ISO/IEC 27001 implementation – challenges and practical solutions October 2015
Copyright © 2015 Accenture All rights reserved.
About Presenter
Intars Garbovskis, Information Security Lead, Accenture Latvia. Intars leads the Accenture Latvia Security Practice and acts as the Information Security Lead for delivery centers in Latvia, Mauritius, Morocco, France and the Netherlands. He is a Certified Information Systems Auditor and ISO 27001 Lead Auditor with more than 10 years of professional experience in IT consulting, project management, information systems auditing and ISMS implementation. Specialties: ISO 27001 implementation, IT Governance and project management, IS Auditing, Business Analysis, ISO/IEC 20000, ITIL, CobIT, Business Continuity/Disaster Recovery.
Agenda
• ISO/IEC 27001:2013: Information Security Management System
• Key challenges
• Effective solutions and tactics
• Why ISO/IEC 27001:2013?
ISO/IEC 27001:2013: Information Security Management System
The standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The main objective of an ISMS is to preserve the confidentiality, integrity and availability of information.
Applicable to all organizations, regardless of type, size or nature.
Structure of the standard:
• 7 mandatory clauses.
• 114 controls spread across 14 domains and 35 control objectives.
Key challenges
• Top management commitment and support
• Raise awareness and build security culture
• Systematically follow implemented ISMS processes
• Ensure continual improvement of ISMS
Effective solutions and tactics (1)
• Communication to ALL interested parties
• Continual and natural management example (role model)
• Formally assigned responsibilities and authority
• Provided the needed resources (with required competences!)
• Management approved ISMS implementation and maintenance plan
• Clearly defined ISMS scope, objectives and benefits
Effective solutions and tactics (2)
Effective security awareness programs*
• Set a clear goal, define metrics and measure the progress
• Involve the right audience
• Choose the relevant topics and most effective communication channels
• Plan for long-term culture
Living ISMS maintenance and improvement plan
• Assign an owner of the ISMS maintenance and improvement plan
• Regular reporting to the top management (use a simple dashboard)
• Ensure regular follow-ups with the interested parties to ensure implemented ISMS processes are followed, identified risks are closed, new risks are identified
Evaluation of ISMS effectiveness
• Define performance evaluation metrics that will be monitored
• Define when and who will analyse the metrics
• Use the measurement results to evaluate effectiveness and make decisions for continual ISMS improvement
Source: https://securitycultureframework.net
Why ISO/IEC 27001:2013?
Benefits:
• Holistic, structured and risk-based IS management approach -> Improved IS across the whole organisation.
• Demonstrates credibility and trust. Provides customers and stakeholders with confidence that IS is adequately managed.
• Competitive advantage in the market.
• Increased awareness of interested parties.
• Improved security culture within the organisation.
• Cost savings through reduction in security incidents.
IT Governance research ISO 27001 Global Report 2015: Drivers based on survey findings
Drivers
• 96% feel ISO 27001 plays an important role in improving cyber security defence.
• 70% reveal improving information security as the biggest driver for implementing ISO 27001. Improving IS across the whole organisation is the single most important benefit. Others include: meeting industry requirements to comply with best practice, and gaining a competitive advantage.
Implementing an ISMS allows an organisation to define and monitor risk levels internally, thus driving management decisions to balance expenditure against potential business harm.
• 66% were asked by their clients about their ISO 27001 status in the past 12 months. Respondents reveal that ISO 27001 is a regular requirement for contracts and tendering for new business.
• 23% have full time ISMS Managers employed at their company. This activity is generally delegated to various other roles within the organisation (e.g. IT Managers). 44% admit that the person managing their ISMS does not have formal ISO 27001 qualifications.
Source: ISO 27001 Global Report 2015 by IT Governance
IT Governance research ISO 27001 Global Report 2015: Challenges based on survey findings
Challenges
• 45% state "obtaining employee buy-in and raising staff awareness" is one of the biggest challenges in implementing ISO 27001. Engaging staff with the right level of competence and expertise is fundamental to the success and the long-term effectiveness of an ISMS. Increasing IS awareness among non-technical staff is essential – employees are the weakest link.
• 20% find it a challenge "convincing the board that information security is a critical business issue". Reasons behind this challenge include securing sufficient budget allowance, gaining permission to employ sufficient resources and having Leadership agree to complete certification.
• 40% seek external help for certification. The absence of full time staff and formal training for ISMS management may contribute to this result. Large organisations with dedicated ISMS staff still benefit from external help and advice as implementation can be more complex.
Source: ISO 27001 Global Report 2015 by IT Governance
Thank you!
Accenture Security Services