Understanding ISO/IEC 27001:2013 Information Security Management System

ISO/IEC 27001:2013
Information security management system.
 
Objectives:
To brief members on the concept of information
security and the information security management system.

To help members understand the requirements of the
ISO/IEC 27001:2013 standard and how to implement it in our
organization.

To provide members with an overview of the steps to
certification.
 
 
 
To enhance understanding of information and
information security.

To enhance understanding of the different kinds
of information and information media.

To enhance understanding of the information life cycle
in relation to the ISMS.
 
Information security management system (ISMS):
It is the part of the overall management system,
based on a risk approach, used to establish, implement,
maintain and continually improve information
security.
 
 
An ISMS is a requirement for certification against the
ISO/IEC 27001:2013 standard.
Objectives of this session:
To make us understand the requirements of
ISO/IEC 27001:2013 and how to
implement them in our organization.
To enable us to develop the
ISO/IEC 27001:2013 risk assessment process.
To provide us with an overview of the steps to
certification.
 
 
 
Information:
is an asset that exists in many forms
and has value to an organization; it therefore requires
proper protection.

Asset: anything that has value to an
organization.
 
What is information security?
It is the preservation of Confidentiality,
Integrity and Availability (C.I.A.) of information.

These three properties of information (C.I.A.) MUST be
preserved throughout the information life cycle.
 
C - Confidentiality:
the property that information is not made available or
disclosed to unauthorized persons or processes.
I - Integrity:
the property of protecting the accuracy and
completeness of information assets.
A - Availability:
the property of information being accessible and
usable upon demand by an authorized person.
 
Information classification:
Internal;
Information that must be protected due to
ownership, ethical or privacy considerations.
Confidential;
Information that is exempted from disclosure.
Shared/Public;
Information regarded as publicly available.
 
 
 
 
Information life cycle:
Create, Store, Modify, Distribute, Archive, Delete.

Information MUST maintain C.I.A. throughout its
life cycle for it to remain protected and
retain its authenticity. Information may need
protection from creation to deletion or disposal.
 
Threats to information:
Loss or theft.
Unauthorized disclosure.
Accidental disclosure.
Unauthorized modification.
Unavailability.
Loss of integrity.
 
Practices that put information at risk:
Over-trusting people.
Leaving doors open.
Scribbling a lot on paper.
Carrying office work home.
Talking loudly on the phone.
Sharing of offices.
Not having a clear desk policy.
Passing information through the grapevine.
Printing information unnecessarily.
The influence of alcohol.
Unattended, unsecured computers.
Over-sharing on social media.
Using the office computer for personal work, or
vice versa.
 
Examples of information that needs protection:
Names, addresses, phone numbers.
Bank account numbers, credit card details.
Personal details (health, etc.).
Designs, patents, technical research.
Passwords.
Plans.
Intelligence (on criminal activities, hostile nations,
etc.).
Contract bids, market research, competitive
analysis.
Security information (facility plans, etc.).
 
 
Information media:
Mail/e-mail.
DVDs.
Databases.
People's conversations.
Websites, blogs and social networking sites.
Memory sticks and flash disks.
CD-ROMs.
Paper (printed, handwritten, etc.).
 
 
 
Context of the organization
 
 
 
 
Understanding the organization and its
context:
the internal issues, external issues and interested
parties that affect, and are affected by, the
organization.
 
 
 
Internal issues
Organizational structure
Strategic objectives
Internal stakeholders
Contractual relationships
Policies and governance
Organizational culture
 
 
External issues
Social culture
Legal
Technological
Political
Ecological
Competition
 
 
 
Interested parties
Stakeholders
Consumers
Suppliers
Competitors
Intermediaries

The organization shall determine the interested parties
that are relevant to the information security
management system, and the requirements of
these interested parties that are relevant to
information security.
 
 
Scope of the ISMS:
It is a document that clearly states an
organization's range (boundaries), mandate and the
infrastructure (assets) in place to support
delivery of its mandate.

Note: The scope shall be available as documented information and must clearly show the
processes, boundary and assets.
 
The organization shall determine the
boundaries and applicability of the
information security management system to
establish its scope.
When defining the scope we need to consider:
The internal and external issues.
The needs and expectations of interested parties.
Interfaces and dependencies between activities performed by the
organization and those that are performed by other organizations.
 
 
 
Example scope statement:
To provide quality tertiary education through
teaching and research at the main and town
campuses in Eldoret.
It also includes consultancy and community
outreach services. The assets of the university are
human capital, land, infrastructure, state-of-the-
art equipment and the use of enterprise
resource planning to support the delivery of
its mandate.
 
 
LEADERSHIP
 
 
Top management shall demonstrate leadership and
commitment with respect to the ISMS by:

Ensuring the resources needed for the ISMS are available.

Communicating the importance of the ISMS and of
conforming to the ISMS requirements.

Ensuring that the ISMS achieves its intended outcome(s).

Ensuring the integration of the ISMS requirements into the
organization's processes.
 
 
 
 
 
 
 
Directing and supporting persons to contribute to the
effectiveness of the ISMS.

Promoting continual improvement.

Ensuring the information security policy and the information
security objectives are established and are compatible with
the strategic direction of the organization.

Supporting other relevant management roles to demonstrate
their leadership as it applies to their areas of responsibility.
 
 
 
 
Information security policy:
It is a high-level statement of an organization's
beliefs, goals, objectives and the means for their
attainment for a specific subject area.
 
A good policy is:
Brief.
Written at a broad level.
Directive.
Catches the reader's eye.
An A4-size document.
 
Example information security policy:
The policy's goal is to protect the
organization's (UoE) information assets against all
internal and external, deliberate and accidental
threats.
The VC shall approve the information security
policy.
The security policy ensures that:
Information will be protected against unauthorized access.
Confidentiality of information is assured.
Integrity of information will be maintained.
Information security awareness will be provided to all personnel on a regular basis.
Legislative and regulatory requirements will be met.
The policy will be reviewed by the responsible team yearly and whenever there are changes.
All heads of units are directly responsible for implementing the policy at their
respective levels and for the adherence of their staff.
                                                                 VC SIGNATURE
 
 
Risk-based thinking:
It describes the tools for identifying and managing risks.
It also refers to a coordinated set of activities
and methods that an organization puts in
place to manage and control the many risks
that affect the organization's ability to achieve its
objectives.

Risk-based thinking replaces what the earlier version of the standard called
preventive action.
 
Risk-based thinking helps the organization to:
Recognize the best and most relevant input
data.
Understand the benefits of the process.
Recognize risks and their potential impacts
on the organization's attainment of its goals.
Provide information for decision-makers.
 
 
Risk assessment process:
Identify the asset (asset inventory).
Identify the asset owner.
Identify the location of the asset.
Identify the risk.
Identify the vulnerabilities.
Evaluate the asset (calculate the risk).
Make a record of the findings (risk assessment
matrix).
Act on the findings: treat the risk and raise
corrective actions where needed (corrective action
plan).
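The eight steps above carried through on a small, constructed inventory. This is an added example and not code from the original slides: the 1..5 likelihood and impact scales, the likelihood x impact formula, the Low/Medium/High cut-offs, the "Medium" risk appetite and the four sample assets are all assumptions chosen for illustration, since the standard requires a repeatable method but does not prescribe a scoring scheme.

```python
"""Risk assessment walk-through (added example, not from the original slides).

Scales, thresholds, appetite and the sample assets are assumptions made
for illustration; ISO/IEC 27001 does not prescribe a scoring formula.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str            # step 1: asset inventory
    owner: str           # step 2: asset owner
    location: str        # step 3: location of the asset
    classification: str  # Public / Internal / Confidential, as on the slides


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str          # step 4: the risk (threat) to the asset
    vulnerability: str   # step 5: the weakness the threat can exploit
    likelihood: int      # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int          # 1 (negligible) .. 5 (severe), assumed scale

    @property
    def score(self) -> int:
        # step 6: evaluate the asset; likelihood x impact is the assumed formula
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return risk_level(self.score)


def risk_level(score: int) -> str:
    """Map a 1..25 score onto the bands used in the matrix (assumed cut-offs)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def validate(risk: Risk) -> List[str]:
    """Return the problems with an entry; an empty list means it is usable.

    Rejecting out-of-range scores is what keeps the method repeatable:
    two assessors using the same scale must not be able to score 0 or 7.
    """
    problems = []
    for field_name in ("likelihood", "impact"):
        value = getattr(risk, field_name)
        if not 1 <= value <= 5:
            problems.append(f"{field_name} must be 1..5, got {value}")
    if risk.asset.classification not in ("Public", "Internal", "Confidential"):
        problems.append(f"unknown classification {risk.asset.classification!r}")
    return problems


def risk_matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Step 7: record the findings as a likelihood x impact matrix (cell -> asset names)."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.asset.name)
    return cells


def treatment_plan(risks: List[Risk], appetite: str = "Medium") -> List[Risk]:
    """Step 8: risks at or above the appetite, highest score first, for the action plan."""
    rank = {"Low": 0, "Medium": 1, "High": 2}
    candidates = [r for r in risks if rank[r.level] >= rank[appetite]]
    return sorted(candidates, key=lambda r: r.score, reverse=True)


def render_matrix(risks: List[Risk]) -> str:
    """Text view of the matrix: rows = likelihood 5..1, columns = impact 1..5, cell = count."""
    cells = risk_matrix(risks)
    lines = ["L\\I " + " ".join(f"{i:^3}" for i in range(1, 6))]
    for likelihood in range(5, 0, -1):
        counts = [len(cells.get((likelihood, impact), [])) for impact in range(1, 6)]
        lines.append(f"{likelihood:<4}" + " ".join(f"{c:^3}" for c in counts))
    return "\n".join(lines)


# Constructed sample inventory (fictitious names, for illustration only).
ERP = Asset("ERP database", "ICT Director", "Main campus data centre", "Confidential")
LAPTOP = Asset("Staff laptop", "Head of Department", "Town campus offices", "Internal")
EXAMS = Asset("Printed exam papers", "Dean of Examinations", "Faculty printer room", "Confidential")
WEBSITE = Asset("Public website", "Corporate Communications", "Hosted web server", "Public")

SAMPLE_RISKS = [
    Risk(ERP, "Unauthorized modification of grades", "Shared administrator password", 3, 5),
    Risk(LAPTOP, "Loss or theft", "Disk not encrypted, device left unattended", 4, 4),
    Risk(EXAMS, "Accidental disclosure", "No clear desk policy in the printer room", 3, 4),
    Risk(WEBSITE, "Unavailability", "Single server with no uptime monitoring", 2, 2),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        assert not validate(r), validate(r)
        print(f"{r.asset.name:<20} {r.threat:<38} {r.score:>2} {r.level}")
    print(render_matrix(SAMPLE_RISKS))
    print("Corrective action plan (appetite: Medium):")
    for r in treatment_plan(SAMPLE_RISKS):
        print(f"  - {r.asset.name}: fix '{r.vulnerability}' (owner: {r.asset.owner})")
```

The laptop scores highest (4 x 4 = 16) even though the ERP database holds the more sensitive data (3 x 5 = 15), which is the point of scoring rather than ranking by classification alone: the unencrypted, unattended laptop is both the more likely and a severe loss. Only the public website falls below the assumed appetite and needs no entry in the action plan.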
 
 
Risk assessment tools and techniques:
Documentation reviews.
Information gathering techniques.
Brainstorming.
Interviewing.
Excel.
Root cause analysis.
S.W.O.T. analysis (Strengths, Weaknesses,
Opportunities and Threats).
P.E.S.T.E.L. analysis (Political, Economic, Social,
Technological, Environmental and Legal).
Checklist analysis.
 
A risk assessment tool should be:
I. Able to collect data.
II. Able to analyze data.
III. Repeatable.
IV. Supplied with clear instructions for use and analysis.
V. Able to help in the selection of controls.
VI. Able to report results in a clear and accurate
manner.
VII. Installed and configured correctly.
VIII. Compatible with the organization's hardware and
software in use.
 
 
Overview of the ISO/IEC 27001:2013 standard for an information security management system (ISMS). Learn about the importance of protecting information assets, preserving the confidentiality, integrity and availability of information, and the steps to certification. Enhance understanding of the different types of information and media, the information life cycle, and the risk assessment process.

Uploaded on Jul 29, 2024