
ISO 27001

M. Faisal Naqvi, CISSP, CISA, 27001 LA & MI, AMBCI


Senior Consultant – Information Security

© 2008 Netsol Technologies, Inc. All rights reserved


Development of ISO 27001 "family" of Standards

ISO/IEC Standard   Description
27000              Vocabulary and definitions
27001              Specification (BS7799-2), issued Oct. 2005
27002              Code of Practice (ISO17799:2005)
27003              Implementation Guidance
27004              Metrics and Measurement
27005              Risk Management (BS 7799-3)



History of ISO 27001

(Figure: lineage diagram; one arrow style marks a copy/translation, the other a revision)

UK:            BS7799:1996 -> BS7799-1:1999 -> BS7799-1:2000
               BS7799-2:1999 -> BS7799 Part 2:2002
International: ISO17799:2000 (copy of BS7799-1:2000) -> ISO17799:2005 (revision)
               ISO27001:2005 (copy/translation of BS7799 Part 2:2002)



Harmonization Example

(Figure, image courtesy of BSI America: ISO 27001 and BS 25999 shown as management systems integrated under PAS 99, Integrated Management)
Country wise Certified Organizations
Source: http://www.iso27001certificates.com on September 25, 2008

Japan            2770   Romania              16   Bahrain       4   Yemen         2
India             426   Turkey               15   Kuwait        4   Armenia       1
UK                368   UAE                  14   Norway        4   Bangladesh    1
Taiwan            183   Thailand             13   Sri Lanka     4   Belgium       1
China             161   Iceland              11   Switzerland   4   Egypt         1
Germany           108   Netherlands          11   Canada        3   Iran          1
USA                77   Singapore            11   Chile         3   Kazakhstan    1
Hungary            74   Pakistan             10   Croatia       3   Kyrgyzstan    1
Czech Republic     66   France               10   Indonesia     3   Lebanon       1
Korea              58   Russian Federation   10   Macau         3   Lithuania     1
Italy              54   Saudi Arabia         10   Peru          3   Luxembourg    1
Poland             34   Philippines          10   Portugal      3   Macedonia     1
Hong Kong          30   Mexico                8   Vietnam       3   Moldova       1
Australia          28   Colombia              7   Bulgaria      2   New Zealand   1
Ireland            26   Sweden                7   Gibraltar     2   Ukraine       1
Malaysia           26   Slovakia              6   Isle of Man   2   Uruguay       1
Spain              25   Slovenia              6   Morocco       2
Austria            21   Greece                5   Oman          2
Brazil             20   South Africa          5   Qatar         2

Relative Total 4813; Absolute Total 4803
ISO 27001
 Not a technical standard
 Not product or technology driven
 Not an equipment evaluation methodology such as the Common Criteria / ISO 15408
 But it may require the use of products evaluated to a Common Criteria Evaluation Assurance Level (EAL)



Information Security Management System

 "Information System Security" = security of information systems / computers
 "Information Security System" = security of information in any form, soft copy or hard copy; this is the scope of an ISMS



Strength of Overall Security
 The overall security of a system is no stronger than its weakest element, however state-of-the-art the rest of it may be
 A comprehensive security model covering all aspects is therefore needed



Asset, Vulnerability, Threat, Risk & Control
 Asset = anything that has value to the organization
 Vulnerability = any weakness of an asset
 Threat = any possible danger that could exploit such a weakness
 Risk = a vulnerability exposed to a threat, i.e. the chance that the threat exploits the weakness and harms the asset

Risk = Vulnerability X Threat

 Control = countermeasure that reduces risk, by removing the vulnerability, reducing the threat, or limiting the impact



Asset, Vulnerability, Threat, Risk



Control



ISO 27001
 Aims to address the vulnerabilities and threats to information in every form
 11 major categories of controls / countermeasures, called domains
 133 controls (countermeasures) against those vulnerabilities and threats



11 Domains of ISO 27001

(Figure: INFORMATION, with its Confidentiality, Integrity and Availability, sits at the centre, exposed to Threats and Vulnerabilities; the 11 control domains surround it:)
 1. Security Policy
 2. InfoSec Organization
 3. Asset Mgmt.
 4. HR Security
 5. Physical & Environment Security
 6. Comm & Opr Mgmt
 7. Access Control
 8. Info Sys Dev. & Maintenance
 9. InfoSec Incident Mgmt
 10. Business Continuity Mgmt
 11. Compliance



ISO-27001 Domains & Controls

S. No.  Domain                                                        Controls
1       Security Policy                                                  2
2       Organization of Information Security                            11
3       Asset Management                                                 5
4       Human Resources Security                                         9
5       Physical and Environmental Security                             13
6       Communications and Operations Management                        32
7       Access Control                                                  25
8       Information Systems Acquisition, Development and Maintenance    16
9       Information Security Incident Management                         5
10      Business Continuity Management                                   5
11      Compliance                                                      10
        Total                                                          133
Why Policies & Standards?

Attacks through Technology:          Attacks through People:
 Virus, Worm, Trojan                  Abuse of Privileges
 (D-)DoS attacks                      Social Engineering
 SQL injection                        Physical access to bypass controls
 Buffer overflow                      Misuse of Systems / Information
 Brute force attack                   Password guessing
 Password cracking                    Theft of laptops / storage media


Domain Area

(Figure: the 11 domains grouped by area)

Management:
 Policy
 Organization of Information Security
 Asset Mgmt.
 Access Ctrl
 Compliance
 InfoSec Incident Mgmt

Operations:
 HR Security
 Biz Continuity Mgmt
 Info Systems Acquisition, Dev & Maintenance
 Comm. & Operations Mgmt
 Physical & Env Security


Plan-Do-Check-Act (PDCA)

(Figure: the PDCA model applied to ISMS processes)

Input:  Interested parties' information security requirements and expectations
Plan:   Establish the ISMS
Do:     Implement and operate the ISMS
Check:  Monitor and review the ISMS
Act:    Maintain and improve the ISMS
Output: Managed information security, delivered back to the interested parties


PDCA
Establish the ISMS
 Scope of the ISMS
 ISMS policy (objectives, requirements)
 Systematic approach to risk management
 Risk identification
 Risk assessment
 Risk evaluation & treatment
 Control objectives and controls for risk treatment
 Statement of Applicability
 Management approval for residual risks
 Authorization to implement and operate
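The Plan steps above (risk identification, assessment, evaluation and treatment, control selection, Statement of Applicability, management approval of residual risk) and the earlier "Risk = Vulnerability X Threat" formula, worked through on a small risk register. This is an added example, not material from the presentation: the 1-5 scoring scales, the weighting by asset value, the acceptance threshold, the control effectiveness factor, and every asset, threat and score in the register are assumptions; only the control numbering follows ISO/IEC 27001:2005 Annex A.

```python
"""Worked ISO 27001 'Establish the ISMS' risk assessment.

Added example, not from the slides. Assumed: every factor is scored on a
1-5 scale, risk = asset value x threat likelihood x vulnerability severity
(the slides' "Risk = Vulnerability X Threat", weighted by what the asset is
worth), a management-set acceptance threshold, and a control that removes a
fixed fraction of the inherent risk. The register below is constructed
sample data; control ids follow ISO/IEC 27001:2005 Annex A numbering.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1 (low) .. 5 (high) for every factor


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int               # 1-5: business value of the asset
    likelihood: int                # 1-5: how likely the threat is to occur
    severity: int                  # 1-5: how easily the weakness is exploited
    control: Optional[str] = None  # selected Annex A control id, if any
    effectiveness: float = 0.0     # 0.0-1.0: fraction of risk the control removes


def inherent_risk(item: RiskItem) -> int:
    """Risk assessment: Risk = Vulnerability x Threat, weighted by asset value (1..125)."""
    for factor in (item.asset_value, item.likelihood, item.severity):
        if factor not in SCALE:
            raise ValueError(f"factor {factor} is outside the 1-5 scale")
    return item.asset_value * item.likelihood * item.severity


def residual_risk(item: RiskItem) -> float:
    """Risk left after the selected control is applied (unchanged if none selected)."""
    if not 0.0 <= item.effectiveness <= 1.0:
        raise ValueError("effectiveness must lie in [0, 1]")
    inherent = inherent_risk(item)
    if item.control is None:
        return float(inherent)
    return inherent * (1.0 - item.effectiveness)


def treatment(item: RiskItem, threshold: int) -> str:
    """Risk evaluation & treatment decision against the acceptance threshold."""
    if inherent_risk(item) <= threshold:
        return "accept"  # within appetite: no control needed
    if item.control is None:
        return "mitigate: no control selected yet"
    if residual_risk(item) <= threshold:
        return f"mitigate with {item.control}"
    # Treatment still leaves risk above the threshold: only management may accept it.
    return f"residual risk above threshold after {item.control}: needs management approval"


def statement_of_applicability(register: List[RiskItem],
                               annex_a: Dict[str, str]) -> Dict[str, Tuple[str, bool, str]]:
    """SoA: every Annex A control, whether it applies, and the justification."""
    soa = {}
    for cid, name in annex_a.items():
        treated = [f"{i.asset}/{i.threat}" for i in register if i.control == cid]
        if treated:
            soa[cid] = (name, True, "treats: " + ", ".join(treated))
        else:
            soa[cid] = (name, False, "no identified risk requires it")
    return soa


def risks_needing_approval(register: List[RiskItem], threshold: int) -> List[RiskItem]:
    """Residual risks management must explicitly approve before authorising operation."""
    return [i for i in register if residual_risk(i) > threshold]


# Constructed sample inputs (not from the slides).
ANNEX_A = {
    "A.10.4.1": "Controls against malicious code",
    "A.10.5.1": "Information back-up",
    "A.9.1.1": "Physical security perimeter",
    "A.11.2.1": "User registration",
    "A.11.3.1": "Password use",
}
REGISTER = [
    RiskItem("customer database", "malware", "unpatched DB host", 5, 4, 4, "A.10.4.1", 0.75),
    RiskItem("customer database", "disk failure", "no off-site backup", 5, 2, 5, "A.10.5.1", 0.9),
    RiskItem("laptops", "theft", "no site access control", 3, 3, 3, "A.9.1.1", 0.5),
    RiskItem("staff directory", "disclosure", "public listing", 1, 2, 2),
    RiskItem("payroll server", "privilege abuse", "shared admin accounts", 4, 4, 5, "A.11.2.1", 0.5),
]
THRESHOLD = 25  # assumed management risk acceptance level

if __name__ == "__main__":
    for item in REGISTER:
        print(f"{item.asset:18} {item.threat:16} inherent={inherent_risk(item):3d} "
              f"residual={residual_risk(item):5.1f} -> {treatment(item, THRESHOLD)}")
    for cid, (name, applies, why) in statement_of_applicability(REGISTER, ANNEX_A).items():
        print(f"SoA {cid:9} {name:32} {'Yes' if applies else 'No ':3} ({why})")
    print("for management approval:",
          [i.asset for i in risks_needing_approval(REGISTER, THRESHOLD)])
```

Running the script prints one line per register entry with its inherent and residual risk and treatment decision, the Statement of Applicability for every Annex A control listed (including the one no risk requires, with its justification), and the list of residual risks that still exceed the threshold and therefore need explicit management approval before the ISMS is authorised to operate. The scoring scheme is deliberately simple; what matters for the standard is that the methodology is documented, repeatable, and produces comparable results.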



PDCA
Implement and operate the ISMS
 Formulate a risk treatment plan
 Implement the risk treatment plan
 Implement the controls selected
 Implement training and awareness programs
 Manage operations
 Manage resources
 Implement procedures and controls to detect
and respond to security incidents
PDCA
Monitor and review the ISMS
 Execute monitoring procedures
 Undertake regular reviews
 Review the level of residual risk
 Conduct internal audits
 Undertake a management review
 Record actions and events



PDCA
Maintain and improve the ISMS
 Implement the identified improvements
 Take appropriate corrective and preventive
actions
 Communicate results
 Ensure effectiveness



Documentation Requirements
 Policies
 Objectives
 Scope
 Procedures
 Controls
 Risk assessment methodology
 Risk treatment plan
 Document protection and control
ISO 27001 Management Framework



Management Responsibilities
 Commitment:
 Establishment
 Implementation
 Operation
 Monitoring
 Review
 Maintenance
 and Improvement of the ISMS
 Resource management
 Training, Awareness and Competence
 Internal Audit
 Review of the ISMS
