ISO/IEC 27001:2005 A brief introduction Kaushik Majumder

Presentation transcript:

1 ISO/IEC 27001:2005 A brief introduction
Kaushik Majumder
Information Security Group, Datamatics Global Services Limited
September 2009

2 Agenda
Information & Information Security......?????
Achieving Information Security
ISO Overview
Datamatics: Who has certified us.....????????
Datamatics Roadmap to ISO
Roles & Responsibilities (Information Security Cell)

3 Information
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”
Information can be:
Printed or written on paper
Stored electronically
Transmitted by mail or electronic means
Spoken in conversations
Need for Information Security

4 What is Information Security?
ISO 27001 defines this as the preservation of:
Confidentiality: ensuring that information is accessible only to those authorized to have access
Availability: ensuring that authorized users have access to information and associated assets when required
Integrity: safeguarding the accuracy and completeness of information and processing methods
Threats, Vulnerabilities, Risks

5 Achieving Information Security
4 Ps of Information Security: Policy & Procedures, Products, People

6 What is ISO 27001?
An internationally recognized structured methodology dedicated to information security
A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
A comprehensive set of controls comprising best practices in information security
Applicable to all industry sectors
Emphasis on prevention

7 ISO 27001:2005 Structure
Five mandatory requirements of the standard:
Information Security Management System
• General requirements
• Establishing and managing the ISMS (e.g. risk assessment)
• Documentation requirements
Management Responsibility
• Management commitment
• Resource management (e.g. training, awareness)
Internal ISMS Audits
Management Review of the ISMS
• Review input (e.g. audits, measurement, recommendations)
• Review output (e.g. update risk treatment plan, new resources)
ISMS Improvement
• Continual improvement
• Corrective action
• Preventive action

8 The 11 Domains of Information Management
Overall the standard can be summarised as:
• Domain areas – 11
• Control objectives – 39
• Controls – 133

9 ISMS @ Datamatics
DGSL Security Policy
DGSL is committed to maintaining an effective information security management system, which will enable dissemination of information throughout the organization, to its associates, and to its customers, as required for its business, while ensuring, as appropriate, its confidentiality, integrity and availability.

10 Organization Structure
CEO
MISF Chairperson
Mem 1, ISM, Mem 2, Mem 3
ISC: Nashik, ISC: Mumbai, ISC: Chennai, ISM/ISC: USA

11 Certification Body and Certificate Validity
STQC - Standardization Testing and Quality Certification
DGSL achieved its 1st certification in Nov 2003 on the BS 7799 standard.
Migrated to the new standard “ISO 27001” in July 2006.
According to the new policy, surveillance audits are conducted after 12, 24 and 36 months.
Certification is valid for 3 years.
Our next certification is due in October 2009.

12 ISO 27001:2005 @ Datamatics - PDCA
Plan
Establish ISMS scope, policy, objectives, processes and procedures
Define risk assessment approach
Perform risk assessment
Select controls for treatment of risks
Obtain management approval of residual risks

13 PDCA: Do
Formulate and implement RTP (Risk Treatment Plan)
Implement ISMS policy, objectives, processes and procedures
Define how to measure the effectiveness
Implement training and awareness program

14 PDCA: Check
Monitor and review procedures
Measure effectiveness of controls
Review risk assessment and residual risks
Conduct internal ISMS audit
Undertake management review

15 PDCA: Act
Take corrective and preventive actions
Apply lessons learnt
Communicate actions for improvement to interested parties
VA/PT (coordinating the closure of vulnerabilities found in the report), closure of NCs

16 Roles & Responsibilities
Maintain information security documentation as well as forms.
Liaising with SSG to improve processes
Keeping a tab on the status of the requests.
Documenting reports (firewall review, additional access rights, IDS review, antivirus logs review, CPU/bandwidth review, server access logs review, backup logs review)
Reviewing forms (server patches update, laptop requisition, backup register, server room register, data verification form, server configuration form)
Monitoring of servers
Monitoring critical server alerts
Monitoring syslog servers
Monitoring firewalls & IDS for severe intrusions & events
Liaising with CITNO to resolve all the issues and monitoring
Review of deleted user IDs from exit list
Document and report review
ISMS improvement (continuous improvement)
Evaluation/testing and deployment of security software on critical laptops
Planning & implementation of network security, including configuring firewalls, file permissions and adding and deleting users.
Liaising with vendors for negotiating technical requirements & establishing prices.

17 Roles & Responsibilities
Internal audits: planning, conducting and verification audits (coordinating with respective LOBs for closure of NCs)
Develop and conduct awareness training
Helping organization users with any ISMS related queries.
Ensure that security activities are executed in compliance with the information security policy.
Identify how to handle non-compliances
Co-ordinate vulnerability assessment / penetration testing exercise
Liaising with the vendor, coordinating with CITNO to resolve problems
Close down the vulnerabilities associated with systems/networks by discussing with the third party service provider or otherwise through online assistance provided by various security forums
Co-ordinate the implementation of information security controls
Facilitating the external audit
Active participation and involvement in BUPA audit.

18 Please visit..... http://dlnet/dlintranet/Login.do?method=showLogin/ISMS
ISMS Manual
P&G Manual

19 Q&A

20 THANK YOU

