International Security Management Standards

Upload: henry-moody

Post on 18-Jan-2016


Page 1: International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005

International Security Management Standards

Page 2

The standards covered:

- BS ISO/IEC 17799:2005 (first edition ISO/IEC 17799:2000, second edition ISO/IEC 17799:2005)
- BS ISO/IEC 27001:2005

ISO/IEC 17799 takes the form of guidance notes and recommendations (a code of practice for information security management), produced following consultation with leading companies. It was later renumbered as ISO/IEC 27002.

ISO/IEC 27001:2005 specifies the requirements for an Information Security Management System (ISMS) and is relevant to those responsible for initiating, implementing or maintaining security in their organization. Of the two, only ISO/IEC 27001 is a certifiable requirements standard; ISO/IEC 17799 is advisory.

Page 3

Organizations

ISO – International Organization for Standardization

IEC – International Electrotechnical Commission

BSI – British Standards Institution

Page 4

BS 7799-2:2002 (BS 7799 Part 2) has been updated and was released as ISO/IEC 27001:2005 on 15 October 2005.

The new international version of the standard clarifies and strengthens the requirements of the original British standard, and includes changes to the following areas: risk assessment, contractual obligations, scope, management decisions, and measuring the effectiveness of selected controls.

Page 5

[Figure: Information Security Management System – Key Principles based on BS 7799. The diagram arranges the ISMS elements around three pillars, People, Processes and Technology, with Information Security Risk as the driver:]

- Corporate Information Security Policy
- Information Security Management
- Policies / Standards framework
- Education & awareness (People)
- Existing Processes (Processes)
- Technical Control (Technology)
- Information Security Risk

Page 6

ISMS Implementation

Establish the context
- Define information security policy and objectives
- ISMS scope and policy
- Security organization
- Risk identification and assessment: identify risks, analyse risks, evaluate risks

Manage the risk
- Identify and evaluate options for managing the risks
- Select controls and control objectives for the treatment and management of risk
- Implement selected controls
- Statement of Applicability

Monitor the progress
- Create monitoring rules
- Monitor and review the ISMS

Improve the ISMS
- Identify improvements in the ISMS and implement them
- Take appropriate corrective and preventive actions
- Communicate and consult (management, stakeholders, users etc.)

Page 7

• The standard for Information Security Management Systems (ISMS), BS 7799-2 (now ISO/IEC 27001:2005), has fast become one of the world's established standards for information security

• An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure.

• It encompasses people, processes and IT systems.


Page 9

What is BS 7799?

BS 7799 (Part 2) is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.

Page 10

BS 7799 (Part 1, the code of practice, i.e. ISO/IEC 17799:2000) is organized into 10 sections:

1. Security policy
2. Organizational security
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance

Page 11

ISO/IEC 27001:2005

The present standard (Annex A) has:
- 11 domains
- 39 control objectives
- 133 controls

Page 12

ISO/IEC 27001:2005 – the 11 domains are:

1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

Page 13

Domain, control objectives & controls – Example

5 Physical and Environmental Security

5.1 Secure Areas
- 5.1.1 Physical security perimeter
- 5.1.2 Physical entry controls
- 5.1.3 Securing offices, rooms and facilities
- 5.1.4 Protecting against external and environmental threats
- 5.1.5 Working in secure areas
- 5.1.6 Public access, delivery and loading areas

5.2 Equipment Security
- 5.2.1 Equipment siting and protection
- 5.2.2 Supporting utilities
- 5.2.3 Cabling security
- 5.2.4 Equipment maintenance
- 5.2.5 Security of equipment off-premises
- 5.2.6 Secure disposal or reuse of equipment
- 5.2.7 Removal of property

Page 14

Domain, control objectives & controls – Example

11 Compliance
- 11.1 Compliance with legal requirements (6 controls)
- 11.2 Compliance with security policies and standards, and technical compliance (2 controls)
- 11.3 Information systems audit considerations (2 controls)

Page 15

Uses of the standard:

- Formulation of security requirements and objectives;
- To ensure that security risks are cost-effectively managed;
- To ensure compliance with laws and regulations;
- As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- Identification and clarification of existing information security management processes;

Page 16

- To be used by management to determine the status of information security management activities;
- To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
- To provide relevant information about information security policies, directives, standards and procedures to trading partners;
- To provide relevant information about information security to customers.

Page 17

Laws and Regulations

Regulatory requirements:
- Establishment
- Organization
- Responsibilities
- Correlation to financial, operational and IT audit functions

Page 18

Laws and Regulations

Steps to determine compliance with external requirements:
1. Identify external requirements
2. Document pertinent laws and regulations
3. Assess whether management and the IS function have considered the relevant external requirements
4. Review internal IS department documents that address adherence to applicable laws
5. Determine adherence to established procedures

Page 19

ISACA Standards and Guidelines for IS Auditing

ISACA IS Auditing Standards

ISACA IS Auditing Guidelines

ISACA Code of Professional Ethics

Page 20

ISACA Standards and Guidelines for IS Auditing

Objectives of ISACA IS Auditing Standards

• Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners

• Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics

Page 21

ISACA Standards and Guidelines for IS Auditing

Framework for ISACA's Information Systems Auditing Standards:
- Standards
- Guidelines
- Procedures

Page 22

ISACA Standards and Guidelines for IS Auditing

• Audit charter

• Independence

• Professional Ethics and Standards

• Competence

Page 23

ISACA Standards and Guidelines for IS Auditing (continued)

• Planning

• Performance of audit work

• Reporting

• Follow-up activities

Page 24

ISACA Standards and Guidelines for IS Auditing

• Audit charter

Responsibility, authority and accountability

Page 25

ISACA Standards and Guidelines for IS Auditing

• Independence

Professional independence

Organizational relationship

Page 26

ISACA Standards and Guidelines for IS Auditing

• Professional Ethics and Standards

Code of Professional Ethics

Due professional care

Page 27

ISACA Standards and Guidelines for IS Auditing

• Competence

Skills and knowledge

Continuing professional education

Page 28

ISACA Standards and Guidelines for IS Auditing

• Planning

Audit planning

Page 29

ISACA Standards and Guidelines for IS Auditing

• Performance of audit work

Supervision

Evidence

Page 30

ISACA Standards and Guidelines for IS Auditing

• Reporting

Report content and form

Page 31

ISACA Standards and Guidelines for IS Auditing

• Follow-up Activities

Review previous conclusions and recommendations

Review previous relevant findings

Determine whether appropriate actions have been implemented on a timely basis

Page 32

ISACA Standards and Guidelines for IS Auditing

Use of ISACA Guidelines

• Consider the guidelines in determining how to implement the standards

• Use professional judgment in applying these guidelines

• Be able to justify any departure