1. ISO/IEC 27001 Winnie Chan BADM 559 Professor Shaw 12/15/2008

2. ISO/IEC 27001 Objective To provide a guide for establishing, implementing, reviewing, and maintaining a firm’s Information Security Management System (ISMS) To provide a guide for establishing, implementing, reviewing, and maintaining a firm’s Information Security Management System (ISMS) –Using a Continual Improvement Approach Known as the Plan-Do-Check-Act (PDCA) Cycle

3. PDCA Cycle Plan Stage Plan Stage –Involves establishment of a Firm’s Security Objectives and Methods to Achieve Those Are Drafted Out Using a Risk Assessment Approach –Appropriate Information Security Controls Determined Do Stage Do Stage –Plan is Implemented Act Stage Act Stage –Analyze Results and Compare Actual Accomplishments to Planned Objectives Check Stage Check Stage –Continuously Makes Necessary Changes Until the Best Future Result From the ISMS is Obtained.

4. ISO/IEC 27001 History First part of the growing ISO/IEC 27000 (ISO 27K) Family First part of the growing ISO/IEC 27000 (ISO 27K) Family – Series of Information Security Standards Developed to Protect the Reliability, Confidentiality, and Accessibility of Essential Data that Firms Rely On Derived From the 1999 British Standard (BS) 7799- Part 2 Derived From the 1999 British Standard (BS) 7799- Part 2 In October 2005: In October 2005: –Adopted By the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Also Known As “Information Security Management- Specification with Guidance for Use” Also Known As “Information Security Management- Specification with Guidance for Use”

5. ISO/IEC 27001 Structure 8 Major Sections: 8 Major Sections: –Scope, Normative References, Terms and Definitions, ISMS, Management Responsibility, Internal ISMS Audits, Management Review of the ISMS, and ISMS Improvements 3 Main Annexes: 3 Main Annexes: –Control Objectives and Controls –Organisation for Economic Co-Operation and Development (OECD) Principles –ISO/IEC 27001, and the correspondence between ISO 9001 (Quality Management Systems Standard), ISO 14001 (Environmental Management Systems Standard) and ISO/IEC 27001.

6. Certification Process Desktop Audit Desktop Audit –Accredited Certification Body Auditor Examines a Firm’s Relevant Documents Like its Statement of Applicability (SoA) and Risk Treatment Plan (RTP) Examines a Firm’s Relevant Documents Like its Statement of Applicability (SoA) and Risk Treatment Plan (RTP) On-Site Audit On-Site Audit –Certification Body Sends an Audit Team to Perform an In-Dept Assessment of a Firm’s Information Security System’s Implementation Sends an Audit Team to Perform an In-Dept Assessment of a Firm’s Information Security System’s Implementation Firm Agrees to Surveillance Schedule Firm Agrees to Surveillance Schedule –Certification Body Periodically Checks Firm’s ISMS Every 6-9 Months Issuance of Certificate Issuance of Certificate –Certificate Only Lasts for 3 years after Initial Certification

7. Pros to Certification Certified Firms: Certified Firms: –Meets US Legislative Requirements Sarbanes Oxley Section 404 Sarbanes Oxley Section 404 Statement of Auditing Standards (SAS) 70 Statement of Auditing Standards (SAS) 70 Health Insurance Portability and Accountability Act (HIPAA) Requirements Health Insurance Portability and Accountability Act (HIPAA) Requirements –Have Reduced Regulation Costs –May Get Insurance Reduction Premiums –Results in Improved Confidence from Suppliers, Customers, and Stakeholders Confidence from Suppliers, Customers, and Stakeholders –Have Competitive Advantage

8. Update on ISO/IEC 27001 ISO/IEC 27001 currently being revised by renown experts in information security area ISO/IEC 27001 currently being revised by renown experts in information security area –Angelika Plate –Matthieu Grall Revised version Expected to Be Published Sometime in 2009 or 2010 Revised version Expected to Be Published Sometime in 2009 or 2010