Why ISO 27001? MARIANNE ENGELBRECHT

Presentation transcript:

Why ISO 27001? MARIANNE ENGELBRECHT

In this presentation I'll show you why ISO 27001 doesn't have to be just another bureaucratic compliance job – I'll show you how it can help you do your job.

Copyright ©2014 9001Academy. All rights reserved.

By implementing information security, you help both your company and yourself.

The main point is that information security can be very useful, not only for our company, but also for you personally.

Content
- Basic information about ISO 27001
- The purpose of ISO 27001
- The ISO 27001 framework
- ISO 27001 myths
- Benefits for our company
- Implementation details
- Your role in the implementation

Basic information about ISO 27001
- International standard, published by ISO
- Developed by leading information security experts
- Applicable to any industry
- Applicable to any size of company
- More than 20,000 companies have certified worldwide

ISO = International Organization for Standardization. "Developed by leading information security experts" means that ISO 27001 is a summary of the best information security practices worldwide.

The purpose of ISO 27001: preservation of confidentiality, integrity and availability.
- Confidentiality = only authorized persons can access the information
- Integrity = only authorized persons or systems can change the information
- Availability = the information is available when needed

The point is: information security is not only about confidentiality; it is also about preserving integrity and availability.

How to protect the information. Controls (safeguards): procedure, password, encryption, legal, training & awareness.

How can we protect the confidentiality, integrity and availability? Let's say you frequently leave your laptop in your car, on the back seat. Chances are, sooner or later it will get stolen. So, what can you do to decrease the risk to your information? First of all, you can make a rule (by writing a procedure or a policy) that laptops cannot be left in a car unattended, or that you have to park the car where some kind of physical protection exists. Second, you can protect your information by setting a strong password and encrypting your data. Further, you can require your employees to sign a statement by which they are legally responsible for any damage that may occur. But all these measures may remain ineffective if you don't explain the rules to your employees through a short training session.

QUESTION: Can you think of any other risks in our company, and ways to mitigate them?

What is information security? So what can we conclude from the laptop example? The controls are never only IT-related – they always involve organizational issues, human resources management, physical security and legal protection. Therefore, information security is a set of combined controls, very diverse in nature.

The ISO 27001 framework: risk assessment & treatment; 114 controls from Annex A.

Now, since our company has [use real number here] laptops, [number] servers, a complex network, lots of sensitive information in databases and on paper, many contractors, etc. – if protecting the information on a single laptop was easy, managing the security of all of these assets in an organization certainly is not. For that you need a system, and ISO 27001 defines the Information Security Management System, or ISMS. So, what do you need to do to set up your ISMS? First you need to find out what can go wrong with your information – that is, how the confidentiality, integrity and availability of each and every piece of information in your company can be endangered. This is done through a process called risk assessment. Once you know where the risks are, you need to select appropriate controls (or safeguards) for each risk you find unacceptable.
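As an added illustration that is not part of the presentation, here is a small risk register in Python that walks through the two steps just described for the laptop scenario: score each risk by its likelihood and its worst-case impact on confidentiality, integrity or availability, keep only the risks above an assumed acceptance threshold, and attach controls of the types the slides name. The scoring scheme, the threshold and the mapping of control types to properties are this example's own assumptions, not something the standard prescribes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Risk:
    """One risk-register row: asset, threat, impact per property (1 negligible .. 5 severe), likelihood (1 rare .. 5 almost certain)."""
    asset: str
    threat: str
    impact: Dict[str, int]   # keys: "confidentiality", "integrity", "availability"
    likelihood: int

    def level(self) -> int:
        # Likelihood times the worst-case impact across C, I and A (an assumed scoring scheme)
        return self.likelihood * max(self.impact.values())

# Assumed catalogue built from the control types the slide names; which property each control
# mainly protects is this example's own mapping, not something the standard prescribes.
CONTROLS_BY_PROPERTY: Dict[str, List[str]] = {
    "confidentiality": ["encryption of stored data", "strong password"],
    "integrity": ["strong password", "change-approval procedure"],
    "availability": ["daily backup procedure"],
}
# The slide's closing point: technical measures stay ineffective unless the rules are explained,
# so every treatment plan also carries the legal statement and training & awareness.
ALWAYS = ["legal responsibility statement", "training & awareness"]

def treat(risks: List[Risk], acceptable_below: int) -> List[Tuple[Risk, List[str]]]:
    """Return unacceptable risks (level >= acceptable_below), highest first, with proposed controls."""
    plan = []
    for r in sorted(risks, key=lambda x: x.level(), reverse=True):
        if r.level() < acceptable_below:
            continue  # accepted risk: stays in the register, no further treatment
        worst = max(r.impact.values())
        controls: List[str] = []
        for prop, impact in r.impact.items():
            if impact == worst:  # treat the property (or properties) hit hardest
                controls += [c for c in CONTROLS_BY_PROPERTY[prop] if c not in controls]
        plan.append((r, controls + ALWAYS))
    return plan

# Constructed register: the laptop-in-the-car scenario from the slide plus two other sample entries
REGISTER = [
    Risk("laptop", "stolen from unattended car", {"confidentiality": 4, "integrity": 2, "availability": 3}, 4),
    Risk("laptop", "disk failure with no backup", {"confidentiality": 1, "integrity": 2, "availability": 4}, 3),
    Risk("printed report", "left on a desk overnight", {"confidentiality": 3, "integrity": 1, "availability": 1}, 2),
]

if __name__ == "__main__":
    for risk, controls in treat(REGISTER, acceptable_below=8):
        print(f"{risk.asset}: {risk.threat} (level {risk.level()}) -> {', '.join(controls)}")
```

With the threshold of 8, the stolen-laptop and disk-failure risks come out as unacceptable and get controls, while the printed report (level 6) is accepted and simply stays in the register.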

ISO 27001 myths
- "This is an IT job" – wrong, because security is everyone's job; e.g., everyone needs to protect his or her laptop.
- "It's all about writing policies and procedures" – wrong, because the point is not writing documents but applying them in practice; e.g., if the procedure says that backups need to be done daily even for laptops, then this is something everyone needs to do.
- "We'll get lost in all those documents" – wrong, because we will write only the documents that are really needed and keep their number to a minimum; besides, we will present you with the documents before they are published.
- "ISO 27001 will only make our job more difficult" – the standard may require some new things from you, but it will help you with others; e.g., implementing ISO 27001 will decrease the number of IT incidents, so employees in the IT department won't have to lose time resolving them; it will also decrease the chance of someone abusing your account and committing fraud (for which you would be held accountable).
- "It will be implemented in 2 months" – wrong, because implementing ISO 27001 requires changes in behavior, and we cannot make several changes at the same time (imagine if we published 20 new policies and procedures in a single day); this is why the documents need to be introduced gradually.
- "We do it only because of the certification" – certification is one of our goals, but not the only one… [go to the next slide]

Benefits for our company
- Compliance
- Marketing edge
- Lowering the expenses
- Optimizing business processes

[choose the benefits that fit your company – for a detailed explanation of each of these, read this article: Four key benefits of ISO 27001 implementation http://blog.iso27001standard.com/2010/07/21/four-key-benefits-of-iso-27001-implementation/]

Implementation details
- Project manager: [insert name]
- Project sponsor: [insert name]
- Project duration: [insert number of months]

Project manager – write here the person who will coordinate the implementation of ISO 27001. Project sponsor – write here someone from top management who will provide you with support for your project. Project duration – calculate the time needed using this free calculator: http://www.iso27001standard.com/en/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation

Your role in the implementation
- Suggest which processes to document
- Suggest changes in existing & new policies and procedures
- Read all the new documents and attend awareness & training sessions
- Comply with policies and procedures once they are published

Suggest which process to document: if you think some process is important, but it is not clear who has to perform the tasks in this process, when and how.

ISO 27001 helps you put all the pieces together (if done properly). So to conclude – this standard enables you to take into account all the information in its various forms and all the potential problems, and gives you a methodology for keeping the information secure. And it will even make your job easier in some cases. However, to be effective, ISO 27001 needs to be implemented for real, not just because of an auditor and not just by printing documents without applying them.

Thank you! MARIANNE ENGELBRECHT

Copyright ©2014 27001Academy. All rights reserved.