ISO/IEC 27001 implementation – challenges and practical solutions October 2015


Page 1 (source: event.dss.lv/sites/all/themes/dss/presentations_2015/session_5/ISO...)


Copyright © 2015 Accenture All rights reserved.

About Presenter

Intars Garbovskis, Information Security Lead, Accenture Latvia

Intars is leading the Accenture Latvia Security Practice and acting as the Information Security Lead for delivery centers in Latvia, Mauritius, Morocco, France and the Netherlands. He is a Certified Information Systems Auditor and ISO 27001 Lead Auditor with more than 10 years of professional IT consulting, project management, information systems auditing and ISMS implementation experience. Specialties: ISO 27001 implementation, IT Governance and project management, IS Auditing, Business Analysis, ISO/IEC 20000, ITIL, CobIT, Business Continuity/Disaster Recovery.


Agenda

• ISO/IEC 27001:2013: Information Security Management System

• Key challenges

• Effective solutions and tactics

• Why ISO/IEC 27001:2013?


ISO/IEC 27001:2013: Information Security Management System

The standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The main objective of an ISMS is to preserve the confidentiality, integrity and availability of information.

Applicable to all organizations, regardless of type, size or nature.

Structure of the standard:

• 7 mandatory clauses.

• 114 controls spread across 14 domains and 35 control objectives.


Key challenges

• Top management commitment and support

• Raise awareness and build security culture

• Systematically follow implemented ISMS processes

• Ensure continual improvement of ISMS


Effective solutions and tactics (1)

• Communication to ALL interested parties

• Continual and natural management example (role model)

• Formally assigned responsibilities and authority

• Provided the needed resources (with required competences!)

• Management approved ISMS implementation and maintenance plan

• Clearly defined ISMS scope, objectives and benefits


Effective solutions and tactics (2)

Effective security awareness programs*

• Set a clear goal, define metrics and measure the progress

• Involve the right audience

• Choose the relevant topics and most effective communication channels

• Plan for long-term culture

Living ISMS maintenance and improvement plan

• Assign an owner of the ISMS maintenance and improvement plan

• Regular reporting to the top management (use a simple dashboard)

• Ensure regular follow-ups with the interested parties to ensure implemented ISMS processes are followed, identified risks are closed, new risks are identified

Evaluation of ISMS effectiveness

• Define performance evaluation metrics that will be monitored

• Define when and who will analyse the metrics

• Use the measurement results to evaluate effectiveness and make decisions for continual ISMS improvement

Source: https://securitycultureframework.net


Why ISO/IEC 27001:2013?

Benefits:

• Holistic, structured and risk-based IS management approach -> Improved IS across the whole organisation.

• Demonstrates credibility and trust. Provides customers and stakeholders with confidence that IS is adequately managed.

• Competitive advantage in the market.

• Increased awareness of interested parties.

• Improved security culture within the organisation.

• Cost savings through reduction in security incidents.


IT Governance research ISO 27001 Global Report 2015: Drivers based on survey findings

Drivers

• 96% feel ISO 27001 plays an important role in improving cyber security defence.

• 70% reveal improving information security as the biggest driver for implementing ISO 27001.

• 66% were asked by their clients about their ISO 27001 status in the past 12 months.

• 23% have full time ISMS Managers employed at their company.

Improving IS across the whole organisation is the single most important benefit. Others include: meeting industry requirements to comply with best practice, and gaining a competitive advantage.

Implementing an ISMS allows an organisation to define and monitor risk levels internally, thus driving management decisions to balance expenditure against potential business harm.

Respondents reveal that ISO 27001 is a regular requirement for contracts and tendering for new business.

This activity is generally delegated to various other roles within the organisation (e.g. IT Managers). 44% admit that the person managing their ISMS does not have formal ISO 27001 qualifications.

Source: ISO 27001 Global Report 2015 by IT Governance


IT Governance research ISO 27001 Global Report 2015: Challenges based on survey findings

Challenges

• 45% state “obtaining employee buy-in and raising staff awareness” is one of the biggest challenges in implementing ISO 27001.

• 20% find it a challenge “convincing the board that information security is a critical business issue”.

• 40% seek external help for certification.

Reasons behind this challenge include securing sufficient budget allowance, gaining permission to employ sufficient resources and having Leadership agree to complete certification.

Engaging staff with the right level of competence and expertise is fundamental to the success and the long-term effectiveness of an ISMS. Increasing IS awareness among non-technical staff is essential – employees are the weakest link.

The absence of full time staff and formal training for ISMS management may contribute to this result. Large organisations with dedicated ISMS staff still benefit from external help and advice as implementation can be more complex.

Source: ISO 27001 Global Report 2015 by IT Governance