International Security Management Standards
BS ISO/IEC 17799:2005
BS ISO/IEC 27001:2005
- First edition – ISO/IEC 17799:2000
- Second edition – ISO/IEC 17799:2005
ISO/IEC 17799 takes the form of guidance notes and recommendations, produced following consultation with leading companies. ISO/IEC 27001:2005 provides requirements for Information Security Management and is relevant to those responsible for initiating, implementing or maintaining security in their organization.
Organizations
- ISO – International Organization for Standardization
- IEC – International Electrotechnical Commission
- BSI – British Standards Institution
BS 7799-Part 2:2002
BS 7799:Part 2 has been updated and was released as ISO/IEC 27001:2005 on October 15th. The new international version of the standard clarifies and strengthens the requirements of the original British standard, and includes changes to the following areas:
- risk assessment
- contractual obligations
- scope
- management decisions
- measuring the effectiveness of selected controls
Information Security Management System – Key Principles based on BS 7799
(Diagram: Corporate Information Security Policy; Information Security Management Policies / Standards framework; People – Education & awareness; Processes – Existing Processes; Technology – Technical Control; Information Security Risk)
ISMS Implementation
POLICY – Establish the context
- Define Information Security policy and objectives
- ISMS scope and policy
- Security Organization
Risk identification and assessment
- Identify risks
- Analyse risks
- Evaluate risks
Manage the risk
- Identify and evaluate options for managing the risks
- Select controls and objectives for the treatment and management of risk
- Implement selected controls
- Statement of applicability
Monitor the progress
- Create monitoring rules
- Monitor and review ISMS
Improve ISMS
- Identify improvements in the ISMS and implement them
- Take appropriate corrective and preventive actions
- Communicate and consult (management, stakeholders, users etc.)
The standard for Information Security Management Systems (ISMS), BS 7799 (now ISO/IEC 27001:2005), has fast become one of the world's established standards for information security.
What is an Information Security Management System (ISMS)?
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure. It encompasses people, processes and IT systems.
What is BS 7799?
BS 7799 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
BS 7799 is organized into 10 sections:
1. Security policy
2. Organization of assets and resources
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
ISO 27001:2005
The present standard has:
- 11 Domains
- 39 Control Objectives
- 133 Controls
ISO 27001:2005
The 11 domains are:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
Domain, control objectives & controls – Example
5 Physical and Environmental Security
5.1 Secure Areas
- Physical security perimeter
- Physical entry controls
- Securing offices, rooms and facilities
- Protecting against external and environmental threats
- Working in secure areas
- Public access, delivery and loading areas
5.2 Equipment Security
- Equipment siting and protection
- Supporting utilities
- Cabling security
- Equipment maintenance
- Security of equipment off-premises
- Secure disposal or reuse of equipment
- Removal of property
Domain, control objectives & controls – Example
11 Compliance
- 11.1 Compliance with legal requirements – 6 controls
- 11.2 Compliance with security standards and technical compliance – 2 controls
- 11.3 Information Systems Audit Considerations – 2 controls
- Formulation of security requirements and objectives;
- To ensure that security risks are cost-effectively managed;
- To ensure compliance with laws and regulations;
- As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- Identification and clarification of existing information security management processes;
- To be used by management to determine the status of information security management activities;
- To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
- To provide relevant information about information security policies, directives, standards and procedures to trading partners;
- To provide relevant information about information security to customers.
Laws and Regulations
- Regulatory requirements
- Establishment
- Organization
- Responsibilities
- Correlation to financial, operational and IT audit functions
Laws and Regulations
Steps to determine compliance with external requirements:
- Identify external requirements
- Document pertinent laws and regulations
- Assess whether management and the IS function have considered the relevant external requirements
- Review internal IS department documents that address adherence to applicable laws
- Determine adherence to established procedures
ISACA Standards and Guidelines for IS Auditing
- ISACA IS Auditing Standards
- ISACA IS Auditing Guidelines
- ISACA Code of Professional Ethics
ISACA Standards and Guidelines for IS Auditing
Objectives of ISACA IS Auditing Standards:
- Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
- Inform information systems auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics
ISACA Standards and Guidelines for IS Auditing
Framework for ISACA's Information Systems Auditing Standards:
- Standards
- Guidelines
- Procedures
ISACA Standards and Guidelines for IS Auditing
- Audit charter
- Independence
- Professional Ethics and Standards
- Competence
ISACA Standards and Guidelines for IS Auditing (continued)
- Planning
- Performance of audit work
- Reporting
- Follow-up activities
ISACA Standards and Guidelines for IS Auditing
Audit charter
- Responsibility, authority and accountability
ISACA Standards and Guidelines for IS Auditing
Independence
- Professional independence
- Organizational relationship
ISACA Standards and Guidelines for IS Auditing
Professional Ethics and Standards
- Code of Professional Ethics
- Due professional care
ISACA Standards and Guidelines for IS Auditing
Competence
- Skills and knowledge
- Continuing professional education
ISACA Standards and Guidelines for IS Auditing
Planning
- Audit planning
ISACA Standards and Guidelines for IS Auditing
Performance of audit work
- Supervision
- Evidence
ISACA Standards and Guidelines for IS Auditing
Reporting
- Report content and form
ISACA Standards and Guidelines for IS Auditing
Follow-up Activities
- Review previous conclusions and recommendations
- Review previous relevant findings
- Determine whether appropriate actions have been implemented on a timely basis
ISACA Standards and Guidelines for IS Auditing
Use of ISACA Guidelines
- Consider the guidelines in determining how to implement the standards
- Use professional judgment in applying these guidelines
- Be able to justify any departure