ISO 27001-2013
by Ming Chiang
7 October 2014

Transcript of ISO 27001-2013

ISO 27001-2013
1.1 How to Protect Information
1.2 ISO27001 Benefits
Stakeholder Analysis Table
Risk Assessment 2/2
Risk Assessment 1/2
Agenda
By Mingo Chiang
10/7/2014
5.5.1 Creating and Updating
When creating and updating documented information, the organization shall ensure appropriate:

a) Identification and description (e.g. title, date, author or reference number).
b) Format (e.g. language, software version, graphics) and media (e.g. paper, electronic).
c) Review and approval for suitability and adequacy.
5.5.2 Control of Documented Information
Documented information required by the ISMS and by this International Standard shall be controlled to ensure:
a) It is available and suitable for use, where and when it is needed.
b) It is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
2. Introduction
1.1.1 List of Controls
1. Purpose of ISO27001
Confidentiality: Only authorized persons can access the information.
Integrity: The information is accurate and complete, and only authorized persons can change it.
Availability: Authorized users can reach the information whenever they need it (for some systems that means 24/7).
A.5: Information Security Policies (2 Controls).
A.6: Organization of Information Security (7 Controls).
A.7: Human Resource Security (6 Controls, applied before, during and after employment).
A.8: Asset Management (10 Controls).
A.9: Access Control (14 Controls).
A.10: Cryptography (2 Controls).
A.11: Physical and Environmental Security (15 Controls).
A.12: Operations Security (14 Controls).
A.13: Communications Security (7 Controls).
A.14: System Acquisition, Development and Maintenance (13 Controls).
A.15: Supplier Relationships (5 Controls).
A.16: Information Security Incident Management (7 Controls).
A.17: Information Security Aspects of Business Continuity Management (4 Controls).
A.18: Compliance, with internal requirements such as policies and with external (legal and contractual) requirements (8 Controls).

Procedure: a Standard Operating Procedure (SOP) tells people exactly how a task is to be carried out.
Password: the first, basic layer of access protection.
Encryption: encrypted data stays unreadable to an attacker who obtains it, as long as the keys are kept out of reach.
Legal: contracts with employees (e.g. confidentiality and acceptable-use agreements) make responsibilities clear and avoid disputes when an incident happens.
Training & Awareness: seminars that train employees and raise their awareness of the security standards they are expected to follow.

Protecting information cannot rest on a single control. ISO 27001 provides 114 controls in 14 groups in Annex A; working through them systematically reduces the chance of missing a step.
Manage Risk
Improve the Culture of Security in the Organization
Trust in Sharing Information in a Secure Manner
Framework for Achieving Legal Compliance
Competitive Advantage
Protects Organization from Brand or Reputation Damage
1. Purpose of ISO27001
1.1 How to Protect Information
1.1.1 List of Controls
1.2 ISO 27001 Benefits
2. Introduction
3. Leadership
3.1 Leadership and Commitment
3.2 Policy
3.3 Organizational Roles, Responsibilities and Authorities
4. Planning
4.1 Actions to Address Risk and Opportunities
4.2 Information Security Risk Assessment
4.3 Information Security Risk Treatment
4.4 Information Security Objectives and Planning to Achieve Them

3.2 Policy
Top management shall establish an information security policy that:

a) Is appropriate to the purpose of the organization.
b) Provides the framework for setting information security objectives.
c) Includes a commitment to satisfy applicable requirements related to information security.
d) Includes a commitment to continual improvement of the ISMS.

The information security policy shall:
a) Be available as documented information.
b) Be communicated within the organization.
c) Be available to interested parties, as appropriate.
3.1 Leadership and Commitment
In short: the resources are made available, and people are trained to do the work.
Top management shall demonstrate leadership and commitment with respect to the ISMS by:

a) Ensuring the information security policy and objectives are established and are compatible with the strategic direction of the organization.
b) Ensuring the integration of the ISMS requirements into the organization's processes.
c) Ensuring that the resources needed for the ISMS are available.
d) Communicating the importance of effective information security management and of conforming to the ISMS requirements.
e) Ensuring that the ISMS achieves its intended outcome(s).
f) Directing and supporting persons to contribute to the effectiveness of the ISMS.
g) Promoting continual improvement.
h) Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
3. Leadership
3.3 Organizational Roles, Responsibilities and Authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Top management shall assign the responsibility and authority for:
a) Ensuring that the ISMS conforms to the requirements of this International Standard.
b) Reporting on the performance of the ISMS to top management.
ISO 27001 is an International Standard.
It provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).

The establishment and implementation of an organization's ISMS is influenced by the organization's needs, objectives and security requirements.

NOTE: It is very important to think about security issues before implementing a project, not afterwards.
4.3 Information Security Risk Treatment
The organization shall define and apply an information security risk treatment process to:
a) Select appropriate treatment options, taking account of the risk assessment results.
b) Determine all controls that are necessary to implement the treatment options chosen.
c) Compare the controls determined in b) with those in Annex A, to verify that no necessary controls have been omitted.

Risk assessment and treatment plan: think of a problem that has occurred in the organization, such as an unknown virus.
d) Produce a Statement of Applicability that contains the necessary controls and the justification for including or excluding each Annex A control.
e) Formulate an information security risk treatment plan.
f) Obtain the risk owners' approval of the plan and their acceptance of the residual risks.

The organization shall retain documented information about the information security risk treatment process.
4.1 Actions to Address Risks and Opportunities
When planning the ISMS, the organization shall determine the risks and opportunities that need to be addressed to:
Ensure the ISMS can achieve its intended outcome(s).
Prevent or reduce undesired effects.
Achieve continual improvement.

The organization shall plan:
a) Actions to address these risks and opportunities.
b) How to integrate and implement the actions into its ISMS processes, and how to evaluate the effectiveness of these actions.
4. Planning
4.4 Information Security Objectives and Planning to Achieve Them
The organization shall establish information security objectives at relevant functions and levels.

The information security objectives shall:
a) Be consistent with the information security policy.
b) Be measurable (if practicable).
c) Take into account applicable information security requirements, and the results from risk assessment and risk treatment.
d) Be communicated.
e) Be updated as appropriate.

When planning how to achieve its objectives, the organization shall determine:
a) What will be done.
b) What resources will be required.
c) Who will be responsible.
d) When it will be completed.
e) How the results will be evaluated.
4.2 Information Security Risk Assessment
The organization shall define and apply an information security risk assessment process that:
a) Establishes and maintains information security risk criteria that include:
1) The risk acceptance criteria.
2) Criteria for performing information security risk assessments.
b) Ensures that repeated assessments produce consistent, valid and comparable results.
c) Identifies and analyses the information security risks:
1) Identify the risks (and their risk owners) associated with loss of confidentiality, integrity and availability of information within the scope of the ISMS.
2) Assess the potential consequences that would result if the risks identified were to materialize.
3) Assess the realistic likelihood of the occurrence of the risks identified.
4) Determine the levels of risk.
d) Evaluates the information security risks:
1) Compare the results of risk analysis with the risk criteria.
2) Prioritize the analyzed risks for risk treatment.

Throughout, the organization shall retain documented information about the information security risk assessment process.
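The assessment process of 4.2 and the treatment steps of 4.3 (including the "take on the risk or pass it to a supplier" question raised under 6.2) as one worked example. This is an added illustration written for this page; it is not part of the presentation and not text from the standard. The likelihood and consequence scales, the acceptance threshold, the level bands and the six register entries are constructed for the example; an organization defines its own criteria. The control numbers are from ISO/IEC 27001:2013 Annex A, which the page lists only at group level.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Risk criteria (4.2 a above). Scales, threshold and bands are assumptions for
# this example; the point is that they are fixed before any risk is scored.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6            # a score of 6 or less may be accepted as-is
LEVEL_BANDS = ((4, "low"), (9, "medium"), (15, "high"), (25, "critical"))

# Annex A controls referenced by the sample register (ISO/IEC 27001:2013 numbering).
ANNEX_A = {
    "A.7.2.2": "Information security awareness, education and training",
    "A.9.4.3": "Password management system",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.15.1.1": "Information security policy for supplier relationships",
    "A.16.1.1": "Responsibilities and procedures",
}

@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: str
    consequence: str
    treatment: str = "mitigate"          # mitigate | transfer | avoid | accept
    controls: List[str] = field(default_factory=list)
    owner_approved: bool = False         # risk owner's sign-off (4.3 f)
    score: int = 0                       # filled in by assess()
    level: str = ""

def score_risk(likelihood: str, consequence: str) -> int:
    """Same inputs always give the same score, so repeated assessments are comparable (4.2 b)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]

def level_for(score: int) -> str:
    """Map a score onto the level bands (4.2 c 4)."""
    for upper, name in LEVEL_BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside the defined scale")

def assess(register: List[Risk]) -> List[Risk]:
    """Analyse every risk, then rank for treatment with the highest score first (4.2 c and d)."""
    for r in register:
        r.score = score_risk(r.likelihood, r.consequence)
        r.level = level_for(r.score)
    return sorted(register, key=lambda r: (-r.score, r.risk_id))

def treatment_problems(r: Risk) -> List[str]:
    """Check a treatment decision against the criteria; an empty list means it can go in the plan."""
    problems = []
    if r.treatment == "accept":
        if r.score > ACCEPTANCE_THRESHOLD and not r.owner_approved:
            problems.append(f"{r.risk_id}: score {r.score} is above the acceptance threshold "
                            f"and the risk owner has not approved")
    elif r.treatment in ("mitigate", "transfer"):
        if not r.controls:
            problems.append(f"{r.risk_id}: treatment '{r.treatment}' names no control")
        problems += [f"{r.risk_id}: {c} is not an Annex A control" for c in r.controls if c not in ANNEX_A]
    elif r.treatment != "avoid":
        problems.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
    return problems

def statement_of_applicability(register: List[Risk]) -> Dict[str, List[str]]:
    """Each Annex A control with the risks that justify it (4.3 d); an empty list
    means 'not applicable' with the reason 'no identified risk requires it'."""
    soa: Dict[str, List[str]] = {c: [] for c in ANNEX_A}
    for r in register:
        if r.treatment in ("mitigate", "transfer"):
            for c in r.controls:
                soa[c].append(r.risk_id)
    return soa

def sample_register() -> List[Risk]:
    """Constructed register for the example; R1 is the 'unknown virus' case from 4.3."""
    return [
        Risk("R1", "Malware infection of staff workstations", "IT manager", "likely", "major",
             controls=["A.12.2.1", "A.7.2.2"]),
        Risk("R2", "Loss of the file server's data", "IT manager", "possible", "severe",
             controls=["A.12.3.1"]),
        Risk("R3", "Weak passwords on administrator accounts", "IT manager", "possible", "major",
             controls=["A.9.4.3"]),
        Risk("R4", "Breach at the outsourced payroll provider", "HR manager", "unlikely", "major",
             treatment="transfer", controls=["A.15.1.1"]),
        Risk("R5", "Visitors read the lobby notice board", "Facilities", "likely", "negligible",
             treatment="accept"),
        Risk("R6", "Incidents reported late because nobody owns the process", "CISO", "possible",
             "moderate", treatment="accept"),   # above threshold and not approved: flagged
    ]

if __name__ == "__main__":
    ranked = assess(sample_register())
    for r in ranked:
        print(f"{r.risk_id} {r.level:8} {r.score:2} {r.treatment:8} {r.description}")
        for p in treatment_problems(r):
            print("   !", p)
    for control, rids in statement_of_applicability(ranked).items():
        status = "applicable, justified by " + ", ".join(rids) if rids else "not applicable"
        print(f"{control} {ANNEX_A[control]}: {status}")
```

Running it ranks R1 (malware, critical) first and flags R6: "accept" is only valid below the threshold or with the risk owner's documented approval, which is the 4.3 f check in code form. The Statement of Applicability lists A.16.1.1 as not applicable because no risk in this small register requires it; in a real ISMS that justification would be reviewed, since the incident-management gap behind R6 is exactly what A.16 addresses.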
5.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS.
5.2 Competence
The organization shall:
a) Determine the necessary competence of persons doing work under its control that affects its information security performance.
b) Ensure that these persons are competent on the basis of appropriate education, training or experience.

The organization shall retain appropriate documented information as evidence of competence.
5. Support
5.4 Communication
The organization shall determine the need for internal and external communications relevant to the ISMS including:
a) On what to communicate?
b) When to communicate?
c) With whom to communicate?
d) Who shall communicate?
e) The processes by which communication shall be effected?
5.5 Documented Information
The organization's ISMS shall include:
a) Documented information required by this International Standard.
b) Documented information determined by the organization as being necessary for the effectiveness of the ISMS.
5.3 Awareness
Persons doing work under the organization's control shall be aware of:
a) The information security policy.
b) Their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance.
c) The implications of not conforming with the ISMS requirements.
6.3 Information Security Risk Treatment
The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information security risk treatment.
6.1 Operation Planning and Control
The organization shall plan, implement and control the processes needed to meet its information security requirements and objectives.

Implement the actions determined in 4.1 to address risks and opportunities.

Control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects.

The organization shall ensure that outsourced processes are determined and controlled.
6. Operation
6.2 Information Security Risk Assessment
The organization shall perform information security risk assessments at planned intervals, or when significant changes are proposed or occur.

Will you take on the risk yourself, or pass it to a supplier or third party? That is a treatment decision (4.3), and it is made on the basis of these assessment results.

The organization shall retain documented information of the results of the information security risk assessments.


7.2 Internal Audit
The organization shall conduct internal audits at planned intervals to provide information on whether the ISMS:
a) Conforms to
1) The organization's own requirements for its ISMS.
2) The requirements of this International Standard.
b) Is effectively implemented and maintained.

The organization shall:
c) Plan, establish, implement and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements and reporting.
d) Define the audit criteria and scope for each audit.
e) Select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process.
f) Ensure that the results of the audits are reported to relevant management.

The organization shall retain documented information as evidence of the audit programme and the audit results.
7.1 Monitoring, Measurement, Analysis and Evaluation
The organization shall evaluate the performance and the effectiveness of the ISMS.

The organization shall determine:
a) What needs to be monitored and measured, including information security processes and controls?
b) The methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results.
c) When shall the monitoring and measuring be performed?
d) Who shall monitor and measure?
e) When shall the results from monitoring and measurement be analyzed and evaluated?
f) Who shall analyze and evaluate these results?

The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.
7. Performance Evaluation
8.1 Non-conformity and Corrective Action
When a non-conformity occurs, the organization shall:
a) React to the non-conformity and, as applicable:
1) Take action to control and correct it.
2) Deal with the consequences.
b) Evaluate the need for action to eliminate the causes of the non-conformity, so that it does not recur or occur elsewhere, by:
1) Reviewing the non-conformity.
2) Determining the causes of the non-conformity.
3) Determining if similar non-conformities exist or could potentially occur.
c) Implement any action needed.
d) Review the effectiveness of any corrective action taken.
e) Make changes to the ISMS, if necessary.
8.2 Continual Improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the ISMS.


8.1 Non-conformity and Corrective Action
8. Improvement
5. Support
5.1 Resources
5.2 Competence
5.3 Awareness
5.4 Communication
5.5 Documented Information
5.5.1 Creating and Updating
5.5.2 Control of Documented Information
6. Operation
6.1 Operation Planning and Control
6.2 Information Security Risk Assessment
6.3 Information Security Risk Treatment
7. Performance Evaluation
7.1 Monitoring, Measurement, Analysis and Evaluation
7.2 Internal Audit
7.3 Management Review
8. Improvement
8.1 Non-conformity and Corrective Action
8.2 Continual Improvement
7.3 Management Review
Top management shall review the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:
a) The status of actions from previous management reviews.
b) Changes in external and internal issues that are relevant to the ISMS.
c) Feedback on the information security performance, including trends in:
1) Non-conformities and corrective actions.
2) Monitoring and measurement results.
3) Audit results.
4) Fulfilment of information security objectives.
d) Feedback from interested parties.
e) Results of risk assessment and status of the risk treatment plan.
f) Opportunities for continual improvement.

The organization shall retain documented information as evidence of the results of management reviews.
Keep In Mind
An ISMS can differ from one organization to another because of:
a) The organization's size and its type of activities, processes, products and services.
b) The complexity of its processes and their interactions.
c) The competence of its people.