
présentation_normes_iso


Page 1: présentation_normes_iso

8/12/2019 présentation_normes_iso

http://slidepdf.com/reader/full/presentationnormesiso 1/34

© copyright AEXIS Security Consultants, 2000-2009

ISMS and

27000 Family of Standards –

Dr Angelika Plate

www.aexis.de


ISO/IEC JTC1 SC27 – Chair Walter Fumy, Vice Chair Marijke de Soete, Secretary Krystyna Passia (DIN)

• WG1 ISMS Standards – Chair Ted Humphreys, Vice Chair Angelika Plate
• WG2 Security Techniques – Chair Kenji Namura
• WG3 Security Evaluation – Chair Mats Ohlin
• WG4 ISMS Services – Chair Meng-Chow Kang
• WG5 Privacy, ID management and Biometrics – Chair Kai Rannenberg


The 27000 family of standards

Core standard:
• Information security management system (ISMS) [27001]

27001 supporting guidance material:
• ISMS overview & terminology [27000]
• Information security controls (ex 17799) [27002]
• ISMS implementation guide [27003]
• Information security management measurements [27004]
• ISMS risk management [27005]

Accreditation and certification:
• Accreditation requirements for ISMS [27006]
• ISMS audit guidelines [27007]

Sector-specific developments:
• ISMS for Telecoms [27011]
• Other sector-specific developments


Status of the core ISMS standards

Standard  Title                                                  Status
27000     Overview and vocabulary                                FDIS
27001     ISMS requirements                                      Published – now revised
27002     Information security management Code of Practice       Published – now revised
27003     ISMS Implementation guide                              FCD
27004     ISM Measurements                                       2nd FCD
27005     ISMS Risk management                                   Published
27006     Accreditation requirements for certification bodies    Published
27007     ISMS Audit guidelines                                  WD
27008     Guidance on auditing ISMS controls                     WD


Status of the sector-specific standards

Standard  Title                                                                                        Status
27010     New NP: Sector to sector interworking and communications for industry and government         WD
27011     Information security management guidelines for telecommunications based on ISO/IEC 27002    On its way to publication
27012     ISMS guidelines for e-government                                                             WD
NP        ISMS for the financial and insurance service sector                                          --
NP        ISMS for service management                                                                  --
NP        Information security governance framework                                                    --


ISO/IEC 27001 ISMS Requirements

• Highlights and features
  – Risk management approach
    • risk assessment
    • risk treatment
    • management decision making
  – Continuous improvement model
  – Measures of effectiveness
  – Auditable specification (internal and external ISMS auditing)
  – Now under revision


Topics for Revision

• ONLY necessary changes – no changes for the sake of change
• Simple corrections:
  – 4.2.1 b) Confusion between ISMS policy and information security policy in 27002
  – 4.2.3 g) Update security plans…. These security plans are not mentioned anywhere else
• More fundamental issues:
  – What about the Statement of Applicability – shall it stay or shall it go?


ISO/IEC 27002 (prev. ISO/IEC 17799)

• Code of Practice for information security management
• From Spring 2007 ISO/IEC 17799 was renumbered as 27002
• The standard is now under revision


ISO/IEC 27002 Code of practice for information security management

A catalogue of Best Practice, suggesting a holistic set of controls. Not a certification or auditable standard.

Control areas:
• Security policy
• Organising information security
• Asset management
• Human resources security
• Physical & environmental security
• Communications & operations management
• Access control
• Information systems acquisition, development and maintenance
• Business continuity management
• Compliance
• Information security incident management


Topics for Revision

• Some people want to change the structure – my view is to only change the structure where new content yields changes – no changes just for the sake of it
• Example: if controls on application security will be included, a re-structuring of Clause 10 might be useful
• More controls on
  – Application security
  – Business continuity
  – Awareness
  – ….


Revision of 27001 & 27002

• A “design specification” for the revision of the two documents is needed
• My view:
  – Necessary changes and useful improvements – YES
  – Changes without good reasons – NO
• Meeting with the 27002 editor to discuss the strategy for Beijing
• Recommendation: Comment not only on changes, but also on what you would like to keep


ISO/IEC 27003 - Overview

• Implementation guidance – to help organisations implementing the ISMS requirements
• Design agreements:
  – No specification of minimal content or definition of requirements for implementation
  – No particular ways of implementing an ISMS
  – Examples, case studies
  – No overlap with 27004, 27005


Structure of ISO/IEC 27003

• Describing the workflow to implement an ISMS
  – Obtaining management approval for the ISMS
  – Conducting an analysis of the organization
  – Conducting risk assessment & treatment
  – Designing the ISMS


Clause Structure

• Activity - Defines what is necessary to satisfy all or part of the objectives
• Input - Describes the starting point, such as the existence of documented decisions or outputs from other ISMS implementation activities
• Guidance - Provides detailed information to enable the objectives to be met
• Output - Describes the result or deliverable, upon completion of the activity
• Other information


Diagrams


My View of ISO/IEC 27003

• In principle not a bad document, a lot of useful information
• Development is too rushed, it needs a careful review
• Now already at FCD stage – options:
  – Have an untidy document
  – Have no document at all


ISO/IEC 27004 - Overview

• Scope
  – Providing guidance on the development and use of measures in order to assess the effectiveness of ISMS processes, control objectives and controls as specified in ISO/IEC 27001
• Introduction explaining the main parts of the measurement programme
• Management overview to ease the understanding, especially for SMEs


Relationship with the ISMS


Information security measurement model


Clause Structure

• Information security measurement overview
• Management responsibilities
• Measures and measurement development
• Measurement operation
• Reporting of measurement results
• Evaluation and improvements of measurements


Annex B – Measurement Examples

• ISMS overall effectiveness
• ISMS Training
  – ISMS-trained personnel
  – Information Security Training
  – Information Security Awareness Compliance
• Password Policies
  – Password Quality - manual
  – Password Quality - automated
• ISMS Review Process
• ISMS Continual Improvement
  – ISMS Incidents and effectiveness
  – Corrective Action Implementation
• Management Commitment
• Protection Against Malicious Code
• Physical Entry Controls
• Log Files Review
• Manage Periodic Maintenance
• Security in Third Party Agreements


My View of ISO/IEC 27004

• Very detailed consideration of measurements
• Feedback:
  – Large organisations: we use base and derived measures, but not necessarily in such a complex manner
  – Small organisations: far too complex for us
• Annexes give useful examples
• Downsizing is often necessary
• More information needed on
  – How to select ‘good’ measures
  – How to condense results of measurements


ISO/IEC 27005

• ISO/IEC 27005 – Information security risk management
  – Provides guidance for information security risk management as laid out in ISO/IEC 27001
  – Is applicable for all organizations (size, type of business, etc.) that need to manage information security risks
• Published: Summer 2008


ISO/IEC 27006

• ISO/IEC 27006 is the “Requirements for the accreditation of bodies providing certification of ISMSs”
  – Joint initiative from ISO, IAF and CASCO
• Based on
  – ISO/IEC 17021
  – ISO/IEC 27001
• Published since February 2006
• Your view about audit time, etc?


ISO/IEC 27007

• ISMS Auditor Guidelines
• Specific ISMS guidance to complement ISO 19011
• Following the revision of ISO 19011
• Dealing with guidance for auditors on subjects such as
  • ISMS Scopes
  • Risk assessment reports
  • Measurements


ISO/IEC 27008

• New WD on auditing ISMS controls
• Issues with that scope:
  – If this became part of ISMS certification audits, there is inconsistency with other MS audits
  – The ISMS should give information about the well-functioning of controls
• One way out: focusing on internal ISMS audits


ISO/IEC 27010

• New WD on sector to sector interworking and communications for industry and government
• Result of a Study Period on Critical Infrastructures
• Confusion at the last meeting – no new draft available, only a Dispo of Comments
• Scope: This International Standard provides guidance for information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations.


ISO/IEC 27011

• The ITU-T standards group Question 7/17 developed the standard X.1051 “Information security management guidelines for telecommunications based on ISO/IEC 27002”
• The aim is to support the implementation of ISO/IEC 27002 in the telecommunications sector


ISO/IEC 27011

• The standard contains
  – An overview giving the framework in which it operates
  – Extended versions of the controls from ISO/IEC 27002 to address telecoms
• This standard has been adopted by SC 27 as ISO/IEC 27011 (on its way to publication)


ISO/IEC 27012

• A new standard containing ISMS guidelines for e-government – 1st WD
• The scope of this Standard is to define guidelines supporting the implementation of Information Security Management (ISM) in e-government services
• To provide guidance to the Public Administration on how to adapt 27002 controls and processes to specific e-government services and legally binding procedures


NP Financial services

• A NWIP for financial and insurance services
• Scope: This international standard provides guidance for supporting the implementation of information security management in financial and insurance services sectors
• This standard is intended to provide guidance on how to adapt the 2700x ISMS Framework. It aims to support in fulfilling sector specific information security related legal and regulatory requirements through an internationally agreed and well-accepted framework


NP Integrated 20000 and 27001

• A NWIP for the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• Scope: To provide guidance on implementing an integrated information security and IT service management system
• This includes implementation advice on adopting an integrated management system, i.e. to
  – Implement ISO/IEC 27001 when ISO/IEC 20000-1 is already adopted, or vice versa;
  – Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together;
  – Align already existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems implementations.


NP Information security governance framework

• A NWIP for IS governance
• Scope:
  – Help meet corporate governance requirements related to information security
  – Align information security objectives with business objectives
  – Ensure a risk-based approach is adopted for information security management
  – Implement effective management controls for information security management
  – Evaluate, direct, and monitor an information security management system
  – Safeguard information of all types, including electronic, paper, and spoken
  – Ensure good conduct of people when using information


Thank you for listening 

Q&A