
ISO 27001 in Easy Terms


ISO 27001 – Information Security Management - in Layman’s terms

Refer to the ISO 27001 document published in 2013: BS ISO/IEC 27001:2013

Don’t bother with anything before “page 1” (at the bottom of the page) – it’s just “warming up”.

“Info Sec” = Information Security

Main clauses

Ref    | Heading                                        | Meaning
-------+------------------------------------------------+-------------------------------------------------------------------
1.1    | General                                        | Ignore
1.2    | Application                                    | Ignore
2      | Normative references                           | Ignore
3      | Terms and definitions                          | Ignore
4.1    | Understanding the organisation                 | List the internal and external Info Sec issues
4.2    | Needs and expectations of interested parties   | List the needs and expectations of interested parties
4.3    | Scope of Info Sec                              | List what's "in" and what's "out"
4.4    | Info Sec management system                     | Need to have a working system
5.1    | Leadership                                     | The bosses need to take this seriously: time and effort
5.2    | Info Sec policy                                | "Grandstand statement" on Info Sec
       |                                                | Must contain certain phrases (listed in the standard)
5.3    | Organisation, roles and responsibilities       | Need a list of "Who does what around here?"
6.1.1  | Risks and opportunities: general               | List the risks and opportunities linked to the issues and interested parties (from 4.1 and 4.2 above)
6.1.2  | Info Sec risk assessment                       | Risk assessment on Info Sec
6.1.3  | Info Sec risk treatment                        | What we do to "control" the risks identified above
       |                                                | The chosen controls need to be checked against Annex A (the Statement of Applicability)
6.2    | Objectives                                     | Info Sec objectives need to be set
       |                                                | Objectives need to be measurable
7.1    | Provision of resources                         | Need sufficient manpower, machinery, materials and money to do the job
7.2    | Training, awareness and competence             | Need a training plan
       |                                                | Every individual needs their own personal training record
7.3    | Awareness                                      | Staff and contractors need to be aware of Info Sec
7.4    | Communication                                  | List the internal and external communications
7.5.1  | Documents: general                             | Info Sec has to be written down
7.5.2  | Creating and updating documents                | Document ID
       |                                                | Document approval
7.5.3  | Document control                               | Documents need to be "safe": protected, stored, version controlled, etc.
8.1    | Operational control                            | Need documented procedures
8.2    | Info Sec risk assessment (in operation)        | Carry out the 6.1.2 risk assessment at planned intervals and keep the results
8.3    | Info Sec risk treatment (in operation)         | Need documented controls: carry out the 6.1.3 treatment plan and keep the results
9.1    | Measuring and monitoring performance           | Need a procedure for measuring performance
9.2    | Internal audit                                 | Written procedure required
       |                                                | Timetable (schedule) required
       |                                                | Trained people required
       |                                                | Records of audits required
9.3    | Management review                              | Minutes are required from the "Directors' Meeting"
       |                                                | Have an agenda for the Directors' Meeting
       |                                                | The minutes need to say who will do what and by when
10.1   | Non-conformances and corrective action         | Non-con: also known as "mistake" or "WTF?"
       |                                                | Written procedure required
       |                                                | Records of mistakes required
       |                                                | Corrective action: what we did to fix the problem
       |                                                | Written procedure required
       |                                                | Records of "how we fixed the problem" required
10.2   | Continual improvement                          | We need to get better (all areas)

Annex A

Ref    | Heading                                        | Meaning
-------+------------------------------------------------+-------------------------------------------------------------------
A.5    | Info Sec policy                                | Repeat of 5.2 above
       |                                                | Policy needs to be reviewed
A.6.1  | Internal organisation                          | Repeat of 5.3 above, with more detail
A.6.2  | Mobile devices and teleworking                 | Need a policy for all mobile and remote access devices
A.7.1  | Prior to employment                            | Need pre-employment screening
       |                                                | Need contracts of employment
A.7.2  | During employment                              | Need Info Sec awareness
       |                                                | Need Info Sec breaches treated as a disciplinary offence
A.7.3  | Changes to (and end of) employment             | Info Sec does not finish when you leave!
A.8.1  | Info Sec assets                                | Need a "List of Assets"
       |                                                | Need an Acceptable Use policy
A.8.2  | Information classification                     | Need to classify information
       |                                                | Need to label it as well
A.8.3  | Media handling                                 | Need procedures for handling and disposal of media and hardware
A.9.1  | Access control: business requirements          | Need a policy on access (including network access)
A.9.2  | User access management                         | Need a procedure for registering / deregistering users
       |                                                | Passwords, usernames and permissions
       |                                                | Need to review privileges
A.9.3  | User responsibilities                          | Keep secret authentication information secret (your mother's dog's favourite colour)
A.9.4  | Access control: systems and applications       | Logging on, passwords, changing passwords
A.10.1 | Cryptographic controls                         | Use of encryption and management of encryption keys
A.11.1 | Physical security (secure areas)               | Perimeter, building access, secure rooms, delivery areas
A.11.2 | Equipment                                      | Location, services, cabling, maintenance, unattended equipment
       |                                                | "Clear desk policy"
A.12.1 | Operations                                     | Procedures need to be documented
       |                                                | Change management
       |                                                | Capacity management
A.12.2 | Malware                                        | Anti-virus
A.12.3 | Backup                                         | Do backups and test them
A.12.4 | Logging and monitoring                         | Protect user event logs (from alteration)
       |                                                | Protect administrators' event logs (from alteration)
       |                                                | Clock synchronisation
A.12.5 | Operational software                           | Procedure for installing software
A.12.6 | Technical vulnerability management             | Procedures for software updates
A.12.7 | Audit considerations                           | Don't interfere with operations
A.13.1 | Network security                               | Service level agreements
       |                                                | Segregation of networks
A.13.2 | Information transfer                           | Formal agreements on support calls, formal reports
       |                                                | Non-disclosure agreements
       |                                                | Applies to all external organisations
A.14.1 | Security requirements (incl. public networks)  | Info Sec when using public networks
A.14.2 | Development and support                        | Applies to software development
       |                                                | Applies to support services
       |                                                | Changes need to be controlled, reviewed, tested and accepted
A.14.3 | Test data                                      | Keep it safe
A.15.1 | Suppliers                                      | Non-disclosure agreements and service level agreements need to include Info Sec
A.15.2 | Managing suppliers                             | Monitor suppliers' performance
       |                                                | Changes to services need to be managed
A.16.1 | Info Sec incidents                             | Same as 10.1 above, applied to security incidents: procedure, records, and what we did to fix it
A.17.1 | Business continuity                            | Need a business continuity plan / disaster recovery plan
       |                                                | It needs to be tested (parts of it)
A.17.2 | Redundancies                                   | Need spare capacity
A.18.1 | Legal compliance                               | Need a procedure for keeping up to date with legislation
       |                                                | Need to be aware of our contractual obligations with customers
       |                                                | Need to be aware of intellectual property / licensing obligations
A.18.2 | Info Sec reviews                               | Need to review Info Sec from time to time

Don't bother with anything after "page 22" (at the bottom of the page); it's just "cooling down".

Standards Plus Limited, Laurel House, 95 Hob Hey Lane, Culcheth, Warrington WA3 4NS. t 01925 765 050 e [email protected] w standardsplus.co.uk