Presentation is loading. Please wait.

Presentation is loading. Please wait.

Why ISO 27001? Subtitle or presenter

Published byWhitney Gibbs Modified over 5 years ago

Similar presentations

Presentation on theme: "Why ISO 27001? Subtitle or presenter"— Presentation transcript:

1 Why ISO 27001? Subtitle or presenter
In this presentation I’ll show you why ISO doesn’t have to be just another bureaucratic compliance job – I’ll show you how it can help you do your job.

2 Copyright ©2014 9001Academy. All rights reserved.
By implementing information security, you help both your company and yourself The main point is – information security can be very useful – not only for our company, but also for you personally. 11/23/2018 Copyright © Academy. All rights reserved.

3 Copyright ©2014 9001Academy. All rights reserved.
Content Basic information about ISO 27001 The purpose of ISO 27001 The ISO framework ISO myths Benefits for our company Implementation details Your role in the implementation 11/23/2018 Copyright © Academy. All rights reserved.

4 Basic information about ISO 27001
International standard, published by ISO Developed by leading information security experts Applicable to any industry Applicable to any size company More than 20,000 companies have certified worldwide ISO = International Organization for Standardization Developed by leading information security experts – the point is, ISO is the summary of best information security practices worldwide 11/23/2018 Copyright © Academy. All rights reserved.

5 Copyright ©2014 9001Academy. All rights reserved.
The purpose of ISO 27001 Preservation of: Confidentiality Integrity Availability Confidentiality = only the authorized persons can access the information Integrity = only the authorized persons or systems can change the information Availability = the information is available when needed The point is: information security is not only about confidentiality, it is also about preserving the integrity and availability 11/23/2018 Copyright © Academy. All rights reserved.

6 How to protect the information
Controls (safeguards): Procedure Password Encryption Legal Training & awareness How can we protect the confidentiality, integrity and availability? Let's say, you leave your laptop frequently in your car, on the back seat. Chances are, sooner or later it will get stolen. So, what can you do to decrease the risk to your information? First of all, you can make a rule (by writing a procedure or a policy) that laptops cannot be left in a car unattended, or that you have to park a car where some kind of physical protection exists. Second, you can protect your information by setting a strong password and encrypting your data. Further, you can require your employees to sign a statement by which they are legally responsible for the damage that may occur. But all these measures may remain ineffective if you didn’t explain the rules to your employees through a short training. QUESTION: Can you think of any other risks in our company, and the ways to mitigate them? 11/23/2018 Copyright © Academy. All rights reserved.

7 What is information security?
So what can we conclude from the laptop example? The controls are never only IT-related – they always involve organizational issues, human resources management, physical security and legal protection. Therefore, information security is a set of combined controls, very diversified in nature. 11/23/2018 Copyright © Academy. All rights reserved.

8 The ISO 27001 framework Risk assessment & treatment
114 controls from Annex A Now, since our company has [use real number here] laptops, [number] servers, a complex network, lots of sensitive information in databases and on paper, many contractors, etc. - if protecting the information on a single laptop was easy, managing the security of all of these assets in an organization is certainly not. For that you need a system, and ISO defines the Information Security Management System or ISMS. So, what is it that you need to do to set your ISMS? First you need to find out what can go wrong with your information – that is, how can the confidentiality, integrity and availability of each and every piece of information in your company be endangered – this is done through a process called risk assessment; once you know where the risks are, you need to select appropriate controls (or safeguards) for each risk you find unacceptable. 11/23/2018 Copyright © Academy. All rights reserved.

9 Copyright ©2014 9001Academy. All rights reserved.
ISO myths “This is an IT job” “It’s all about writing policies and procedures” “We’ll get lost in all those documents” “ISO will only make our job more difficult” “It will be implemented in 2 months” “We do it only because of the certification” “This is an IT job” – this is wrong because security is everyone’s job – e.g., everyone needs to protect his or her laptop “It’s all about writing policies and procedures” – this is wrong because the point is not in writing documents, but in applying them in practice – e.g., if the procedure says that backup needs to be done daily even for laptops, then this is something that everyone needs to do “We’ll get lost in all those documents” – wrong because we will write only the documents that are really needed – we will try to keep the number of documents to a minimum; besides, we will present you with the documents before they are published “ISO will only make our job more difficult” – this standard may require some new things from you, but it will help you with other things – e.g., implementation of ISO will decrease the number of IT incidents, meaning that employees in the IT department won’t have to lose time on resolving those incidents; also, it will decrease the chance of someone abusing your account and performing fraud (for which you would be held accountable) “It will be implemented in 2 months” – this is wrong because implementation of ISO requires changes in behavior, and we cannot make several changes at the same time (imagine if we published 20 new policies and procedures in a single day). This is why these documents need to be introduced gradually “We do it only because of the certification” – certification is one of our goals, but not the only one… [go to the next slide] 11/23/2018 Copyright © Academy. All rights reserved.

10 Benefits for our company
Compliance Marketing edge Lowering the expenses Optimizing business processes [choose the benefits that fit your company – for detailed explanation of each of these read this article: Four key benefits of ISO implementation 11/23/2018 Copyright © Academy. All rights reserved.

11 Implementation details
Project manager: [insert name] Project sponsor: [insert name] Project duration: [insert number of months] Project manager – write here the person who will coordinate the implementation of ISO 27001 Project sponsor – write here someone from the top management who will provide you with support for your project Project duration – calculate the time needed using this free calculator: 11/23/2018 Copyright © Academy. All rights reserved.

12 Your role in the implementation
Suggest which processes to document Suggest changes in existing & new policies and procedures Read all the new documents and attend awareness & training sessions Comply with policies and procedures once they are published Suggest which process to document – if you think some process is important, but it is not clear who has to perform the tasks in this process, when and how 11/23/2018 Copyright © Academy. All rights reserved.

13 ISO 27001 helps you put all the pieces together (if done properly)
So to conclude – this standard enables you to take into account all the information in various forms and all the potential problems, and gives you the methodology how to keep the information secure. And in it will even make your job easier in some cases. However, to be effective, ISO needs to be implemented for real, not just because of an auditor and not just by printing documents without applying them. 11/23/2018 Copyright © Academy. All rights reserved.

14 Copyright ©2014 27001Academy. All rights reserved.
Thank you! Presenter’s name 11/23/2018 Copyright © Academy. All rights reserved.

Download ppt "Why ISO 27001? Subtitle or presenter"

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Dr. Julian Lo Consulting Director ITIL v3 Expert

Dr. Julian Lo Consulting Director ITIL v3 Expert
Security Controls – What Works

Security Controls – What Works
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Presentation on Integrating Management Systems www.imsrisksolutions.co.uk.

Presentation on Integrating Management Systems
Effectively applying ISO9001:2000 clauses 5 and 8

Effectively applying ISO9001:2000 clauses 5 and 8
General Awareness Training

General Awareness Training
FORESEC Academy FORESEC Academy Security Essentials (II)

FORESEC Academy FORESEC Academy Security Essentials (II)
95-8411-1 95-841 Information Assurance Policy Tim Shimeall

Information Assurance Policy Tim Shimeall
Hazards Identification and Risk Assessment

Hazards Identification and Risk Assessment
Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.

Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.
Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)

Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)
ICT Legislation  Copyright, Designs and Patents Act (1988);  Computer Misuse Act (1990);  Health and Safety at Work Act (1974);  EU Health and Safety.

ICT Legislation  Copyright, Designs and Patents Act (1988);  Computer Misuse Act (1990);  Health and Safety at Work Act (1974);  EU Health and Safety.
What is ISO 27001 Certification? Information is a valuable asset that can make or break your business. When properly managed it allows you to operate.

What is ISO Certification? Information is a valuable asset that can make or break your business. When properly managed it allows you to operate.
Primary Steps for Achieving ISO 27001 Certification.

Primary Steps for Achieving ISO Certification.
Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health

Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health
Project Management Training December 2020. Session One: Course Overview Think critically when choosing a project team Make the best of an assigned project.

Project Management Training December Session One: Course Overview Think critically when choosing a project team Make the best of an assigned project.
Copyright © 2012 Pearson Education, Inc. All rights reserved. Chapter 4 Code of Ethics.

Copyright © 2012 Pearson Education, Inc. All rights reserved. Chapter 4 Code of Ethics.
Safety Management Across Large Organizations The Meeks Lumber Way.

Safety Management Across Large Organizations The Meeks Lumber Way.

Similar presentations

Ads by Google