ISO 27001 Practical Guide [PDF]


ISO/IEC 27001 implementation – challenges and practical solutions October 2015

About Presenter: Intars Garbovskis, Information Security Lead, Accenture Latvia. Intars leads the Accenture Latvia Security Practice and acts as the Information Security Lead for delivery centers in Latvia, Mauritius, Morocco, France and the Netherlands. He is a Certified Information Systems Auditor and ISO 27001 Lead Auditor with more than 10 years of professional IT consulting, project management, information systems auditing and ISMS implementation experience. Specialties: ISO 27001 implementation, IT governance and project management, IS auditing, business analysis, ISO/IEC 20000, ITIL, COBIT, business continuity/disaster recovery.

Copyright © 2015 Accenture All rights reserved.

Agenda
• ISO/IEC 27001:2013: Information Security Management System
• Key challenges
• Effective solutions and tactics
• Why ISO/IEC 27001:2013?


ISO/IEC 27001:2013: Information Security Management System
The standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The main objective of an ISMS is to preserve the confidentiality, integrity and availability of information. It is applicable to all organizations, regardless of type, size or nature.
Structure of the standard:
• 7 mandatory clauses (clauses 4 to 10).
• 114 controls (Annex A) spread across 14 domains and 35 control objectives.


Key challenges
• Top management commitment and support
• Raise awareness and build a security culture
• Systematically follow the implemented ISMS processes
• Ensure continual improvement of the ISMS

Effective solutions and tactics (1)
• Formally assigned responsibilities and authority
• Continual and natural management example (role model)
• Provide the needed resources (with the required competences!)
• Communication to ALL interested parties
• Management-approved ISMS implementation and maintenance plan
• Clearly defined ISMS scope, objectives and benefits

Effective solutions and tactics (2)

Effective security awareness programs*
• Set a clear goal, define metrics and measure the progress
• Involve the right audience
• Choose the relevant topics and the most effective communication channels
• Plan for long-term culture change

Living ISMS maintenance and improvement plan
• Assign an owner of the ISMS maintenance and improvement plan
• Regular reporting to top management (use a simple dashboard)
• Ensure regular follow-ups with the interested parties so that implemented ISMS processes are followed, identified risks are closed and new risks are identified

Evaluation of ISMS effectiveness
• Define the performance evaluation metrics that will be monitored
• Define when and by whom the metrics will be analysed
• Use the measurement results to evaluate effectiveness and make decisions for continual ISMS improvement

* Source: https://securitycultureframework.net

Why ISO/IEC 27001:2013?
Benefits:
• Holistic, structured and risk-based information security management approach -> improved information security across the whole organisation.
• Demonstrates credibility and trust. Provides customers and stakeholders with confidence that information security is adequately managed.
• Competitive advantage in the market.
• Increased awareness of interested parties. Improved security culture within the organisation.
• Cost savings through a reduction in security incidents.

IT Governance research, ISO 27001 Global Report 2015: drivers based on survey findings

96% feel ISO 27001 plays an important role in improving cyber security defence.
70% reveal improving information security as the biggest driver for implementing ISO 27001.
Implementing an ISMS allows an organisation to define and monitor risk levels internally, thus driving management decisions to balance expenditure against potential business harm. Improving information security across the whole organisation is the single most important benefit. Others include meeting industry requirements to comply with best practice and gaining a competitive advantage.

66% were asked by their clients about their ISO 27001 status in the past 12 months.
Respondents reveal that ISO 27001 is a regular requirement for contracts and tendering for new business.

23% have full-time ISMS managers employed at their company.
This activity is generally delegated to various other roles within the organisation (e.g. IT managers). 44% admit that the person managing their ISMS does not have formal ISO 27001 qualifications.

Source: ISO 27001 Global Report 2015 by IT Governance

IT Governance research, ISO 27001 Global Report 2015: challenges based on survey findings

45% state "obtaining employee buy-in and raising staff awareness" is one of the biggest challenges in implementing ISO 27001.
Engaging staff with the right level of competence and expertise is fundamental to the success and the long-term effectiveness of an ISMS. Increasing information security awareness among non-technical staff is essential: employees are the weakest link.

40% seek external help for certification.
The absence of full-time staff and formal training for ISMS management may contribute to this result. Large organisations with dedicated ISMS staff still benefit from external help and advice, as implementation can be more complex.

20% find it a challenge "convincing the board that information security is a critical business issue".
Reasons behind this challenge include securing a sufficient budget allowance, gaining permission to employ sufficient resources and having leadership agree to complete certification.

Source: ISO 27001 Global Report 2015 by IT Governance

Thank you!


Accenture Security Services
