ISO27001 Information Security Management Standard. Experiences of gaining accreditation
Randy Banks ([email protected])
Institute for Social and Economic Research
http://www.iser.essex.ac.uk
@iseressex
Presented to an RSS Social Statistics Section/ASC Meeting, 20 May 2014
Data Privacy. Protecting Participant Identities.
RSS/ASS Meeting Data Privacy 20 May 2014
Outline

- ISER
- Description of ISO27001
- Effects of achieving ISO27001 certification
  - Costs
  - Benefits
- Caveats
- Concluding thoughts
Institute for Social and Economic Research

- Interdisciplinary socio-economic research department at the University of Essex
- ~80 staff, ~40 PhD students
- Specialise in longitudinal research and methodology
- Large number and variety of projects ranging from small, ad hoc studies to large, relatively permanent fixtures, e.g.:
  - British Household Panel Survey
  - Understanding Society
  - ESRC Research Centre on Micro-Social Change
  - EUROMOD
- Completely dependent on research income from clients and funders: ESRC, EC, Government Departments, foundations, commercial and charitable organisations, etc.
- Certified to ISO27001 in April 2013
ISO27001. What is it?

- ISO/IEC 27001. Information technology – Security techniques – Information security management systems – Requirements. Second Edition. 2013-10-01.
- Information security – ‘preservation of confidentiality, integrity and availability [the CIA] of information’ (ISO27000)
  - Confidentiality important, but not everything
- An information security management standard, not an information security standard
  - Framework and process for developing an information security management system (ISMS)
  - Tells you how to go about protecting your information, not what you should do to protect it
  - Wide applicability
- ISO27002 provides implementation guidance
  - BS ISO/IEC 27002:2013. Information technology. Security techniques. Code of practice for information security controls
Structure

- Preliminary clauses
- Mandatory clauses
- Information security controls
Mandatory Clauses

- N = 7
- Common to other ISO management standards
Clause and coverage:

- Clause 4, Context of the organisation: understanding the organisation and its context, and interested parties; defining the ISMS scope
- Clause 5, Leadership: demonstrate management commitment, create information security policy, determination of roles and responsibilities
- Clause 6, Planning: requirements for risk assessment and treatment, information security objectives and planning to achieve them
- Clause 7, Support: resourcing, competence, awareness, documentation and communication
- Clause 8, Operation: operations, implementation of risk assessment and treatment
- Clause 9, Performance evaluation: assessing the effectiveness of the ISMS, internal audit and management review
- Clause 10, Improvement: addressing non-conformities, continual improvement
Information Security Controls

- Annex A. Reference control objectives and controls
- N = 114, grouped into 14 sections
- Maps to controls and references described in ISO 27002 (A.5.* to A.18.*)
- Selected as a result of the risk assessment process and recorded as applicable or not in the Statement of Applicability (SOA) – clause 6.1.3
ISO 27001. Annex A
Reference, section (number of controls) and content:

- A.5 Information security policies (2): management direction
- A.6 Organization of information security (7): internal organisation
- A.7 Human resource security (6): prior to and during employment; termination and change
- A.8 Asset management (10): responsibilities, information classification, media handling
- A.9 Access control (14): business requirements, user management and responsibilities, systems and application access control
- A.10 Cryptography (2): cryptographic controls
- A.11 Physical and environmental security (15): secure areas, equipment
- A.12 Operations security (14): procedures and responsibilities, malware protection, backup, logging and monitoring, operational software, technical vulnerabilities, systems audits
- A.13 Communications security (7): network security, information transfer
- A.14 Systems acquisition, development and maintenance (13): security requirements, development and support, test data
- A.15 Supplier relationships (5): information security in supplier relationships, service delivery
- A.16 Information security incident management (7): management of incidents, improvement (of ISMS)
- A.17 Information security aspects of business continuity (4): continuity, redundancy (of facilities)
- A.18 Compliance (8): legal and contractual compliance, reviews
ISO27001. Costs

- The standard(s): 27001 is crucial, but also 27002 and others in the 27* series
  - From the British Standards Institute (50% discount for members)
- Personnel: designated person with overall IS responsibilities and other personnel with newly defined responsibilities
- Additional meetings, e.g. regular management review, internal/external audits
- Regular access/operational reviews, risk assessments
- Training
- New procedures created / some procedures now more formalised: more time consuming
- Consultants
- (Continued re-)certification
  - (Re)certification audit(s)
  - Certificate(s)
  - Surveillance audits
ISO27001. Benefits

- Competitive advantage
  - ISO27001 certification is increasingly required or positively encouraged by potential clients
  - Assists in establishing compliance with other standards and requirements, e.g. HMG Security Policy Framework
- Culture change
  - Increasing awareness of the importance of information security in an interconnected world
  - Expenditure on information security increasingly seen as a business investment and enabler rather than a technical overhead that inhibits achievement of business goals
  - Information security management increasingly seen as everyone’s responsibility and not solely within the purview of the IT department
  - More confidence that we are meeting our ethical, legal and contractual responsibilities
ISO27001. Benefits (continued)

- Improved – and continually improving – business and technical processes
  - Forced into a better understanding of organisational functions and operations
  - Impossible not to improve: 27001 forces you to continually reassess and requires you to demonstrate improvement
ISO27001. What are the costs?

- Can’t completely distinguish the marginal costs of achieving ISO27001 certification from:
  - Costs of achieving good information security practice, and the contribution of 27001 certification to that end
  - Efficiency gains from the formalisation and regular review of procedures
  - Costs of implementing contractual requirements (other than 27001 certification) that would otherwise be required
Caveats

- When speaking to suppliers
  - ISO27001 is not the last word in information security
  - Certification verifies compliance with the standard, not with specific measures that you might feel necessary
  - Scope and SOA are critical
  - Beware of excessive claims by suppliers about the relevance of ISO27001 certification
  - Beware of compliance claims not backed up by (plans for) certification
  - Certification is marginal cost after achieving compliance and
- When working towards certification
  - Beware of template solutions and consultants who offer them: leads to unnecessary and irrelevant documentation
  - Don’t aim for perfection: ISO27001 expects continual improvement
  - Certification is a long-term commitment
    - Initial certification is followed by (bi)annual surveillance audits and recertification every 3 years
    - Losing certification will cost a lot more than acquiring it in the first place
Concluding Thoughts

1. Jump before you’re pushed
Getting Help

- Online resources
  - BSI – ISO/IEC 27001 Information Security resources (http://www.bsigroup.com/en-GB/iso-27001-information-security/Resources-for-ISO-27001/)
  - ECSC – ISO 27001 Executive Brief and email briefings (http://www.ecsc.co.uk/papers.cgi?id=3)
  - Information Security Standards (http://www.iso27001security.com/)
  - And others …
- Training
  - BSI (http://www.bsigroup.com/)
  - SGS (http://www.sgs.co.uk/)
  - And others …
Thank you for listening.