Introduction to ISO/IEC 27001:2005 Prepared by Endre P. Bihari JP of Performance Resources For ISACA Melbourne Chapter Technical Session 18 th of July 2006 AD


Page 1: Introduction to 17799 - ISACA Melbourne...– Code of Practice is published as a British Standard (BS 7799) • 1999 – Revised and updated (BS 7799-1:1999) – BS7799-2 is published

Introduction to ISO/IEC 27001:2005
Prepared by Endre P. Bihari JP of Performance Resources
For ISACA Melbourne Chapter Technical Session
18th of July 2006 AD

Page 2/20

©2006 Performance Resources

What is ISO/IEC 17799?
• Aim:
– Create a common basis for the development of organisational security standards
– Enhance security management practice
– Provide best practice guidance based on practical industry experience
– Provide a structured framework for an organisation to examine and improve its security
• Originated as a two-part British Standard (BS 7799):
– Part 1 – Code of Practice for Information Security Management (became ISO/IEC 17799, the guidance document)
– Part 2 – Specification for Information Security Management Systems (became ISO/IEC 27001:2005, the auditable requirements document)

Page 3/20

History of ISO/IEC 17799:2005
• Early 1990s
– The Department of Trade and Industry (UK) produced an "Information security management code of practice", written by a working group of experienced information security managers
• 1995
– The Code of Practice is published as a British Standard (BS 7799)
• 1999
– Revised and updated (BS 7799-1:1999); the ISMS specification BS 7799-2 is published alongside it
• Late 1990s
– BS 7799 is translated into different languages and adopted by several countries
• 2000
– BS 7799-1 is adopted by ISO as ISO/IEC 17799:2000
• 2002
– BS 7799-2:2002 is published, introducing the PDCA model to the ISMS specification
• 2003
– AS/NZS 7799.2:2003 is published (the Australian/New Zealand adoption of BS 7799-2:2002); no ISO/IEC "17799-2" was ever issued
• 2005
– Revised and updated (ISO/IEC 17799:2005); BS 7799-2 is adopted by ISO as ISO/IEC 27001:2005
• 2006
– BS 7799-3 (information security risk management) is published

Page 4/20

The ISO/IEC 27000 Standard Family
(Entries marked "?" were forecasts at the time of the presentation; the actual publication year is given in brackets.)
• ISO/IEC 27000 – Information security management system: fundamentals and vocabulary [published 2009]
• ISO/IEC 27001:2005 – Information security management: requirements (from BS 7799-2:2002 / AS/NZS 7799.2:2003)
• ISO/IEC 27002:2007? – Code of practice for information security management (renumbering of ISO/IEC 17799:2005) [renumbered in 2007, as ISO/IEC 27002:2005]
• ISO/IEC 27003:2008? – Implementation guide? [published 2010]
• ISO/IEC 27004:2006? – Information security management metrics and measurement [published 2009]
• ISO/IEC 27005 – Information security risk management (from BS 7799-3:2006) [published 2008]
• ISO/IEC 27006:2007? – shown on the slide as guidelines for information and communications technology disaster recovery services (from Singapore Standard SS 507). As actually published, ISO/IEC 27006:2007 specifies requirements for bodies providing audit and certification of an ISMS; the SS 507-based disaster recovery guidance became ISO/IEC 24762:2008.
• ISO/IEC 27007-27010 – Allocated for future use

Page 5/20

Structure and Relationship to Other Standards: ISO 9001:2000, ISO 14001:2004, ISO/IEC 27000
Alignment with the structure of other management system (quality) standards:
0. Introduction
1. Scope
2. Normative References
3. Terms and Definitions
4. Management System
5. Management Responsibility
6. Audit
7. Management Review
8. Improvement
9. Annexes
(Annex C of ISO/IEC 27001:2005 tabulates the correspondence between ISO 9001:2000, ISO 14001:2004 and ISO/IEC 27001:2005, which is what makes an integrated management system practical.)

Page 6/20

ISO/IEC 27001:2005 Structure
The PDCA (Plan-Do-Check-Act, based on Deming's) model, applied to every ISMS process:
• PLAN (establish the ISMS) – Section 4
• DO (implement and operate the ISMS) – Section 5
• CHECK (monitor and review the ISMS) – Sections 6 & 7
• ACT (maintain and improve the ISMS) – Section 8
(In the standard itself, clause 4.2 already walks through all four phases: 4.2.1 establish, 4.2.2 implement and operate, 4.2.3 monitor and review, 4.2.4 maintain and improve. Clauses 5 to 8 add management responsibility, internal ISMS audits, management review and ISMS improvement, which the slide maps onto the Do, Check and Act phases.)
Annex A – Control objectives and controls (taken from ISO/IEC 17799:2005, clauses 5 to 15)
Annex B – OECD principles, mapped to the PDCA phases:
• Awareness
• Responsibility
• Response
• Risk Assessment
• Security Design and Implementation
• Security Management
• Reassessment

Page 7/20

Benefits of ISO/IEC 27001:2005
• Improvement in
– Understanding of the value of organisational information
– Confidence, satisfaction and TRUST of customers and business partners, e.g. in the handling of their sensitive information
– Assurance level of organisational security & QUALITY
– Legal and regulatory compliance
– Organisational effectiveness in communicating security requirements
– Employee motivation and participation in security
– Management and handling of security incidents
– Ability to differentiate the organisation for competitive advantage
– Credibility & reputation, and through them profitability

Page 8/20

Why was ISO/IEC 17799 changed (the 2000 edition revised into ISO/IEC 17799:2005)?
• Emerging trends – new threats
• Governance – increased call for senior management commitment
• Assurance – global call for more detailed assurance measures
• Compliance – legal & regulatory pressures
• Managing risks – the whole risk management approach is now clearly understood and must be evidenced; increased emphasis on continuous review

Page 9/20

Improved Clarity

OLD control text (ISO/IEC 17799:2000): a single block per control
– CONTROL + some implementation guidance & other supporting information, run together

NEW control text (ISO/IEC 17799:2005): three labelled parts per control
– CONTROL – specific control statement that satisfies the control objective
– IMPLEMENTATION GUIDANCE – list of more detailed implementation controls and related guidance that satisfy the control objective; other implementation methods might exist and may be more appropriate
– OTHER INFORMATION – further explanation and information that might need to be considered at implementation; other, related standards

Page 10/20

[Figure: "ISO Standards Related to ISO/IEC 17799:2005". A matrix placing related standards against the eleven ISO/IEC 17799:2005 clauses: Security Policy; Security Organisation; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance. Standards legible in the extracted residue: AS 3806, 15489-1, 15489-2, 18028-1 to 18028-5, 15408, 13569, 20000-1, 20000-2, 13335-1 to 13335-4, 15816, 25000, 18044, SS 507, 18043, HB 221, 18045, 15443-1 to 15443-3, 14516, 15945, 15947 and NFPA 1600; a few tokens (1794 / 415 / 945) are too fragmented to resolve. Which standard the figure places against which clause is not recoverable from the extraction.]

Page 11/20

Demystifying ISO/IEC 17799:2005
• 11 clauses (or security domains)
• 39 control objectives – the functional requirement specification for an information security management architecture
• 133 specific controls
– None is mandated in itself, but ISO/IEC 27001:2005 (clause 4.2.1 j) requires a Statement of Applicability that lists the selected control objectives and controls and justifies every exclusion, so "not applicable" must be argued, not assumed
– To be treated as a generic control menu to select from, driven by the risk assessment and risk treatment decisions
– Often used by auditors as their control checklist (the "Auditor's Standard"), although certification is against ISO/IEC 27001
• Hundreds of best practice control measures, offering implementation guidance
• Not complete – what is missing? (The menu is not exhaustive; additional controls may be selected where the risk assessment calls for them.)

Page 12/20

Steps Towards Certification
Development → Implementation → Stage 1 Audit → Stage 2 Audit → Surveillance & Re-assessment: Follow Up
– Development and Implementation are carried out by the ISMS working group (ISMS WG)
– Stage 1 audit (review of the ISMS documentation, including scope, policy, risk assessment and Statement of Applicability), Stage 2 audit (on-site verification that the ISMS is implemented and operating as documented) and the subsequent surveillance and re-assessment visits are carried out by 3rd party auditor(s)

Page 13/20

Recommended Policy / Standards Hierarchy
Source: Performance Resources, used by permission

From strategic (more generic) at the top to tactical (more specific) at the bottom:
– Laws, Regulations & Requirements – WHAT IS REQUIRED: laws and legislation, ISO/IEC standards, business objectives
– Principles – CORE DIRECTION: statements of commitment
– Policy – STATEMENT OF INTENT: specifies what to do and why
– Standards – CONTROL SPECIFICATION: statement and description of how resources are to be used
– Procedures, Processes – KNOW HOW: "a written description of a course of action to be taken to perform a given task" [IEEE610]
– Guidelines, Practices – SHOW HOW: describes application and usage of controls
– Baselines – KNOW WHAT: provides the minimum level of requirements

Page 14/20

Recommended Policy Framework (Extended)

Source: Performance Resources, used by permission

Page 15/20

Sample Documents 1

Policy Statements

Page 16/20

Sample Documents 2

Domain Standard

Page 17/20

Sample Documents 3

Purpose Specific Standards

Page 18/20

What Constitutes a Good Policy?
• Content over form – just because a document is called "policy" does not make it a policy
• Alignment with business needs
• Clarity
• Comprehensiveness
• Simple and practical
– Easy to maintain
– Accessible
• Supportive environment
– Enforceable and enforced

Page 19/20

Development Considerations
• Skills
– Knowledge of RFCs, ISO and other standards
– Clear and precise communication
– Intimate knowledge of information security (both technical and managerial)
• Time – Cost – Quality
– 10-13 days (policy)
– 5-7 days (standards)
– $800 - $1,600 per day
– Licensing – immediate, for less than half of this cost! (available through Performance Resources)

Page 20/20

Further Information
Further information is available at http://www.perfres.net/methodology.asp
Or contact me:
Endre Bihari
Mobile: 0414 35 15 58
Email: [email protected]