TRANSCRIPT
ISO 27001/27002:What Can They Do For Me?
TECH11
3:30 PM
30 August 2012
Today’s Session
• Gain a real understanding of the value of ISO27001/27002 from those who have gone through the process
• Discuss strategies for success, best practices and a guide on how to get started down the road to achieving the ISO27001/27002 standards for internal security management systems
Today’s Panelists
Renee Murphy, Manager, Technology Audit, Latham & Watkins (moderator)
Paul McKay, Information Security Officer, Bond Pearce
Brian Lynch, Director, Risk Practice Group, IntApp
Andrew Rose, Principal Analyst, Forrester Research
“Is this just a London thing?”
What is ISO27000?
“ISO27000” is a term which encompasses ISO27001 and ISO27002
A global standard relating to Information Security Management
ISO27001: process
ISO27002: technical
What is ISO27000?
ISO27001
• Describes the Information Security Management System (ISMS)
• The only part of the ISO27000 series that you get certified against
• Drives a risk-based approach to controls, which are selected from ISO27002
ISO27002
• A list of technical controls
• Not all are compulsory
• You may need to supplement this list if your risks require it (e.g. Cloud, SaaS, consumerisation etc.)
Why ISO27001?
ISO has become a popular standard for several reasons:
• Global
• Flexible
• Independently audited
• Gives clients assurance
• Ensures you are thinking about information risk
• It’s about process, not technology
What is involved in the process?
• I’ve heard it’s a lot of work
• Does life become easier?
• What’s the difference between “certification” and “alignment”?
© 2011 Forrester Research, Inc. Reproduction Prohibited
A Key Decision – Scope
Example scope statements:
“The management of security relating to the provision of the document management system and WAN.”
“The provision, development, management and support of the Electronic Document Management System.”
“Design, development and provision of Information Communications Technology Services for Irwin Mitchell, within a secure environment, in accordance with the latest Statement of Applicability.”
How Much Effort?
Lessons Learned
• If I could have interviewed myself a yearago…
– Repeatable successes
– Pitfalls to avoid– Pitfalls to avoid
– Expectations
Commonly Expected Benefits
Primary:
• Demonstrate quality to clients / client demand
• Win new business
• Prepare for technology revolution
• Increase staff awareness
• Reduction in risk
Secondary:
• Positive press coverage
• Industry recognition
• Low cost initiative
• Stay at cutting edge of legal market
• Insurance reduction
Commonly Realised Benefits
Primary:
• Demonstrate quality to clients / client demand
• Win new business
• Prepare for technology revolution
• Increase staff awareness
• Reduction in risk
Secondary:
• Positive press coverage
• Industry recognition
• Low cost initiative
• Stay at cutting edge of legal market
• Insurance reduction
Unexpected:
• Standardised risk assessment model
• Enhanced metrics
• IT Audit process drives continual improvement
• IT Risk team becomes much more effective
• Business leaders become more engaged in IT
• Fewer incidents
Q&A
Contact Us
Renee Murphy, Manager, Technology Audit, Latham & Watkins, [email protected]
Paul McKay, Information Security Officer, Bond Pearce, [email protected]
Brian Lynch, Director, Risk Practice Group, IntApp, [email protected]
Andrew Rose, Principal Analyst, Forrester Research, [email protected]