8/12/2019 présentation_normes_iso
http://slidepdf.com/reader/full/presentationnormesiso 1/34
© copyright AEXIS Security Consultants, 2000-2009
ISMS and 27000 Family of Standards
Dr Angelika Plate
www.aexis.de
ISO/IEC JTC1 SC27: Chair Walter Fumy, Vice Chair Marijike de Soete, Secretary Krystyna Passia (DIN)
• WG1 ISMS Standards: Chair Ted Humphreys, Vice Chair Angelika Plate
• WG2 Security Techniques: Chair Kenji Namura
• WG3 Security Evaluation: Chair Mats Ohlin
• WG4 ISMS Services: Chair Meng-Chow Kang
• WG5 Privacy, ID management and Biometrics: Chair Kai Rannenberg
Information security management system (ISMS) [27001]
• 27001 supporting guidance material
– ISMS overview & terminology [27000]
– Information security controls (ex 17799) [27002]
– ISMS implementation guide [27003]
– Information security management measurements [27004]
– ISMS risk management [27005]
• Accreditation and certification
– Accreditation requirements for ISMS [27006]
– ISMS audit guidelines [27007]
• Sector-specific developments
– ISMS for Telecoms [27011]
– Other sector-specific developments
Standard  Title                                                        Status
27000     Overview and vocabulary                                      FDIS
27001     ISMS requirements                                            Published – now revised
27002     Information security management Code of Practice             Published – now revised
27003     ISMS Implementation guide                                    FCD
27004     ISM Measurements                                             2nd FCD
27005     ISMS Risk management                                         Published
27006     Accreditation requirements for certification bodies          Published
27007     ISMS Audit guidelines                                        WD
27008     Guidance on auditing ISMS controls                           WD
Standard  Title                                                                                        Status
27010     New NP: Sector to sector interworking and communications for industry and government         WD
27011     Information security management guidelines for telecommunications based on ISO/IEC 27002    On its way to publication
27012     ISMS guidelines for e-government                                                             WD
NP        ISMS for the financial and insurance service sector                                          --
NP        ISMS for service management                                                                  --
NP        Information security governance framework                                                    --
ISO/IEC 27001 ISMS Requirements
• Highlights and features
– Risk management approach
• risk assessment
• risk treatment
• management decision making
– Continuous improvement model
– Measures of effectiveness
– Auditable specification (internal and external ISMS auditing)
– Now under revision
Topics for Revision
• ONLY necessary changes – no changes for the sake of change
• Simple corrections:
– 4.2.1 b) Confusion between ISMS policy and information security policy in 27002
– 4.2.3 g) Update security plans…. These security plans are not mentioned anywhere else
• More fundamental issues:
– What about the Statement of Applicability – shall it stay or shall it go?
ISO/IEC 27002 (prev. ISO/IEC 17799)
• Code of Practice for information security management
• From Spring 2007 ISO/IEC 17799 was renumbered as 27002
• The standard is now under revision
ISO/IEC 27002 Code of practice for information security management
A catalogue of Best Practice, suggesting a holistic set of controls. Not a certification or auditable standard.
• Security policy
• Organising information security
• Asset management
• Human resources security
• Physical & environmental security
• Communications & operations management
• Access control
• Information systems acquisition, development and maintenance
• Business continuity management
• Compliance
• Information security incident management
Topics for Revision
• Some people want to change the structure – my view is to only change the structure where new content yields changes – no changes just for the sake of it
• Example: if controls on application security will be included, a re-structuring of Clause 10 might be useful
• More controls on
– Application security
– Business continuity
– Awareness
– ….
Revision of 27001 & 27002
• A “design specification” for the revision of the two documents is needed
• My view:
– Necessary changes and useful improvements – YES
– Changes without good reasons – NO
• Meeting with the 27002 editor to discuss the strategy for Beijing
• Recommendation: Comment not only on changes, but also on what you would like to keep
ISO/IEC 27003 - Overview
• Implementation guidance – to help organisations implementing the ISMS requirements
• Design agreements:
– No specification of minimal content or definition of requirements for implementation
– No particular ways of implementing an ISMS
– Examples, case studies
– No overlap with 27004, 27005
Structure of ISO/IEC 27003
• Describing the workflow to implement an ISMS
– Obtaining management approval for the ISMS
– Conducting an analysis of the organization
– Conducting risk assessment & treatment
– Designing the ISMS
Clause Structure
• Activity - Defines what is necessary to satisfy all or part of the objectives
• Input - Describes the starting point, such as the existence of documented decisions or outputs from other ISMS implementation activities
• Guidance - Provides detailed information to enable the objectives to be met
• Output - Describes the result or deliverable, upon completion of the activity
• Other information
Diagrams
My View of ISO/IEC 27003
• In principle not a bad document, a lot of useful information
• Development is too rushed, it needs a careful review
• Now already at FCD stage – options:
– Have an untidy document
– Have no document at all
ISO/IEC 27004 - Overview
• Scope
– Providing guidance on the development and use of measures in order to assess the effectiveness of ISMS processes, control objectives and controls as specified in ISO/IEC 27001
• Introduction explaining the main parts of the measurement programme
• Management overview to ease the understanding, especially for SMEs
Relationship with the ISMS
Information security measurement model
Clause Structure
• Information security measurement overview
• Management responsibilities
• Measures and measurement development
• Measurement operation
• Reporting of measurement results
• Evaluation and improvements of measurements
Annex B – Measurement Examples
• ISMS overall effectiveness
• ISMS Training
– ISMS-trained personnel
– Information Security Training
– Information Security Awareness Compliance
• Password Policies
– Password Quality - manual
– Password Quality - automated
• ISMS Review Process
• ISMS Continual Improvement
– ISMS Incidents and effectiveness
– Corrective Action Implementation
• Management Commitment
• Protection Against Malicious Code
• Physical Entry Controls
• Log Files Review
• Manage Periodic Maintenance
• Security in Third Party Agreements
My View of ISO/IEC 27004
• Very detailed consideration of measurements
• Feedback:
– Large organisations: we use base and derived measures, but not necessarily in such a complex manner
– Small organisations: far too complex for us
• Annexes give useful examples
• Downsizing is often necessary
• More information needed on
– How to select ‘good’ measures
– How to condense results of measurements
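As an added illustration (not taken from the slides or from the text of ISO/IEC 27004), the base-measure to derived-measure to indicator chain applied to two of the Annex B examples, "ISMS-trained personnel" and "Password Quality - automated", with a condensing step of the kind the slide asks for; the thresholds, record layouts and sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Indicator:
    name: str
    base: dict        # base measures: raw counts taken from records
    derived: float    # derived measure: result of the measurement function
    status: str       # result of applying the decision criteria

def ratio_indicator(name, hits, total, green=0.90, amber=0.75):
    """Measurement function = hits/total; decision criteria = assumed thresholds."""
    value = hits / total if total else 0.0   # no population -> worst status
    status = "GREEN" if value >= green else "AMBER" if value >= amber else "RED"
    return Indicator(name, {"hits": hits, "total": total}, round(value, 3), status)

def trained_personnel(staff):
    """Annex B 'ISMS-trained personnel': share of in-scope staff with training."""
    scoped = [s for s in staff if s["in_scope"]]
    return ratio_indicator("ISMS-trained personnel",
                           sum(1 for s in scoped if s["trained"]), len(scoped))

def password_quality_automated(accounts, min_len=12):
    """Annex B 'Password Quality - automated': accounts passing an automated policy check.
    Only the check's outcome (length, complexity flag) is recorded, never the password."""
    ok = sum(1 for a in accounts if a["pw_len"] >= min_len and a["complex"])
    return ratio_indicator("Password quality (automated)", ok, len(accounts))

def condense(indicators):
    """Condense several indicators into one reportable status: worst status wins."""
    rank = {"GREEN": 0, "AMBER": 1, "RED": 2}
    return max(indicators, key=lambda i: rank[i.status]).status

# Constructed sample records (assumed layout, not real data).
STAFF = [
    {"id": "u1", "in_scope": True, "trained": True},
    {"id": "u2", "in_scope": True, "trained": True},
    {"id": "u3", "in_scope": True, "trained": True},
    {"id": "u4", "in_scope": True, "trained": False},
    {"id": "u5", "in_scope": False, "trained": False},  # outside the ISMS scope
]
ACCOUNTS = [
    {"id": "a1", "pw_len": 16, "complex": True},
    {"id": "a2", "pw_len": 14, "complex": True},
    {"id": "a3", "pw_len": 8, "complex": True},     # too short
    {"id": "a4", "pw_len": 20, "complex": False},   # fails complexity rule
]

if __name__ == "__main__":
    results = [trained_personnel(STAFF), password_quality_automated(ACCOUNTS)]
    for r in results:
        print(f"{r.name}: {r.derived} -> {r.status}")
    print("Overall:", condense(results))
```

The "worst status wins" rule is one simple way to condense results for a management overview; a weighted scheme could replace it without changing the measurement chain.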
ISO/IEC 27005
• ISO/IEC 27005 – Information security risk management
– Provides guidance for information security risk management as laid out in ISO/IEC 27001
– Is applicable for all organizations (size, type of business, etc.) that need to manage information security risks
• Published: Summer 2008
ISO/IEC 27006
• ISO/IEC 27006 is the “Requirements for the accreditation of bodies providing certification of ISMSs”
– Joint initiative from ISO, IAF and CASCO
• Based on
– ISO/IEC 17021
– ISO/IEC 27001
• Published since February 2006
• Your view about audit time, etc?
ISO/IEC 27007
• ISMS Auditor Guidelines
• Specific ISMS guidance to complement ISO 19011
• Following the revision of ISO 19011
• Dealing with guidance for auditors on subjects such as
– ISMS Scopes
– Risk assessment reports
– Measurements
ISO/IEC 27008
• New WD on auditing ISMS controls
• Issues with that scope:
– If this became part of ISMS certification audits, there is inconsistency with other MS audits
– The ISMS should give information about the well-functioning of controls
• One way out: focusing on internal ISMS audits
ISO/IEC 27010
• New WD on sector to sector interworking and communications for industry and government
• Result of a Study Period on Critical Infrastructures
• Confusion at the last meeting – no new draft available, only a Dispo of Comments
• Scope: This International Standard provides guidance for information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations.
ISO/IEC 27011
• The ITU-T standards group Question 7/17 developed the standard X.1051 “Information security management guidelines for telecommunications based on ISO/IEC 27002”
• The aim is to support the implementation of ISO/IEC 27002 in the telecommunications sector
ISO/IEC 27011
• The standard contains
– An overview giving the framework in which it operates
– Extended versions of the controls from ISO/IEC 27002 to address telecoms
• This standard has been adopted by SC 27 as ISO/IEC 27011 (on its way to publication)
ISO/IEC 27012
• A new standard containing ISMS guidelines for e-government – 1st WD
• The scope of this Standard is to define guidelines supporting the implementation of Information Security Management (ISM) in e-government services
• To provide guidance to the Public Administration on how to adapt 27002 controls and processes to specific e-government services and legally binding procedures
NP Financial services
• A NWIP for financial and insurance services
• Scope: This international standard provides guidance for supporting the implementation of information security management in financial and insurance services sectors
• This standard is intended to provide guidance on how to adapt the 2700x ISMS Framework. It aims to support in fulfilling sector specific information security related legal and regulatory requirements through an internationally agreed and well-accepted framework
NP Integrated 20000 and 27001
• A NWIP for the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• Scope: To provide guidance on implementing an integrated information security and IT service management system
• This includes implementation advice on adopting an integrated management system, i.e. to
– Implement ISO/IEC 27001 when ISO/IEC 20000-1 is already adopted, or vice versa;
– Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together;
– Align already existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems implementations.
NP Information security governance framework
• A NWIP for IS governance
• Scope:
– Help meet corporate governance requirements related to information security
– Align information security objectives with business objectives
– Ensure a risk-based approach is adopted for information security management
– Implement effective management controls for information security management
– Evaluate, direct, and monitor an information security management system
– Safeguard information of all types, including electronic, paper, and spoken
– Ensure good conduct of people when using information
Thank you for listening
Q&A