISO 27002 Clauses
ISO 27001, Annex A
A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance
Exercise 1
Reasons to adopt ISO 27001
ISO 27001 Advantages
1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing
Questions?
Certified ISO 27001 Lead Implementer Training
Section 4: Fundamental Principles of Information Security
a. Asset and information asset
b. Information security
c. Confidentiality, integrity and availability
d. Vulnerability, threat and impact
e. Information security risk
f. Security objectives and controls
g. Classification of security controls
Asset and Information Asset
ISO 9000, clause 7.3.1; ISO 27000, clauses 2.3 & 2.8
Information: meaningful data
Asset: all elements having value for the organization
Information asset: knowledge or data that has value to the organization
Document – Specification – Record
ISO 9000, clause 3.7
Document: information and its supporting medium
Specification: document stating requirements
Record: document stating results achieved or providing evidence of activities performed
Information Security
ISO 27002, clause 0.1
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities
Information Security
ISO 27000, clause 2.19
Preservation of confidentiality, integrity and availability of information
Note: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved
Information Security
Covers information of all kinds
Printed or hand written
Recorded using technical support
Transmitted by email or electronically
Included in a website
Shown on corporate videos
Mentioned during conversations
Etc.
Confidentiality
ISO 27000, clause 2.9
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Integrity
ISO 27000, clause 2.25
Property of protecting the accuracy and completeness of assets
Availability
ISO 27000, clause 2.7
Property of being accessible and usable upon demand by an authorized entity
Vulnerability
ISO 27000, clause 2.46
Weakness of an asset or a security control that can be exploited by a threat
Types of Vulnerabilities
ISO 27005, Annex D
Type of vulnerability | Examples
1 Hardware | Insufficient maintenance; Portability
2 Software | No registration logs; Complicated interfaces
3 Network | Lack of encryption of transfers; Single point of access
4 Personnel | Insufficient training; Lack of supervision
5 Site | Unstable electrical system; Site in an area susceptible to flood
6 Organization's structure | Lack of segregation of duties; No job descriptions
Threats
ISO 27000, clause 2.45
Potential cause of an unwanted incident which may result in harm to a system or an organization
Types of Threats
ISO 27005, Annex C
Threat type | Examples
1 Physical damage | Fire; Water damage
2 Natural disaster | Earthquake; Flooding
3 Loss of essential service | Failure of air conditioning; Power outage
4 Disruption caused by radiation | Electromagnetic radiation; Thermal radiation
5 Information compromised | Wiretaps; Theft of documents
6 Technical failure | Equipment failure; Network overload
7 Unauthorized action | Unauthorized access; Use of pirated software
Relationship: Vulnerability and Threat
Examples
Vulnerability | Threat
Warehouse unprotected and without surveillance | Theft
Complicated data processing procedures | Data input error by personnel
No segregation of duties | Fraud, unauthorized use of a system
Unencrypted data | Information theft
Use of pirated software | Lawsuit, virus
No review of access rights | Unauthorized access by persons who have left the organization
No backup procedures | Loss of information
Impact
ISO 27000, clause 2.17
Adverse change to the level of business objectives achieved
Examples of impacts on availability: performance degradation; service interruption; unavailability of service; disruption of operations
Examples of impacts on integrity: accidental change; deliberate change; incorrect results; incomplete results; loss of data
Examples of impacts on confidentiality: invasion of privacy of users or customers; invasion of privacy of employees; confidential information leakage
Information Security Risk
ISO 27000, clause 2.24
Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
Note: It is measured in terms of a combination of the likelihood of an event and its consequence
Risk Scenario
Example
United Kingdom: Corruption of several websites of the Conservative Party (Vital Security 01/03/2010)
The text of the corruption encourages website visitors to vote for the Labour Party. Messages left by the attackers include a security evaluation of the site and political slogans.
Information asset: Content of the Conservative party website
Other asset: Server hosting the Conservative party website
Security aspect: Integrity
Vulnerability: Security holes in the Web server
Threat: Hackers
Impact: Image of the Conservative party
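The definitions on the preceding slides (vulnerability, threat, impact, and risk as a combination of likelihood and consequence) are what an implementer turns into a risk register during steps d) to h) of clause 4.2.1. The following is an added example written for this handbook edition; it is not PECB's or ISO's own method. The 1-5 ordinal scales, the multiplication used to combine likelihood and consequence, the acceptance threshold of 8 and the ratings in the sample register are all assumptions chosen for illustration; an organization fixes its own in its risk assessment approach (step c). The register entries reuse the vulnerability/threat pairs from the slides above and the website scenario.

```python
"""Minimal information-security risk register (added example, not from the handbook).

A risk links an asset, a vulnerability and a threat to an impact; its level is a
combination of likelihood and consequence (ISO 27000, clause 2.24 note).
Assumptions for this example: 1-5 ordinal scales, level = likelihood x consequence,
and risks with a level above ACCEPTANCE_THRESHOLD must go into the treatment plan.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    security_aspect: str      # confidentiality, integrity or availability
    vulnerability: str
    threat: str
    impact: str
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    consequence: int          # 1 (negligible) .. 5 (severe), assumed scale

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the register stays comparable
        for name in ("likelihood", "consequence"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be on the 1-5 scale, got {value}")

    @property
    def level(self) -> int:
        # Combination rule assumed for this example: likelihood x consequence (1..25)
        return self.likelihood * self.consequence


ACCEPTANCE_THRESHOLD = 8   # assumed: risks at or below this level may be accepted


def assess(register):
    """Rank risks, highest level first, and decide which ones need treatment.

    Returns a list of (risk, level, needs_treatment) tuples. Ties on level are
    broken by consequence so that severe-impact risks are listed first.
    """
    ranked = sorted(register, key=lambda r: (r.level, r.consequence), reverse=True)
    return [(r, r.level, r.level > ACCEPTANCE_THRESHOLD) for r in ranked]


def residual_level(risk, likelihood_after, consequence_after):
    """Level remaining once a control has changed likelihood and/or consequence.

    This is the value management signs off on in step h) (approve residual risks).
    """
    treated = Risk(risk.asset, risk.security_aspect, risk.vulnerability, risk.threat,
                   risk.impact, likelihood_after, consequence_after)
    return treated.level


# Constructed register: pairs taken from the handbook's examples, ratings invented
SAMPLE_REGISTER = [
    Risk("Party website content", "integrity", "Security holes in the web server",
         "Hackers", "Damage to public image", 4, 3),
    Risk("Warehouse stock", "availability", "Warehouse unprotected and without surveillance",
         "Theft", "Loss of assets", 3, 3),
    Risk("Customer database", "confidentiality", "Unencrypted data",
         "Information theft", "Confidential information leakage", 2, 5),
    Risk("File server", "availability", "No backup procedures",
         "Loss of information", "Disruption of operations", 2, 4),
    Risk("Payment system", "integrity", "No segregation of duties",
         "Fraud", "Financial loss", 1, 4),
]


def treatment_queue(register=SAMPLE_REGISTER):
    """Vulnerabilities that must enter the risk treatment plan, highest risk first."""
    return [r.vulnerability for r, _, needs_treatment in assess(register) if needs_treatment]


if __name__ == "__main__":
    for r, level, needs_treatment in assess(SAMPLE_REGISTER):
        verdict = "TREAT " if needs_treatment else "accept"
        print(f"{level:2d} {verdict} {r.asset}: {r.vulnerability} / {r.threat}")
```

With the assumed ratings, the website defacement scenario (4 x 3 = 12), the unencrypted customer database (2 x 5 = 10) and the unprotected warehouse (3 x 3 = 9) exceed the threshold and go to the treatment plan, while the missing backups (2 x 4 = 8) sit exactly at the acceptance limit and the segregation-of-duties gap (1 x 4 = 4) is accepted. The ranking by level then consequence is what gives the selection of controls in step g) a defensible order, and the documented scale and threshold are what an auditor will ask to see alongside the register.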
Control Objective and Control
ISO 27000, clause 2.10-11
Control objective: statement describing what is to be achieved as a result of implementing controls
Control: methods to manage a risk; include policies, procedures, guidelines and practices or organizational structures. Synonyms: measure, counter-measure, security device
Types of control: technical control, administrative control, legal control, managerial control