Vous êtes sur la page 1sur 1

ISO 27001

I m p l e m e n t a t i o n Ro a d m a p
Vulnerability Assessment/Penetration Test of Key Applications/Systems
Provides substantiative evidence that the net security objectives (e.g., ensuring the confidentiality of information) are being achieved. * Cost Effective * Well Regarded * Early Identification of Critical Risks

F o r c o n s u l t i n g o n I S O 2 7 0 0 1 , v i s i t u s a t w w w. p i v o t p o i n t s e c u r i t y. c o m o r c a l l 1 . 8 8 8 . P I V O T P O I N T ( 8 8 8 . 7 4 8 . 6 8 7 6 )

Address ShortTerm Attestation Requirements

Proving that you are secure while you are working towards 27001 Certification is crtical to the success of your organization. Where stronger interim attestation is required see Shared Assessment Phase below.

<1 Month

Secure Data Flow Diagram (SDFD)

Provides evidence that key client risks are being mitigated to an acceptable level by reasonable and appropriate security design. * Integral to Risk Assessment and Scoping * Facilitates Risk Identification * Evidence of Secure Design and Substantiative Test is effective attestation

Preliminary 27001 Project Plan

Where key clients have already requested 27001 compliance/certification, communicating a plan & progress towards it is critical to satisfying their requirements.

Define ISMS Scope

Assess Gaps
Optimally scoping and understanding the current gap between the desired and current state are integral to appropriately allocating the resources (personnel, third party support, expenditures, and time) necessary to ensure the project achieves objectives on time and on budget.

Logically/physically limit the scope of the ISMS to the maximum extent possible consistent with initiative objectives. Optimizes likelihood of project success (prevents boil the ocean exercises).

27005 Risk Assessment

Identifies major risks (& impacts) the ISMS intended to mitigate. * Leverages SDFD * Basis of 27001 *

Risk Treatment Plan

Establish acceptance criteria and define treatments (avoid/control/transfer/accept) for all key risks.

1- 3 Months

Conduct Gap Assessment O R

Via documentation review, ICQ's and/or surveys determine where risk treatment gaps exist in: * Existence * Appropriateness * Completeness of Documentation & ISMS support

Shared Assessment (BITS)

Same functionality as Gap Assessment except produces a Shared Assessment worksheet that may be accepted as interim attestation by clients (e.g. financial industry)

Develop & Execute the Roadmap

Prioritize and execute the work effort necessary to address the issues identified.

Prioritized Roadmap (Remediation Plan)

Develop a work plan based on a number of factors: * Risk * Ease of Mitigation to an Acceptable Level * Client Concerns *Reusability/Commonality * Resource and Skill Set Availability * Other Initiatives

3-18 Months

Execute the Plan

* Correct Design Deficiencies * Close Compliance Gaps * Update/Create Necessary Documentation * Implement New Controls

Operate the Environment

Assess efficacy of environment, monitor the ISMS, tune controls accordingly, and accumulate audit evidence for attestation and certification.

Monitor the Environment

Integral to 27001 is ongoing monitoring of the ISMS. Tune control design/output to facilitate monitoring.

Respond to Incidents
Integral to 27001 is demonstrable Incident Response. Tune Incident Response processes to facilitate ISMS improvements.

1-12 Months

Implement Continuous Improvement Principles

Integral to 27001 is demonstrable Continuous Improvement. Based on monitoring and Incident Response evolve the control environment in a demonstrable manner.

While there are many significant advantages to implementing 27001, most notably demonstrably reducing risk and simplifying Information Security, for most entities certification is the most important.

Pre-Certification Audit
"Friendly" pre-audit structured in accordance with certification audit (Tabletop Review then Compliance Review).

Certification Audit
27001 Certification Audit conducted by Certification Body resulting in issuance of ISO 27001 Certificate

and Beyond

Surveillance Audit (Year 2)

Mini-audit conducted by the Certification Body to validate ISMS efficacy. ISMS scope extension possible.

Triennial Audit (Every 3rd year)

Re-Certification Audit conducted by Certification Body

We make it simple to know youre secure and prove youre compliant