Understanding ISO/IEC 27001:2013 Information Security Management System
Overview of ISO/IEC 27001:2013 standard for information security management system (ISMS). Learn about the importance of protecting information assets, preserving confidentiality, integrity, and availability of information, and steps to certification. Enhance understanding of different types of information and media, information life cycle, and risk assessment process.
Presentation Transcript
ISO/IEC 27001:2013 Information security management system.
To brief members on the concepts of information security and the information security management system. Members should understand the requirements of the ISO/IEC 27001:2013 standard and how to implement it in our organization. To provide members with an overview of the steps to certification.
To enhance understanding of information and information security. To enhance understanding of the different kinds of information and information media. To enhance understanding of the information life cycle in relation to the ISMS.
Information security management system (ISMS): it is a part of the overall management system, based on a risk approach, to establish, implement, maintain and continually improve information security.
It is a requirement for ISO/IEC 27001:2013 standard certification. To make us understand the requirements of the ISO/IEC 27001:2013 standard and how to implement them in our organization. To enable us to develop the ISO/IEC 27001:2013 risk assessment process. To provide us with an overview of the steps to certification.
Information: an asset existing in many forms that has value to an organization and therefore requires proper protection. Asset: anything that has value to an organization.
What is information security? It is the preservation of Confidentiality, Integrity and Availability (C.I.A) of information. These three aspects (C.I.A) MUST be preserved throughout the information life cycle.
C - Confidentiality: information is not made available or disclosed to unauthorized persons or processes. I - Integrity: the property of protecting the accuracy and completeness of information assets. A - Availability: the property of information being accessible and usable upon demand by an authorized person.
Internal: information that must be protected due to ownership, ethical or privacy considerations. Confidential: information that is exempt from disclosure. Shared/Public: information regarded as publicly available.
Information life cycle: Create, Store, Modify, Distribute, Archive, Delete.
Information MUST maintain C.I.A throughout its life cycle to remain protected/secured and retain authenticity. Information may need protection from creation to deletion or disposal.
Loss, theft. Unauthorized disclosure. Accidental disclosure. Unauthorized modification. Unavailability. Lack of integrity.
Over-trusting people. Leaving doors open. Scribbling a lot on papers. Carrying office work home. Talking loudly on the phone. Sharing of offices. Not having a clear desk policy. Grapevine information. Printing information unnecessarily.
Power of ethanol. Unattended, unsecured computers. Updating too much on social media. Using the office computer for personal work or vice versa.
Names, addresses, phone numbers. Bank account numbers, credit card details. Personal details (health, etc.). Designs, patents, technical research. Passwords. Plans. Intelligence (on criminal activities, hostile nations, etc.). Contract bids, market research, competitive analysis. Security information (facility plans, etc.).
Mails/e-mails. DVDs. Databases. People's conversations. Websites/blogs/social networking sites. Memory sticks and flash disks. CD-ROMs. Papers (printed, handwritten, etc.).
Understanding the organization and its context: the internal and external issues and the interested parties that affect and are affected by the organization.
Internal issues: organizational structure, strategic objectives, internal stakeholders, contractual relationships, policies and governance, organizational culture.
External issues: social culture, legal, technological, political, ecological, competition.
Interested parties: stakeholders, consumers, suppliers, competitors, intermediaries. The organization shall determine the interested parties that are relevant to the information security management system and the requirements of these interested parties relevant to information security.
It is a document which clearly states an organization's range (boundaries), mandate and infrastructure (assets) in place to support delivery of its mandate. Note: the scope shall be available as documented information which clearly shows the processes, boundary and assets.
The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When defining the scope we need to consider: the internal and external issues; the needs and expectations of interested parties; interfaces and dependencies between activities performed by the organization and those performed by other organizations.
To provide quality tertiary education through teaching and research at the main and town campuses in Eldoret. It also includes consultancy and community outreach services. Assets of the university are human capital, land, infrastructure, state-of-the-art equipment and the use of enterprise resource planning to support the delivery of its mandate.
Top management shall demonstrate leadership and commitment with respect to the ISMS by: ensuring the resources needed for the ISMS are available; communicating the importance of the ISMS and of conforming to the ISMS requirements; ensuring that the ISMS achieves its intended outcome(s); ensuring the integration of ISMS requirements into the organization's processes.
Directing and supporting persons to contribute to the effectiveness of the ISMS. Promoting continual improvement. Ensuring information security policy and the information security objectives are established and are compatible with the strategic direction of the organization. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
It is a high-level statement of an organization's beliefs, goals, objectives and the means for their attainment in a specific subject area.
A policy should be: brief; written at a broad level; directive; eye-catching; an A4-size document.
The policy's goal is to protect UoE's information assets against all internal, external, deliberate and accidental threats. The VC shall approve the information security policy. The security policy ensures that: information will be protected against unauthorized access; confidentiality of information is assured; integrity of information will be maintained; information security awareness will be provided to all personnel on a regular basis; legislative and regulatory requirements will be met; the policy will be reviewed by the responsible team yearly and in case of any changes; all heads of units are directly responsible for implementing the policy at their respective levels and for the adherence of their staff. VC SIGNATURE
Risk-based thinking describes the tools for identifying and managing risks. It also refers to a coordinated set of activities and methods that an organization puts in place to manage and control the many risks that affect the organization's ability to achieve its objectives. Risk-based thinking replaces what the earlier version of the standard called preventive action.
Recognize the best and most relevant input data. Understand the benefits of the process. Recognize risks and their potential impacts to the organization in attaining its goals. Provide information for decision-makers.
Identify the asset (asset inventory). Identify the asset owner. Identify the location of the asset. Identify the risk. Identify the vulnerabilities. Evaluate the asset (calculate the risk). Record the findings (risk assessment matrix). React to non-conformities (corrective action plan).
Documentation reviews. Information gathering techniques: brainstorming, interviewing. Root cause analysis. SWOT analysis (Strengths, Weaknesses, Opportunities and Threats). PESTEL analysis (Political, Economic, Social, Technological, Environmental and Legal). Checklist analysis. Excel.
A risk assessment tool should be: I. Able to collect data. II. Able to analyze data. III. Repeatable. IV. Have clear instructions for use and analysis. V. Able to help in the selection of controls. VI. Able to report results in a clear and accurate manner. VII. Installed and configured correctly. VIII. Compatible with the organization's hardware and software in use.
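The eight steps above carried through on a small asset register, as an added example that is not from the presentation. The slides name the risk assessment matrix but give no formula, so the asset-value rule (highest C.I.A rating), the score (asset value x likelihood x impact), the Low/Medium/High bands and the sample assets are all assumptions made here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # step 2 of the process: the asset owner
    location: str         # step 3: where the asset is kept
    classification: str   # Internal / Confidential / Shared/Public, as on the slide
    cia: tuple            # (C, I, A) importance ratings, each 1 (low) .. 3 (high)
    def value(self) -> int:
        # Assumed rule: an asset is as valuable as its most important C.I.A aspect.
        return max(self.cia)

@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str         # e.g. "Unauthorized disclosure"
    vulnerability: str  # e.g. "Unattended unsecured computers"
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)
    def score(self) -> int:
        # Assumed formula: asset value x likelihood x impact, range 1..75.
        return self.asset.value() * self.likelihood * self.impact

def risk_level(score: int) -> str:
    # Assumed bands for the matrix: Low below 15, Medium from 15, High from 40.
    return "High" if score >= 40 else "Medium" if score >= 15 else "Low"

def risk_matrix(risks, acceptable="Low"):
    """Record the findings (step 7), highest risk first, and flag those above the acceptable level (step 8)."""
    rows = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        level = risk_level(r.score())
        rows.append({"asset": r.asset.name, "owner": r.asset.owner, "location": r.asset.location,
                     "classification": r.asset.classification, "threat": r.threat,
                     "vulnerability": r.vulnerability, "score": r.score(), "level": level,
                     "corrective_action_required": level != acceptable})
    return rows

# Constructed sample register: names and ratings are illustrative, not from the slides.
STUDENT_DB = Asset("Student records database", "Registrar", "Main campus server room",
                   "Confidential", (3, 3, 2))
WEBSITE = Asset("Public website", "ICT department", "Hosted externally", "Shared/Public", (1, 2, 3))
SAMPLE_RISKS = [
    Risk(STUDENT_DB, "Unauthorized disclosure", "Unattended unsecured computers", 3, 5),
    Risk(WEBSITE, "Unavailability", "No redundant hosting", 2, 3),
    Risk(WEBSITE, "Unauthorized modification", "Shared admin password", 2, 2),
]
if __name__ == "__main__":
    print(*risk_matrix(SAMPLE_RISKS), sep="\n")
```

Each row of the returned matrix carries the asset, owner, location, classification, threat, vulnerability and score, so the same record serves as the asset inventory and the corrective action list.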