ISO 27000
Presented by :
Miss Vrindah Chaundee
Agenda
Overview of ISO 27000 Series
History
Why apply ISO 27000?
Areas in ISO 27000
Statistics
Examples
ISO 27000 Series
ISO 27000 is the generic name assigned to standards related to information security issues and topics.
The ISO/IEC 27000 series includes information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The ISO 27000 series comprises a family of information security standards that includes ISO 27001 and ISO 27002, among others.
History
1992 : The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.
1995 : This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS7799.
1999 : The first major revision of BS7799 is published. This includes many major enhancements.
2000 : In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).
History
2002 : A second part to the standard is published: BS7799-2. This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.
2005 : A new version of ISO 17799 is published. This includes two new sections and closer alignment with BS7799-2 processes. ISO 27001 / ISO 27002 is published, replacing BS7799-2, which is withdrawn.
2005+ : The framework keeps evolving.
Why is ISO 27000 such an important standard in the world of information security?
Confidentiality: protecting sensitive information from unauthorized disclosure
Integrity: safeguarding the accuracy and completeness of information/data
Availability: ensuring that information and associated services are available to users when required
The ISO 27000 series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS). The ISMS concept integrates continuous feedback and improvement activities summarized by a Plan-Do-Check-Act (PDCA) approach.
The ISO 27000 standards are applicable to organizations of all types, across industries, and sizes.
PDCA Model
Areas in ISO 27000
10 Domains : To have and to hold
Security Policy : Provides guidelines and management advice for improving information security.
Organization Security : It is the management structure for security, including the appointment of qualified personnel and the definition and assignment of roles and responsibilities.
Asset Classification and Control : It facilitates the process of carrying out an inventory and the assessment of the organization's information assets.
Personnel Security : It minimizes the risks of human error, theft, fraud or the abusive use of equipment by setting expectations in job responsibilities.
Physical and Environmental Security : It includes measures to prevent the violation, deterioration or disruption of industrial facilities and data.
Communications and Operations Management : It ensures that adequate and reliable operation of information processing devices prevails within the organisation, using preventive measures of various kinds.
Access Control : It forms the underlying structure for securing information, using access controls to network, system and application resources.
Systems Development and Maintenance : It ensures that security is incorporated into information systems and that security forms an integral part of any network and systems expansion.
Business Continuity Management : It focuses on the planning activities for disaster recovery.
Compliance : It ensures compliance with relevant statutory, regulatory and contractual requirements.
10 Domains : To have and to hold
IT Security Policy Analysis
Analysis of security programs and training practices
Analysis of compliance with established standards
Analysis of reasons for non-compliance with information security policy
Examples
Keep Clean Ltd
Mauritius Mesh & Steel
Hinduja TMT