ISMS – A Look Behind the Scenes of the ISO/IEC 27000 Family
Security Podium, 12 May 2011, Dr. Peter Weiss
Dr. Peter Weiss | 12.5.2011 | Security Podium
Swiss Re - We enable risk-taking that is essential to enterprise and progress
Examples:
• We educate and consult on risks: over 50 risk-related publications during the last 12 months
• We transfer and trade risks: securitisation of earthquake and hurricane risks
• We identify and evaluate risks: climate change identified as emerging risk almost 20 years ago
• We select and take risks: insurance of most industrial risks
Agenda
• ISO/IEC SC 27 Standards Committee
• ISO/IEC 27000 ISMS Family of Standards
• ISMS Certification
Acknowledgment: many thanks to Prof. Edward Humphreys, Convenor of SC27 WG1, for sharing some ideas from his presentation given in Singapore in April 2011
ISO/IEC JTC1 and SNV
• ISO: International Organization for Standardization
• IEC: International Electrotechnical Commission
• ISO/IEC Joint Technical Committee 1, "Information Technology Standards"
  – SC 27 - IT Security Techniques
  – P-Members: 44, O-Members: 17
• SNV: Schweizerische Normen-Vereinigung (Swiss Association for Standardization)
  – INB NK149 – Informationstechnologie, UK 07 - Sicherheitstechniken (Swiss mirror committee to SC 27)
ISO/IEC JTC1 – Standards Development Cycle
Cycle: Draft Standard → Vote & Comments → Workgroup Meeting → Disposition of Comments → revised Draft Standard, repeated until the International Standard is published
Each iteration of the cycle takes about ½ year
Task: resolve all comments in a consensus process
ISO/IEC 27000 Family
• Overview and Development
• Revision of ISO/IEC 27001 and ISO/IEC 27002
ISO/IEC 27000 Family - Overview
Terminology:
• 27000 Overview and Vocabulary
Requirements Standards (general requirements):
• 27001 ISMS Requirements
• 27006 Certification Body Requirements
Guideline Standards (ISMS supporting guidelines):
• 27002 Code of Practice, IS Controls
• TR 27008 Auditing IS Controls
• 27005 IS Risk Management
• 27003 ISMS Implementation Guidance
• 27004 IS Measurements
• 27007 ISMS Audit Guidelines
Guideline Standards (sector-specific guidelines):
• 27011 Telecommunications Organizations
• 27799 Health Organizations
• 27015 Financial Sector
• 27010 Inter-sector communications (Crit. Infra.)
ISO/IEC 27000 Family – Other ISMS related Guidelines
• ISO/IEC 27013 — Guidelines on the integrated implementation of ISO/IEC 20000-1 (IT service management) and ISO/IEC 27001
• ISO/IEC 27014 — Information security governance framework
• ISO/IEC 27016 — Information security economics
ISO/IEC 27000 Family – Schedule
ISO/IEC | Current published version | Current status (April 2011 WG Meeting) | Next version expected *
27000 | 2009 | Revision - definitions update | 2012
27001 | 2005 | Revision | 2013
27002 | 2005 | Revision | 2013
27003 | 2010 | | 
27004 | 2009 | | 
27005 | 2008 | Revision – minor alignment to ISO 31000 | 2011
27006 | 2007 | Revision – alignment to new ISO 17021 | early 2012
27007 | | Final alignment to new ISO 19011 | 2012
27008 | | To be published | 2011
27010 | | FCD | 2012
27011 | 2008 | | 
27013 | | CD | 2012/13
27014 | | CD | 2013?
27015 | | CD | 2013/14?
27016 | | WD (TR) | 2013/14?
* Author's estimation, status April 2011
New and Future Work – Cloud Computing Security
• Joint work between SC27 Workgroups 1 (Requirements, Audit, Governance), 4 (Security technologies) and 5 (Identity management and privacy technologies)
• Study period Oct 2010 – April 2011
• New Work Item Proposal - Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002 (April 2011)
• Extended study period April 2011 – Oct 2011
ISO/IEC 27001 Revision
• ISMS requirements
• ISMS processes to implement the Plan, Do, Check, Act continuous improvement model
• This is a certification standard
• Annex A: catalogue of security controls (matching those in 27002)
• 27002 'should' controls vs. 27001 Annex A 'shall' controls
• 2005 version now under revision - estimated date for the new edition is 2013
• Until the new edition is published the 2005 version is the only legal version
ISO/IEC 27001 Revision – Revision highlights
• Harmonisation and structural alignment with other management system standards
• Improvements in wording, concepts and ideas
• Further alignment with ISO 31000:2009, Risk Management
ISO/IEC 27001 Revision – Harmonised structure
Requirements for harmonisation and structural alignment with other management system standards should become clear by end of 2011:
– Common structure
– Common text
– Common definitions
• ISO/IEC 27001 adopted common structure (SC27 meeting Oct 2010)
• Common text partially adopted, partially modified and other common text still under discussion
• Common definitions under discussion
Harmonisation of management system standards (ISO TMB; SC 27 WG 1) covers, among others: Quality, Environment, Food safety, Information security management, Records Management, Energy, Supply chains, IT services, Business continuity, …
ISO/IEC 27001 Revision – Harmonised structure
Draft High Level Structure MSS:
Introduction
1. Scope
2. Normative References
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
Annex A
ISO/IEC 27001:2005:
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Information security management system
5. Management responsibility
6. Internal ISMS Audits
7. Management review of the ISMS
8. ISMS Improvement
Annex A (normative) Control objectives and controls
ISO/IEC 27002 Revision
• Code of practice for information security management
• Set of ISM control objectives and controls
• Implementation guidance for controls
• This is not a certification standard
• 27002 'should' controls vs. 27001 Annex A 'shall' controls
• The 2005 version is now under revision - estimated date for the new edition is 2013 (earliest)
• Until the new edition is published the 2005 version is the only legal version
ISO/IEC 27002 Revision - Highlights
Revision objectives:
– modernize
– remove outdated controls
– content and terminology
– reduce redundancies
– remove technical detail
– add missing controls
– review in context of entire 27000 family and other ISO Standards
• General style and layout remain
• Some re-structuring of Sections and relocation of controls necessary
Your suggestions are welcome!
ISMS Certification
• Certification
• Accreditation
• Stakeholders and Conflicts
3rd Party ISMS Audits (Certification)
ISMS certification audits are performed to verify the effectiveness of an ISMS in compliance with ISO/IEC 27001:
• to verify the existence of objective evidence of ISMS processes
• to assess how successfully processes have been implemented
• for judging the effectiveness of achieving any defined ISMS target levels, providing evidence concerning reduction and elimination of ISMS problems
• a management tool for achieving continual improvement in an organization
ISMS Certificates Status
• Currently there are 10,000+ ISMS certificates world-wide
• www.iso27001certificates.com shows 7300+ examples of these certifications
  – leading nation is Japan
  – different sectors across countries
  – CH: we have >30 certifications registered on the SAS site (i.e. certificates from Swiss CAs) http://www.seco.admin.ch/sas
ISMS – Certificates: Drivers to get certified
• Competitive advantage
• Meeting/supporting legislative requirements (e.g. SOX 404, SAS/70; HIPAA, Data Protection)
• Reduce third party auditing
• Demonstrate information security management capability and good corporate governance, both to external and internal stakeholders
• Create internal awareness / obtain budget for information security governance program
ISMS vs. COBIT 4 Maturity Levels
Source: © 1996-2007 IT Governance Institute, "COBiT 4.1 Executive Summary – Framework"
0 Non-existent — Complete lack of any recognisable processes. The enterprise has not even recognised that there is an issue to be addressed.
1 Initial/Ad Hoc — There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.
2 Repeatable but Intuitive — Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 Defined Process — Procedures have been standardised and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed and Measurable — Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised — Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
ISMS Accreditation of Certification Bodies
Accreditation body (AB): SAS (Swiss Accreditation System), Bern → accredits → Certification body (CB)
• Accreditation of Certification Bodies is the internationally recognized way to create trust in certification
• EA-1/08 — Multi and Bilateral Agreement Signatories
• AB checks the systems, processes and documentation at the HQ of the CB
• AB witnesses on-site audits carried out by the CB
• Initial assessment by the AB as well as surveillance assessments (every 6-12 months)
• Accreditation lasts for 3 years and then a re-accreditation process takes place
Applicable standards and documents:
• ISO 19011:2002 (& ISO/IEC 27007:2012)
• ISO/IEC 17021:2006 — Requirements for bodies providing audit and certification of management systems
• ISO/IEC 27006:2007 — Requirements for bodies providing audit and certification of information security management systems
• SAS 521.dw
• ISO Committee on conformity assessment (CASCO)
• SAS Sektorkomitee (SAS sector committee)
ISMS Certification
Certification body (CB) → certifies → Organisation's ISMS
• CB checks the systems, processes and documentation of the implemented ISMS at the HQ of the organisation
• CB does on-site audits
• Initial assessment by the CB as well as surveillance audits/assessments (every 6-12 months)
• Certification lasts for 3 years and then a full re-certification process takes place
• Auditing of controls varies across CBs and countries (depending on AB)
Applicable standards:
• ISO 19011:2002 — Guidelines for quality and/or environmental management systems auditing
• (ISO/IEC 27007:2012) — Guidelines for information security management systems auditing
• ISO/IEC 27001:2005 — Information security management systems — Requirements
Links
• ISO: www.iso.org
• SC27: www.jtc1sc27.din.de/en
• SNV: www.snv.ch
• SAS: www.seco.admin.ch/sas
• ISMS Certificates: http://www.iso27001certificates.com
• CH CBs: SQS: www.sqs.ch; KPMG: www.kpmg.ch; SGS: www.ch.sgs.com
• Peter Weiss: peter_weiss (at) swissre.com
ISO/IEC SC27 Workgroup Structure
• WG 1 "Information security management systems" – ISMS standards and guidelines
• WG 2 "Cryptography and security mechanisms" – terminology, general models and standards for IT Security techniques and mechanisms for use in security services (both cryptographic and non-cryptographic techniques and mechanisms)
• WG 3 "Security evaluation criteria" – standards for IT Security evaluation and certification of IT systems, components, and products
• WG 4 "Security controls and services" – standards and guidelines addressing services and applications supporting the implementation of control objectives and controls as defined in ISO/IEC 27002
• WG 5 "Identity management and privacy technologies" – standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data
Legal notice
©2011 Swiss Re. All rights reserved. You are not permitted to create any modifications or derivatives of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re.
Although all the information used was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re or its Group companies be liable for any financial and/or consequential loss relating to this presentation.