ISO 27001:2005

An introduction to Information Security Management Systems (ISMS)

Contents
Introduction Information Why information security ISMS Implications of security breaches Features of ISO 27001 PDCA Short term planning Short term benefits Long term planning Long term benefits Conclusion Questions
2/27/2013

Introduction to ISMS by Antish Baungally

Introduction
The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System The objective of the standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization". The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". Deming's PDCA cycle.
Introduction to ISMS by Antish Baungally

2/27/2013

Information
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected BS ISO 27002:2005

2/27/2013

Introduction to ISMS by Antish Baungally

Why Information Security

It ensures Business continuity Reduces and prevents damage to the organisation Ensures preservation of confidentiality, integrity and availability of information and also authenticity, accountability, non-repudation, and reliability enhanced. Increases awareness among key staff and stake holders Identify, analyse and treat risks. Identify threats and vulnerabilities Minimizes financial loss
2/27/2013

Introduction to ISMS by Antish Baungally

Information Security Management System

ISMS is the part of overall management system based on business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. It is a management process with 3 key components.
Confidentiality (Authorised access to information) Integrity (Accurate and complete) Availability (Authorised access when required)
2/27/2013

Introduction to ISMS by Antish Baungally

Implications of security breaches

Reputation loss

Financial loss
Intellectual property loss Legislative Breaches leading to legal actions Loss of customer confidence Business interruption costs

2/27/2013

Introduction to ISMS by Antish Baungally

Features of ISO 27001

Plan, Do, Check, Act (PDCA) Process Model

Process Based Approach

Stress on Continual Process Improvements Scope covers Information Security not only IT Security Covers People, Process and Technology Some organisations will opt to implement the standard for a better management and security controls and to prove their commitment towards their stakeholders and confirm that they have the best practices in place.

Some organisations opt to go for certification in case they have a customer who outsources a process to the organisation and insist that the outsourced process is compliant with the standard.
Introduction to ISMS by Antish Baungally

2/27/2013

PDCA Cycle

2/27/2013

Introduction to ISMS by Antish Baungally

PDCA
Plan (establishing the ISMS)Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization. Do (implementing and workings of the ISMS)Implement and exploit the ISMS policy, controls, processes and procedures. Check (monitoring and review of the ISMS)Assess and, if applicable, measure the performances of the processes against the policy, objectives and practical experience and report results to management for review

Act (update and improvement of the ISMS)Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review, or other relevant information to continually improve the said system.
2/27/2013

Introduction to ISMS by Antish Baungally

10

Short term planning

Prepare a statement of applicability (SOA) Request for management approval and commitment to the implementation of ISMS and approval on residual risks. (Define a budget and a feasibility plan) Formulate and implement a risk treatment plan. Training and initiate the project with a small scope Define a team (IT, HR, Management, Audit, QA) and prepare a project plan as per the SOA. Implement and operate the ISMS. Measure effectiveness of control. Review risk assessment at planned intervals. Internal ISMS audit and management review Record actions and events Check and monitor the people, processes and technologies. Maintain and improve. Management review. Implement identified improvements Take preventive and corrective actions Communicate actions and improvements Ensure the improvements achieve intended objectives.
Introduction to ISMS by Antish Baungally
11

2/27/2013

Short term benefits

A well document process and abides to regulations. Increases awareness among staff and higher management. Enhances information security Helps to identify new risks and vulnerabilities when reviewing the processes. A clear audit scope.
2/27/2013

Introduction to ISMS by Antish Baungally

12

Long Term Planning

Define a budget and a feasibility plan Staff training and team building Effective communication and a project team. Internal Audits Management Review Corrective and preventive actions Identify a certifying body Pre certification audit Certification Audit Post certification: Semi annual review (depending on the ISMS requirement) Continual improvements and review.
2/27/2013

Introduction to ISMS by Antish Baungally

13

Long Term benefits

Recognition and ISO 27001 certification A well defined security control for People, processes and Technology. Effective communication and awareness. The certification can be used as a marketing item. Provides assurance to Stakeholders and customers It enhances information security Ensures that the organisation is compliant.
2/27/2013

Introduction to ISMS by Antish Baungally

14

Banks who have implemented ISO 27001

Burgan Bank, among the youngest and most dynamic banks in Kuwait (2010) Yes Bank (2010) Cairo Amman Bank (2012) Affin Investment Bank, Malaysia (2011)

2/27/2013

Introduction to ISMS by Antish Baungally

15

Conclusion
The ISMS ISO 27001 provides a standard to organisation to secure their organisation and is highly recommended to financial institutions. I will advise the bank to consider this international standard to enhance the current setups. The very important part of this standard is that it requires management commitment and not handled only at IT level. The Project management organisation also provides papers on implementation of ISO 27001. The cost of the project will vary on the scope and an organisation can chose the system and process they will like to certify.

2/27/2013

Introduction to ISMS by Antish Baungally

16

References
http://www.slideshare.net/discoverjkuat/informationsecurity-management-systemsisms-by-dr-wafula The User Awareness Training Of ISMS ISO/IEC 27001:2005, Mohan Kamat

http://en.wikipedia.org/wiki/ISO/IEC_27001
http://www.ameinfo.com/238843.html http://www.maxi-pedia.com/ISMS

2/27/2013

Introduction to ISMS by Antish Baungally

17

Questions

2/27/2013

Introduction to ISMS by Antish Baungally

18