ISMS – A Look Behind the Scenes of the ISO/IEC 27000 Family. Security Podium, 12 May 2011, Dr. Peter Weiss

Dr. Peter Weiss | 12.5.2011 | Security Podium

Swiss Re - We enable risk-taking that is essential to enterprise and progress

Examples:

• We educate and consult on risks: over 50 risk-related publications during the last 12 months
• We transfer and trade risks: securitisation of earthquake and hurricane risks
• We identify and evaluate risks: climate change identified as an emerging risk almost 20 years ago
• We select and take risks: insurance of most industrial risks

Agenda

• ISO/IEC SC 27 Standards Committee
• ISO/IEC 27000 ISMS Family of Standards
• ISMS Certification

Acknowledgment: many thanks to Prof. Edward Humphreys, Convenor of SC27 WG1, for sharing some ideas from his presentation given in Singapore in April 2011

ISO/IEC SC 27 Standards Committee

ISO/IEC JTC1 and SNV

ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
ISO/IEC Joint Technical Committee 1, "Information Technology Standards"
SC 27 - IT Security Techniques
P-Members: 44, O-Members: 17

SNV: Schweizerische Normen-Vereinigung (Swiss Association for Standardization)
INB NK149 – Informationstechnologie (Information Technology), UK 07 - Sicherheitstechniken (Security Techniques): the Swiss mirror committee to SC 27

ISO/IEC JTC1 – Standards Development Cycle

Draft Standard → Vote & Comments → Disposition of Comments → Workgroup Meeting → (next draft, ½ year per cycle) → ... → International Standard

Task: resolve all comments in a consensus process

ISO/IEC 27000 Family

• Overview and Development
• Revision of ISO/IEC 27001 and ISO/IEC 27002

ISO/IEC 27000 Family - Overview

Terminology:
• 27000 Overview and Vocabulary

Requirements Standards (General Requirements):
• 27001 ISMS Requirements
• 27006 Certification Body Requirements

Guideline Standards (ISMS supporting Guidelines):
• 27002 Code of Practice (IS Controls)
• TR 27008 Auditing IS Controls
• 27005 IS Risk Management
• 27003 ISMS Implementation Guidance
• 27004 IS Measurements
• 27007 ISMS Audit Guidelines

Guideline Standards (Sector-specific Guidelines):
• 27011 Telecommunications Organizations
• 27799 Health Organizations
• 27015 Financial Sector
• 27010 Inter-sector communications (Crit. Infra.)

ISO/IEC 27000 Family – Other ISMS related Guidelines

• ISO/IEC 27013: Guidelines on the integrated implementation of ISO/IEC 20000-1 (IT service management) and ISO/IEC 27001
• ISO/IEC 27014: Information security governance framework
• ISO/IEC 27016: Information security economics

ISO/IEC 27000 Family – Schedule

ISO/IEC | Current published version | Current status (April 2011 WG Meeting)   | Next version expected *
27000   | 2009                      | Revision - definitions update            | 2012
27001   | 2005                      | Revision                                 | 2013
27002   | 2005                      | Revision                                 | 2013
27003   | 2010                      |                                          |
27004   | 2009                      |                                          |
27005   | 2008                      | Revision – minor alignment to ISO 31000  | 2011
27006   | 2007                      | Revision – alignment to new ISO 17021    | early 2012
27007   |                           | Final alignment to new ISO 19011         | 2012
27008   |                           | To be published                          | 2011
27010   |                           | FCD                                      | 2012
27011   | 2008                      |                                          |
27013   |                           | CD                                       | 2012/13
27014   |                           | CD                                       | 2013?
27015   |                           | CD                                       | 2013/14?
27016   |                           | WD (TR)                                  | 2013/14?

* Author's estimation, status April 2011

New and Future Work – Cloud Computing Security

• Joint work between SC27 Workgroups 1 (Requirements, Audit, Governance), 4 (Security technologies) and 5 (Identity management and privacy technologies)
• Study period Oct 2010 – April 2011
• New Work Item Proposal - Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002 (April 2011)
• Extended study period April 2011 – Oct 2011

ISO/IEC 27001 Revision

• ISMS requirements
• ISMS processes to implement the Plan, Do, Check, Act continuous improvement model
• This is a certification standard
• Annex A: catalogue of security controls (matching those in 27002)
• 27002 'should' controls vs. 27001 Annex A 'shall' controls
• 2005 version now under revision - estimated date for the new edition is 2013
• Until the new edition is published, the 2005 version is the only valid version

ISO/IEC 27001 Revision – Revision highlights

• Harmonisation and structural alignment with other management system standards
• Improvements in wording, concepts and ideas
• Further alignment with ISO 31000:2009, Risk Management

ISO/IEC 27001 Revision – Harmonised structure

Requirements for harmonisation and structural alignment with other management system standards should become clear by end of 2011:

– Common structure
– Common text
– Common definitions

• ISO/IEC 27001 adopted common structure (SC27 meeting Oct 2010)
• Common text partially adopted, partially modified and other common text still under discussion
• Common definitions under discussion

[Figure: Harmonisation of management system standards. Management system areas shown: Quality, Environment, Food safety, Information security management, Records management, Energy, Supply chains, IT services, Business continuity. Bodies labelled: ISO TMB, SC 27 WG1.]

ISO/IEC 27001 Revision – Harmonised structure

Draft High Level Structure MSS                 | ISO/IEC 27001:2005
Introduction                                   | Introduction
1. Scope                                       | 1. Scope
2. Normative References                        | 2. Normative references
3. Terms and definitions                       | 3. Terms and definitions
4. Context of the organization                 | 4. Information security management system
5. Leadership                                  | 5. Management responsibility
6. Planning                                    | 6. Internal ISMS Audits
7. Support                                     | 7. Management review of the ISMS
8. Operation                                   | 8. ISMS Improvement
9. Performance Evaluation                      | Annex A (normative) Control objectives and controls
10. Improvement                                |
Annex A                                        |

ISO/IEC 27002 Revision

• Code of practice for information security management
• Set of ISM control objectives and controls
• Implementation guidance for controls
• This is not a certification standard
• 27002 'should' controls vs. 27001 Annex A 'shall' controls
• The 2005 version is now under revision - estimated date for the new edition is 2013 (earliest)
• Until the new edition is published, the 2005 version is the only valid version

ISO/IEC 27002 Revision - Highlights

Revision objectives:

– modernize
– remove outdated controls
– content and terminology
– reduce redundancies
– remove technical detail
– add missing controls
– review in context of entire 27000 family and other ISO Standards

• General style and layout remain
• Some re-structuring of sections and relocation of controls necessary
• Your suggestions are welcome!

ISMS Certification

• Certification
• Accreditation
• Stakeholders and Conflicts

3rd Party ISMS Audits (Certification)

ISMS certification audits are performed to verify the effectiveness of an ISMS in compliance with ISO/IEC 27001:

• to verify the existence of objective evidence of ISMS processes
• to assess how successfully processes have been implemented
• for judging the effectiveness of achieving any defined ISMS target levels, providing evidence concerning reduction and elimination of ISMS problems
• a management tool for achieving continual improvement in an organization

ISMS Certificates Status

• Currently there are 10,000+ ISMS certificates world-wide
• www.iso27001certificates.com shows 7300+ examples of these certifications
– leading nation is Japan
– different sectors across countries
– CH: we have >30 certifications registered on the SAS site (i.e. certificates issued by Swiss certification bodies) http://www.seco.admin.ch/sas

ISMS – Certificates: Drivers to get certified

• Competitive advantage
• Meeting/supporting legislative requirements (e.g. SOX 404, SAS 70, HIPAA, Data Protection)
• Reduce third party auditing
• Demonstrate information security management capability and good corporate governance, both to external and internal stakeholders
• Create internal awareness / obtain budget for information security governance program

ISMS vs. COBIT 4 Maturity Levels

0 Non-existent — Complete lack of any recognisable processes. The enterprise has not even recognised that there is an issue to be addressed.

1 Initial/Ad Hoc — There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

2 Repeatable but Intuitive — Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 Defined Process — Procedures have been standardised and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed and Measurable — Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised — Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

© 1996-2007 IT Governance Institute, "COBiT 4.1 Executive Summary – Framework"

[Figure: markers labelled "ISMS" and "Current Status" placed on the maturity scale.]

ISMS Accreditation of Certification Bodies

SAS (Swiss Accreditation System), Bern = accreditation body (AB) → accreditation → certification body (CB)

• Accreditation of certification bodies is the internationally recognized way to create trust in certification
• EA-1/08 — Multi and Bilateral Agreement Signatories
• AB checks the systems, processes and documentation at the HQ of the CB
• AB witnesses on-site audits carried out by the CB
• Initial assessment by the AB as well as surveillance assessments (every 6-12 months)
• Accreditation lasts for 3 years and then a re-accreditation process takes place

Applicable standards and bodies:

• ISO 19011:2002 (& ISO/IEC 27007:2012)
• ISO/IEC 17021:2006 — Requirements for bodies providing audit and certification of management systems
• ISO/IEC 27006:2007 — Requirements for bodies providing audit and certification of information security management systems
• SAS 521.dw
• ISO Committee on conformity assessment (CASCO)
• SAS Sektorkomitee (SAS sector committee)

ISMS Certification

Certification body (CB) → certification → Organisation's ISMS

• CB checks the systems, processes and documentation of the implemented ISMS at the HQ of the organisation
• CB does on-site audits
• Initial assessment by the CB as well as surveillance audits/assessments (every 6-12 months)
• Certification lasts for 3 years and then a full re-certification process takes place
• Auditing of controls varies across CBs and countries (depending on AB)

Applicable standards:

• ISO 19011:2002 — Guidelines for quality and/or environmental management systems auditing
• (ISO/IEC 27007:2012) — Guidelines for information security management systems auditing
• ISO/IEC 27001:2005 — Information security management systems — Requirements

Annex

• Links
• ISO/IEC SC27 Workgroup Structure

Links

ISO: www.iso.org
SC27: www.jtc1sc27.din.de/en
SNV: www.snv.ch
SAS: www.seco.admin.ch/sas
ISMS Certificates: http://www.iso27001certificates.com
CH CBs: SQS: www.sqs.ch; KPMG: www.kpmg.ch; SGS: www.ch.sgs.com
Peter Weiss: peter_weiss (at) swissre.com

ISO/IEC SC27 Workgroup Structure

WG 1 "Information security management systems" – ISMS standards and guidelines

WG 2 "Cryptography and security mechanisms" – terminology, general models and standards for IT Security techniques and mechanisms for use in security services (both cryptographic and non-cryptographic techniques and mechanisms)

WG 3 "Security evaluation criteria" – standards for IT Security evaluation and certification of IT systems, components, and products

WG 4 "Security controls and services" – standards and guidelines addressing services and applications supporting the implementation of control objectives and controls as defined in ISO/IEC 27002

WG 5 "Identity management and privacy technologies" – standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data

Legal notice

©2011 Swiss Re. All rights reserved. You are not permitted to create any modifications or derivatives of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re.

Although all the information used was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re or its Group companies be liable for any financial and/or consequential loss relating to this presentation.