
#113 – Building an ISMS

based on ISO/IEC 27001


Peter R. Bitterli, CISA
http://www.bitterli-consulting.ch
[email protected]
“I will work in concert with my peers.”

Please observe the copyright: You are allowed to use and further distribute this presentation only with this copyright notice attached. If you use parts of this documentation in presentations or other diagrams you have to refer to the source. Any commercial use of this presentation is only allowed with written consent of the author.

© 19.3.2007
Abstract
Building an ISMS based on ISO/IEC 27001 & ISO/IEC 17799

Almost every IT security professional has heard or read about BS7799-2 and/or ISO 17799. Many have used ISO 17799 to their advantage for designing, implementing or even auditing information security; some have used it for writing security policies and others for performing risk analysis. BS7799-2 (now ISO 27001), however, is less known and its contents are often misunderstood. ISO 27001 clearly defines what an Information Security Management System (ISMS) should look like, and in doing so describes the major security management processes any company should have in place. This session explains the differences between the “twin standards” ISO 27001 and ISO 17799, concentrating mostly on the ISMS. It clearly shows how existing security organizations and security management processes fit into such an ISMS and what steps your company should take if you want to professionalize your information security management up to the point where you could get certified. The session also shows many pitfalls that companies might fall into, based on the speaker’s experience both in his capacity as an official expert supervising the accredited certification bodies and as an IT auditor and security consultant.

© Peter R. Bitterli, Slide 2


Learning Objectives
The participants will learn about …

1. what an effective ISMS according to ISO/IEC 27001 is and what mandatory elements it consists of
2. what the main differences are between the “twin standards” ISO/IEC 27001 and ISO/IEC 17799
3. how to improve the existing security processes to a certifiable ISMS
4. why this makes sense even if your company doesn’t want to become ISO/IEC 27001 certified
5. main lessons the speaker learned by looking at certified and uncertified ISMS of several companies

© Peter R. Bitterli, Slide 3


Content
Overview

- Typical unresolved security problems
- From CoP to BS7799-2 to ISO17799/27001
- Introduction to
  - ISO/IEC 27001 (elements of an ISMS)
  - ISO/IEC 17799 (the controls)
- Certification based on ISO/IEC 27001
- Step by step approach to change your ISMS
- Major benefits of improving your ISMS
- Pitfalls to avoid

© Peter R. Bitterli, Slide 4


Introduction
Part 1

Typical unresolved information security problems, i.e. ISMS weaknesses

© Peter R. Bitterli, Slide 5


Typical ISMS Weaknesses

- Problematic areas
  - Parallel internal control systems
  - Ineffective security organization
  - Contradictory directives & policies
  - Outsourcing out of control
  - Ineffective IT risk management
  - Inadequate awareness
  - Poor physical security
  - Unresolved business continuity issues

© Peter R. Bitterli, Slide 6


Parallel Control Systems
Ineffective systems of internal control

- Many, partially parallel systems of internal controls:
  - Traditional system of internal controls
  - Security
  - Legal / Compliance
  - Data Protection
  - Operational Risk Management
  - Quality Assurance
  - Safety
  - …
- Leads to:
  - Obvious and hidden inconsistencies
  - Inefficient processes
  - Members of staff
    - are weary of controls
    - will circumvent controls
    - might commit passive or active sabotage of ICS
  - Flood of policies
  - …

© Peter R. Bitterli, Slide 7
Security Organizations
Cemented structures with high frictional loss

- Many independent parties maintain that they are “the only one” to take care of security:
  - Physical Security
  - IT Security
  - Data Protection
  - Product Security (Validation)
  - Unfavorable reporting lines
  - Individual kingdoms
  - …
- Leads to unclear responsibilities, authorities and accountabilities:
  - Ambiguous responsibilities (> security gaps)
  - Overlapping authorities (> inconsistencies, > gaps)
  - Tasks might not be fulfilled (> gaps)
  - Wastages (> no efficiency)
  - Trouble with staff
  - …

© Peter R. Bitterli, Slide 8
Directives and Policies
Conflicting directives and wrong use of them

- Historically grown directives & policies:
  - Not up to date
  - Poor/contradictory definitions
  - Unclear verbalizations
  - Too much or too little is regulated
  - Not known to members of staff
  - “Americanization” of management’s behaviour
- Leads to:
  - Flood of policies or very selective policies
  - Employee deviance:
    - Impossible to comply
    - Might negate or circumvent existing policies on purpose
    - Might commit passive or active sabotage
  - Disengagement of management’s expectations from reality
  - …

© Peter R. Bitterli, Slide 9


Outsourcing (Multi-Sourcing)
Unjustifiable trust and critical dependencies

- (Still) increasing outsourcing
  - Network provider
  - ERP packages
  - Housing/operating provider
  - “Office” provider
  - …
- Blind trust in outsourcing partner
  - No provider audits
  - Reliance on certifications and attestations
  - Use of too small companies
- Leads to:
  - Absolute dependency on
  - Governance problems
    - Strategic alignment
    - Efficiency
  - Compliance problems
  - …

© Peter R. Bitterli, Slide 10


IT Risk Management
ORM will not diminish need for IT risk management

- Operational risk management (ORM) often far from reality:
  - too superficial
  - too detailed
  - too theoretical
  - too inflexible approach (must follow software)
  - …
- No link between ORM and IT risk management
- No IT risk management
- Leads to:
  - Incomplete risk landscapes
  - Unrecognized risks with high severity
  - Ineffective risk management, e.g. in the area of IT security
  - …

© Peter R. Bitterli, Slide 11


Security Awareness
Missing security awareness increases risks

- No, superficial or discontinuous security awareness measures
- Management attitude that (additional) awareness training is not necessary
- Management itself is the biggest problem!
- Leads to:
  - Little understanding for directives
  - Every employee individually decides how secure he/she wants to be
  - Careless treatment of critical information and systems
  - Inadequate support and budget for security
  - …

© Peter R. Bitterli, Slide 12


Physical Security
Even data centres and banks are not always really secure

- Unclear perimeter
  - Clients, meeting zones, internal offices
- Risks in the neighborhood
  - restaurants, subterranean parking, …
- Cumulation of risks
  - “all eggs in one basket”
- Non-compliance to safety regulations
- Leads to:
  - Access of unauthorized persons to inner offices
  - Leads to a wrong impression of visiting VIPs
  - Threat to health and lives
  - Possible loss of complete site
  - …

© Peter R. Bitterli, Slide 13


Business Continuity
Insufficient and not proven measures

- Critical business processes are not known
- No SLAs
  - for normal operations
  - for emergencies
- No willingness of management for
  - analysis
  - documentation
  - and reduction
  of processes
- Leads to:
  - Missing awareness on management level
  - Fragmentary emergency plan
  - Untested sub plans
  - Ineffective measures
  - Erratic updating of plans
  - …

© Peter R. Bitterli, Slide 14


Typical IT Risk Landscape
(Typical “generic” risks of a mid-sized company)

Figure: risk matrix with probability (p) on the vertical axis and damage potential (A) on the horizontal axis. Probability rows, top to bottom: E daily (every day), D frequently (every 10 days), C likely (every 100 days), B unlikely (every 1000 days), A very unlikely (every 10.000 days). Damage potential columns: 1 low, 2 medium, 3 high, 4 very high, 5 critical. Each plotted number is the number of a risk from the list below. Risks plotted per probability row: D: 8, 12, 14; C: 1, 3, 4, 5, 9, 10, 13; B: 2, 6, 7, 11; A: 15, 16.

Risks:
1 Half-day power loss
2 Failure of outsourcing provider
3 Loss of confidentiality of customer data
4 Malicious code
5 Access management
6 Telebanking (Phishing)
7 Patch management
8 Non-compliance with rules
9 Network interrupt
10 Infringements
11 Loss of key personnel
12 Password handling
13 Application of new technologies
14 Application dependent controls
15 Unsuited BCM/BCP
16 Internal sabotage

© Peter R. Bitterli, Slide 15


What is the Solution?

- Build an information security management system (ISMS) with:
  - security management processes according to ISO/IEC 27001
  - security measures (i.e. controls) based on ISO/IEC 17799
- Maybe: have it certified

© Peter R. Bitterli, Slide 16


Evolution of Standards
Part 2

History of the “Code of Practice for Information Security Management” and overview of the ISO/IEC 27000 Standards Family

© Peter R. Bitterli, Slide 17


Evolution of Code of Practice
(Code of Practice for Information Security Management)

Figure: timeline of the standards.
- Origins: SRI International (Survey of Industry Best Practices; Baseline Controls) and Shell (Best Practices; Baseline Security Controls)
- Best Practices of BT, Marks & Spencer, Midland, BOC, Nationwide & Unilever, leading to the DTI Code of Practice
- 1995: British Standard BS7799-1: 1995
- 1998: British Standard BS7799-2: 1998
- 1999: British Standard BS7799-1: 1999; British Standard BS7799-2: 1999
- 12.2000: ISO Standard ISO 17799: 2000
- 9.2002: British Standard BS7799-2: 2002
- 6.2005: ISO Standard ISO 17799: 2005
- 2005: British Standard BS7799-2: 2005
- 10.2005: ISO Standard ISO 27001
- ???: ISO Standard ISO 27002

© Peter R. Bitterli, Slide 18


ISO/IEC 27000 Family
Building an Information Security Management System

Figure (standards marked as published or to be published):
- Terminology: 27000 Overview & Vocabulary (to be published)
- Requirements: 27001 ISMS Requirements (published); 27006 Accreditation Requirements
- Support (PDCA): 27002 Code of Practice; 27003 Implementation Guidance; 27004 ISM Measurements; 27005 Risk Management Guidelines; 27007 ISMS Audit (?)
- Guideline / control implementation: 13335-x ICT Security Management (-3, -4, -5); 18028-x Network Security (-1, -2, -3, -4, -5); 18043 IDS; 15947 IDS Framework; 18044 Incident Management; and others ...

Source: Peter Weiss, Zurich

© Peter R. Bitterli, Slide 19
Major contents of an ISMS
Part 3

Brief explanation of ISO/IEC 27001

© Peter R. Bitterli, Slide 21


Scope
Building an effective Information Security Management System

- ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks.
- It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

Source: ISO/IEC 27001 Chapter 1 Scope
© Peter R. Bitterli, Slide 22
Contents
ISO/IEC 27001 (formerly known as BS7799-2)

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Information Security Management System
5 Management responsibility
6 Internal ISMS audits
7 Management review of the ISMS
8 ISMS improvement
Annexes

© Peter R. Bitterli, Slide 23
ISMS – PDCA Model
Building an effective Information Security Management System

Figure: the PDCA cycle of the ISMS.
- PLAN: Establish the ISMS
- DO: Implement and operate the ISMS
- CHECK: Monitor and review the ISMS
- ACT: Maintain and improve the ISMS

© Peter R. Bitterli, Slide 24 Source: Peter Weiss, Zurich
Establish the ISMS
Building an effective Information Security Management System

PLAN phase (Establish the ISMS); the figure groups the risk-related activities under “Risk management”:
- Define ISMS scope & policy
- Carry out risk assessment
- Decide on risk treatment
- Select controls (from 17799)
- Accept residual risks

© Peter R. Bitterli, Slide 25 Source: Peter Weiss, Zurich
Implement and Operate ISMS
Building an effective Information Security Management System

DO phase (Implement and operate the ISMS); the figure groups the risk-related activities under “Risk management”:
- Formulate & implement risk treatment plan
- Implement controls
- Implement training/awareness
- Define effectiveness measurement of controls
- Manage operations & resources of the ISMS

© Peter R. Bitterli, Slide 26 Source: Peter Weiss, Zurich
Monitor and Review ISMS
Building an effective Information Security Management System

CHECK phase (Monitor and review the ISMS); the figure groups the risk-related activities under “Risk management”:
- Execute monitoring procedures
- Regularly review effectiveness of ISMS
- Measure effectiveness of controls
- Review risk assessments
- Conduct internal ISMS audits and management reviews
- Update security plan

© Peter R. Bitterli, Slide 27 Source: Peter Weiss, Zurich
Maintain and Improve ISMS
Building an effective Information Security Management System

ACT phase (Maintain and improve the ISMS):
- Implement improvements
- Take corrective and preventive actions
- Communicate results
- Ensure improvements achieve objectives

© Peter R. Bitterli, Slide 28 Source: Peter Weiss, Zurich
Security Controls
Part 4

Brief explanation of ISO/IEC 17799 (will become ISO/IEC 27002)

© Peter R. Bitterli, Slide 29


Contents
ISO/IEC 17799 (soon to become ISO/IEC 27002)

The chapters are grouped into general information (chapters 1 to 4), organizational issues and technical issues (chapters 5 to 15):

1 Scope
2 Terms and definitions
3 Structure of standards
4 Assessment and treatment of risks
5 Security policy
6 Organisation of information security
7 Asset management
8 Human resource security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance

© Peter R. Bitterli, Slide 30
Security Policy
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Term “information security”
- Definition of objectives
- Enterprise-specific security requirements
- Responsibilities
- Regular updates

Figure (document hierarchy, top to bottom): Policy; Security concept (Baseline protection); Guidelines

© Peter R. Bitterli, Slide 31


Organisation of Security
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Security organisation
  - Security committee
  - Coordination of all security concerns
  - Responsibilities
  - Approval of IT installations
  - Specialist know-how
  - Third party cooperation
  - Independent security assessment
- Security in third party companies
  - Identification of risks
  - Security on the customer’s site
  - Security requirements in contracts

© Peter R. Bitterli, Slide 32


Management of Inf. Assets
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Responsibilities
  - Inventory
  - Assignment to “owners”
  - Acceptable use policy
- Classification
  - Classification policy
  - Labelling and handling

© Peter R. Bitterli, Slide 33


Human Resources Security
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Prior to employment
  - Roles and responsibilities
  - Background checks
  - Terms and conditions of employment
- During employment
  - Management responsibilities
  - Awareness education and training
  - Disciplinary process
- Change/termination of employment
  - Termination responsibilities
  - Return of assets
  - Removal of access rights

© Peter R. Bitterli, Slide 34


Physical/Environmental Security
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Secure areas
  - Security perimeter
  - Entry controls
  - Securing offices, rooms and facilities
  - Protection against external and environmental threats
  - Working in secure areas
  - Delivery and loading areas
- Equipment security
  - Site
  - Power supply
  - Cabling
  - Maintenance
  - Off-premises usage
  - Disposal
  - Removal of property

© Peter R. Bitterli, Slide 35


Communication and Operations
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Operating procedures and responsibilities
- Third-party services
- Planning and acceptance of systems
- Protection against malicious code
- Backup
- Network security management
- Media handling
- Exchange of information and software
- E-commerce services
- Monitoring

© Peter R. Bitterli, Slide 36


Access Control
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Business requirements for access control
- Administration of access rights
- User responsibilities
- Network access control
- Operating system access control
- Application access control
- Mobile computing / teleworking

© Peter R. Bitterli, Slide 37


Systems Acquisition, Development and Maintenance
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Definition of security requirements
- Correct processing in applications
  - Input, processing, authentication, output
- Cryptographic controls
  - Concept
  - Encryption
- Security of system files
- Security in development and support processes
- Technical vulnerability management

© Peter R. Bitterli, Slide 38


Incident Management
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Reporting information security incidents and weaknesses
- Management of information security incidents and improvements

© Peter R. Bitterli, Slide 39


Business Continuity
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Information security aspects in BCM
- Business continuity and risk management
- Development and implementation of business continuity plans
- Planning framework
- Testing, maintaining and reassessing business continuity plans

© Peter R. Bitterli, Slide 40


Compliance
ISO/IEC 17799 (soon to become ISO/IEC 27002)

- Compliance with legal requirements
  - Applicable law
  - Intellectual property rights
  - Records
  - Data protection / privacy
  - Prevention of misuse
  - Regulation of cryptographic controls
- Compliance with policies and standards
  - Policies
  - Compliance with technical standards
- Systems audit
  - Audit procedure
  - Protection of tools

© Peter R. Bitterli, Slide 41


Grouping of Main Chapters
ISO/IEC 17799 (soon to become ISO/IEC 27002)

Figure: the main chapters arranged from organizational issues (top) to technical issues (bottom):
- 5. Security policy
- 6. Organization of information security
- 7. Asset management; 11. Access control
- 15. Compliance; 13. Information security incident management
- 8. Human resources security; 9. Physical and environmental security
- 10. Communications and operations management; 12. Systems acquisition, development and maintenance; 14. Business continuity management

© Peter R. Bitterli, Slide 42 based on: Callio


Accreditation & Certification
Part 5

Brief explanation of accreditation and certification processes based on ISO/IEC 27001 and ISO/IEC 27006 (draft)

© Peter R. Bitterli, Slide 43


Terms (I)
Used in the context of accreditation & certification

- Compliance
  - is a self-assessment carried out by the organization in order to verify whether a system that has been implemented complies with a standard.
- Certification (Registration)
  - is conferred by an accredited certification body when an organization successfully completes an independent audit, thus certifying that the management system meets the requirements of a specific standard, e.g. ISO/IEC 27001.

© Peter R. Bitterli, Slide 44

Terms (II)
Used in the context of accreditation & certification

- Remark
  - A company may comply with ISO/IEC 17799, but certification is only possible with ISO/IEC 27001.
- Accreditation
  - consists of the means by which an authorized organization (the accreditation body) officially recognizes the authority of a certification body to evaluate, certify and register an organization’s ISMS with regard to published standards.

© Peter R. Bitterli, Slide 45


Overview over Terms
Accreditation and certification

Figure: accreditation bodies (AB) accredit certification bodies (CB); each certification body certifies companies (certified company).
- Accreditation bodies: http://www.european-accreditation.org, www.iaf.nu
- Certification bodies: http://www.xisec.com

© Peter R. Bitterli, Slide 46


Scoping
Only the “area” within the defined scope will be certified

Source: www.ceem.com
© Peter R. Bitterli, Slide 47
Certificates
Examples

- ISO 9001
- ISO 14001
- ISO 27001 (originally: BS 7799-2 ISMS)
- BS 15000 / ISO 20000
- …

BSI: British Standard Institute
ISO: International Organization for Standardization
IEC: International Electrotechnical Organization
ISO/IEC JTC1: Joint Technical Committee

© Peter R. Bitterli, Slide 48


Current Certifications in Switzerland (CH)

Source: www.iso27001certificates.com
Download on 2.2.2007

© Peter R. Bitterli, Slide 49


Certification Audit (I)
Audit process of accredited certifier

Stage 1:
- Review of ISMS documentation
  - Scope
  - ISMS Policy
  - Risk report
  - Risk treatment
  - Statement of Applicability
  - Core elements of ISMS

Stage 2:
- Visit to the company
- Review of compliance
  - Security policies
  - Security objectives
  - Procedures
  - ISMS
    - conforms to ISO27001
    - achieves security objectives (as in ISO17799)

© Peter R. Bitterli, Slide 50


Certification Audit (II)
Audit process of accredited certifier

- Results of stage 2
  - Nonconformities
    - major
    - minor
  - Observations
- Report
  - Audit team reports to CB
  - Company comments and specifies improvements
  - CB confirms corrections

© Peter R. Bitterli, Slide 51


Surveillance Audit
… of certification body (CB)

- Periodic
- Often enough
- Non-conformities must be corrected within agreed time span
- If not: reduction, suspension or recall of certification

© Peter R. Bitterli, Slide 52


Internal Audit
Internal ISMS audit by the certified company itself

- In planned intervals
- Review whether the ISMS …
  - complies with ISO 27001 requirements
  - complies with relevant laws and regulations
  - has been implemented in an effective way
  - is being maintained
  - does what is expected

© Peter R. Bitterli, Slide 53


Re-Certification
Re-assessment by the original certification body (CB)

- Normally every three years
- Purpose: to verify the continuing compliance with ISO27001 requirements
- In general this comprises:
  - Verification that the approved ISMS is still implemented
  - Review of all changes to the ISMS
  - Confirmation of compliance with ISO 27001, ISO17799
  - Internal maintenance (audit, security review, management review, preventive/corrective actions)

© Peter R. Bitterli, Slide 54
Accreditation of CB
The auditor is audited too

Figure: the accreditation body (AB) accredits the certification body (CB), which certifies the certified company.

Requirements:
- ISO Guide 62 (and EN 45012): general requirements/criteria for accreditation; applicable for ISO 9001, ISO 14001, BS7799-2
- EA 7/03 states Guide 62 more precisely in relation to ISMS audits (will become ISO27006)
- ISO 19001: Criteria for auditors’ competence
- …

© Peter R. Bitterli, Slide 55
Implementing an ISMS
Part 6

Step by step approach to change your existing non-formal ISMS to an ISO/IEC 27001-like ISMS that could be formally certified

© Peter R. Bitterli, Slide 57


Our ISMS Approach
In 30 steps twice around the PDCA circle to gain momentum

Figure: phase I and phase II each run once around the PDCA circle.
- PLAN: Establish the ISMS (phase I / phase II)
- DO: Implement and operate the ISMS (phase I / phase II)
- CHECK: Monitor and review the ISMS (phase I / phase II)
- ACT: Maintain and improve the ISMS (phase I / phase II)

© Peter R. Bitterli, Slide 58 Source: Peter Weiss, Zurich
Goal of an ISMS

- An Information Security Management System is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

© Peter R. Bitterli, Slide 59 Source: ISO/IEC 27001 Chapter 1 Scope


Establish the ISMS
Building an effective Information Security Management System

PLAN phase (Establish the ISMS); the figure groups the risk-related activities under “Risk management”:
- Define ISMS scope & policy
- Carry out risk assessment
- Decide on risk treatment
- Select controls (from 17799)
- Accept residual risks

© Peter R. Bitterli, Slide 60 Source: Peter Weiss, Zurich
Define the Scope
“Easy” steps to implement an ISMS: Step 1 (PLAN: Establish the ISMS)

- Even if you don’t aim for certification, you should define the scope of your ISMS. Start slowly and enlarge your scope as you progress in maturity, e.g. start with:
  - IT
  - headquarters
  - those departments with high business risks
  - highly regulated areas of your company
- But first: define responsibilities, authorities & accountabilities

© Peter R. Bitterli, Slide 61
Define High-level Policy
“Easy” steps to implement an ISMS: Step 2 (PLAN: Establish the ISMS)

- Define an overall ISMS policy that …
  - includes a framework for setting objectives and establishes an overall sense of direction and principles for information security
  - takes into account business and legal or regulatory requirements and contractual security obligations
  - aligns with the organization’s strategic risk management
  - has been approved by management

© Peter R. Bitterli, Slide 62 Source: ISO/IEC 27001 Chapter 4.2.1 Establish the ISMS
Define Areas of Applicability
“Easy” steps to implement an ISMS: Step 3 (PLAN: Establish the ISMS)

- Not all 133 controls need to be implemented, as they are not all relevant and applicable
- Therefore: put together a list of those controls …
  - that cover:
    - legal and regulatory requirements
    - contractual obligations
    - organization’s business requirements
  - or are necessary because of the risk assessment and risk treatment process (steps 4a – 4c)

© Peter R. Bitterli, Slide 63


Maturity & Risk Assessment
“Easy” steps to implement an ISMS: Step 4a (PLAN: Establish the ISMS)

- Perform a controls self assessment (CSA) in combination with a “quick & dirty” risk assessment:
  - Go through all of the 133 controls
  - Rate the “maturity level” of these controls
  - Rate the severity if an incident that is (should be) covered by the respective control would happen

Remark: The purpose of the shown “quick & dirty” risk assessment approach is to get the whole ISMS improvement process going. It must later be replaced by a formally defined risk assessment and risk treatment plan as mentioned in step 20 of the shown approach.

© Peter R. Bitterli, Slide 64


Example of CSA
“Easy” steps to implement an ISMS: Step 4b (PLAN: Establish the ISMS)

Figure: radar chart with one axis per ISO/IEC 17799 control objective (5.1, 6.1, 6.2, 7.1, 7.2, 8.1, 8.2, 8.3, 9.1, 9.2, 10.1 to 10.10, 11.1 to 11.7, 12.1 to 12.6, 13.1, 13.2, 14.1, 15.1, 15.2, 15.3) on a maturity scale from 0 to 4. Legend: current maturity level (green area); room for improvement; maturity level aimed at (3); maximum maturity level (4).

© Peter R. Bitterli, Slide 65


CSA Combined with Severity
“Easy” steps to implement an ISMS: Step 4c (PLAN: Establish the ISMS)

Figure: the rated controls are plotted with severity on the vertical axis, giving four quadrants:
- I: Urgent need for improvement!
- II: Areas where controls are necessary but effective
- IV: Possible savings
- III: Low priority

Comment: Shown ratings are for demonstration purposes only

© Peter R. Bitterli, Slide 66
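As an added example (not from the presentation), the following Python sketch implements the “quick & dirty” assessment of steps 4a to 4c and the indirect effectiveness check of step 6: every control gets a maturity level (0 to 4, target 3) and a severity rating, is placed in one of the four quadrants, and the quadrant I work list is re-measured after treatment. The severity threshold, the mapping of quadrants to the two axes and all ratings are assumptions constructed for illustration; the control objective numbers follow ISO/IEC 17799:2005.

```python
"""Quick & dirty CSA + severity prioritisation (steps 4a-4c) and re-measurement (step 6).

Assumptions not taken from the slides: HIGH_SEVERITY as the boundary between the
upper and lower quadrants, the quadrant/axis mapping, and all sample ratings.
"""
from dataclasses import dataclass
from enum import Enum

TARGET_MATURITY = 3   # "maturity level aimed at (3)" on the step 4b radar chart
MAX_MATURITY = 4      # "maximum maturity level (4)"
HIGH_SEVERITY = 3     # assumed: severity >= 3 lands a control in the upper quadrants


class Quadrant(Enum):
    I = "Urgent need for improvement"          # high severity, below target maturity
    II = "Controls necessary but effective"    # high severity, at/above target maturity
    III = "Low priority"                       # low severity, below target maturity
    IV = "Possible savings"                    # low severity, at/above target maturity


@dataclass(frozen=True)
class ControlRating:
    control: str    # ISO/IEC 17799 control objective number, e.g. "10.4"
    maturity: int   # 0..MAX_MATURITY, rated in the CSA (step 4b)
    severity: int   # 1..5, severity if an incident the control should cover happened (step 4c)

    def __post_init__(self):
        if not 0 <= self.maturity <= MAX_MATURITY:
            raise ValueError(f"{self.control}: maturity {self.maturity} outside 0..{MAX_MATURITY}")
        if not 1 <= self.severity <= 5:
            raise ValueError(f"{self.control}: severity {self.severity} outside 1..5")


def quadrant(rating: ControlRating) -> Quadrant:
    """Place one control on the severity/maturity grid of step 4c."""
    high = rating.severity >= HIGH_SEVERITY
    mature = rating.maturity >= TARGET_MATURITY
    if high:
        return Quadrant.II if mature else Quadrant.I
    return Quadrant.IV if mature else Quadrant.III


def maturity_gap(rating: ControlRating) -> int:
    """Room for improvement up to the target level (never negative)."""
    return max(0, TARGET_MATURITY - rating.maturity)


def urgent_controls(ratings):
    """Quadrant I controls, most severe and least mature first: the step 6 work list."""
    urgent = [r for r in ratings if quadrant(r) is Quadrant.I]
    ordered = sorted(urgent, key=lambda r: (-r.severity, -maturity_gap(r), r.control))
    return [r.control for r in ordered]


def remeasure(before, after):
    """Step 6: rate effectiveness indirectly by re-measuring the maturity level.

    Returns {control: (old maturity, new maturity, still in quadrant I)} for every
    control that was urgent in the first assessment; controls not re-rated keep
    their old rating.
    """
    after_by_id = {r.control: r for r in after}
    result = {}
    for r in before:
        if quadrant(r) is not Quadrant.I:
            continue
        new = after_by_id.get(r.control, r)
        result[r.control] = (r.maturity, new.maturity, quadrant(new) is Quadrant.I)
    return result


# Constructed sample ratings for a first CSA (not real assessment data).
FIRST_CSA = [
    ControlRating("5.1", maturity=3, severity=4),    # information security policy
    ControlRating("10.4", maturity=1, severity=5),   # protection against malicious code
    ControlRating("11.2", maturity=2, severity=4),   # user access management
    ControlRating("10.7", maturity=1, severity=2),   # media handling
    ControlRating("9.2", maturity=4, severity=2),    # equipment security
    ControlRating("13.1", maturity=0, severity=3),   # reporting incidents and weaknesses
]

# Constructed re-measurement after implementing the quadrant I controls per ISO/IEC 17799.
SECOND_CSA = [
    ControlRating("10.4", maturity=3, severity=5),
    ControlRating("11.2", maturity=3, severity=4),
    ControlRating("13.1", maturity=2, severity=3),
]

if __name__ == "__main__":
    for r in FIRST_CSA:
        q = quadrant(r)
        print(f"{r.control:>5}  maturity {r.maturity}  severity {r.severity}  -> {q.name}: {q.value}")
    print("step 6 work list:", urgent_controls(FIRST_CSA))
    print("re-measured:", remeasure(FIRST_CSA, SECOND_CSA))
```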
Conformity Requirements
“Easy” steps to implement an ISMS: Step 5 (PLAN: Establish the ISMS)

- Check whether the exclusion of certain controls is acceptable (obtain management approval of residual risk).
- Comment: For certification, the exclusion of certain controls is only acceptable if these exclusions do not affect the organization’s ability and/or responsibility to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

Source: ISO/IEC 27001 Chapter 1 Scope

© Peter R. Bitterli, Slide 67
Implement and Operate ISMS
Building an effective Information Security Management System

DO phase (Implement and operate the ISMS); the figure groups the risk-related activities under “Risk management”:
- Formulate & implement risk treatment plan
- Implement controls
- Implement training/awareness
- Define effectiveness measurement of controls
- Manage operations & resources of the ISMS

© Peter R. Bitterli, Slide 68 Source: Peter Weiss, Zurich
Implement Risk Treatment
“Easy” steps to implement an ISMS: Step 6 (DO: Implement and operate the ISMS)

- Instead of the required detailed risk treatment plan, start with the following pragmatic approach:
  - For all controls identified in step 4c as “Urgent need for improvement” (quadrant I), implement the respective controls as shown in ISO/IEC 17799 (i.e. as good/best practices)
  - Rate the effectiveness of these controls indirectly by re-measuring the “maturity level”

© Peter R. Bitterli, Slide 69


Improve Security Awareness
“Easy” steps to implement an ISMS: Step 7 (DO: Implement and operate the ISMS)

- Start marketing security primarily towards (senior) management
  - Show radar chart of step 4b
  - Show severity assessment of step 4c
  - Start asking about personal nightmares
  - Show management typical situations such as those mentioned in the introduction

© Peter R. Bitterli, Slide 70


Security Resources
“Easy” steps to implement an ISMS: Step 8 (DO: Implement and operate the ISMS)

- Identify current resources for information security
  - Security officers, security engineers (list part-timers separately)
- Collect the same information from your peers
- Start asking for more resources, arguing with:
  - Increasing legal/regulatory requirements
  - Recent incidents from own organization
  - Incidents in headlines
  - Comparisons with peers

© Peter R. Bitterli, Slide 71


Monitor and Review ISMS
Building an effective Information Security Management System

CHECK phase (Monitor and review the ISMS); the figure groups the risk-related activities under “Risk management”:
- Execute monitoring procedures
- Regularly review effectiveness of ISMS
- Measure effectiveness of controls
- Review risk assessments
- Conduct internal ISMS audits and management reviews
- Update security plan

© Peter R. Bitterli, Slide 72 Source: Peter Weiss, Zurich
Identify Security Incidents
“Easy” steps to implement an ISMS: Step 9 (CHECK: Monitor and review the ISMS)

- Start collecting information on …
  - attempted and successful breaches of security
  - any other security incidents
  - current threat situation (i.e. viruses, spam, …)
- Start a “security round table” with representatives from …
  - Operations
  - Help Desk / 2nd Level Support
  - Security
  - (IT) Risk Management

© Peter R. Bitterli, Slide 73
Security Reviews
“Easy” steps to implement an ISMS: Step 10 (CHECK: Monitor and review the ISMS)

- Start with first reviews of the effectiveness of (selected parts of) the ISMS, e.g.
  - where incidents occurred
  - where audit reports showed deficiencies
  - where incidents could have a high severity (quadrant I in step 4c)
  - where your personal experience points to possible room for improvement (professional judgement)
  - …

© Peter R. Bitterli, Slide 74


Security Plans
“Easy” steps to implement an ISMS: Step 11 (CHECK: Monitor and review the ISMS)

- Formulate concrete security plans (i.e. security programs) with necessary improvement activities based on:
  - Best practices controls (step 6)
  - Security incidents
  - Results of security reviews

© Peter R. Bitterli, Slide 75


Maintain and Improve ISMS
Building an effective Information Security Management System

ACT phase (Maintain and improve the ISMS):
- Implement improvements
- Take corrective and preventive actions
- Communicate results
- Ensure improvements achieve objectives

© Peter R. Bitterli, Slide 76 Source: Peter Weiss, Zurich
Implement Improvements
“Easy” steps to implement an ISMS: Step 12 (ACT: Maintain and improve the ISMS)

- Implement with high emphasis the identified improvement measures as shown in the security program
- Keep track of progress

© Peter R. Bitterli, Slide 77


Communication
“Easy” steps to implement an ISMS: Step 13 (ACT: Maintain and improve the ISMS)

- Communicate progress to stakeholders

© Peter R. Bitterli, Slide 78


Intermediate Phase
In 30 steps twice around the PDCA circle to gain momentum

Figure: two consecutive passes around the PDCA circle, phase I followed by phase II. Each pass runs PLAN (Establish the ISMS), DO (Implement and operate the ISMS), CHECK (Monitor and review the ISMS) and ACT (Maintain and improve the ISMS). The steps up to step 13 form phase I; steps 14 to 30 form phase II.

Source: Peter Weiss, Zurich
Improve Documentation (I)
“Easy” steps to implement an ISMS: Step 14a

- For phase II you must improve the quality of the ISMS documentation:
  - records of management decisions
  - actions are traceable to management decisions
  - recorded results must be reproducible
  - demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process

Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements
Improve Documentation (II)
“Easy” steps to implement an ISMS: Step 14b

- ISMS documentation shall include:
  - documented statements of the ISMS policy and objectives
  - scope of the ISMS
  - procedures and controls in support of the ISMS
  - description of the risk assessment methodology
  - risk assessment report
  - risk treatment plan
  - documented security management procedures
  - Statement of Applicability

Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements
Improve Documentation (III)
“Easy” steps to implement an ISMS: Step 14c

- Protect and control ISMS documentation:
  - approve documents for adequacy prior to use
  - review, update and then re-approve documents
  - changes and the current revision status of documents are identified
  - ensure documents are available to those who need them
  - ensure controlled distribution
  - prevent the use of obsolete documents
  - …

Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements
Control of Records
“Easy” steps to implement an ISMS: Step 15

- Establish records to provide evidence of conformity to requirements and of the effective operation of the ISMS:
  - records need to be protected and controlled
  - take into account relevant legal or regulatory requirements and contractual obligations
  - records must be retrievable
  - the controls for “record management” must themselves be documented

Source: ISO/IEC 27001 Chapter 4.3.3 Control of records
Management Commitment
“Easy” steps to implement an ISMS: Step 16

- Management shall provide evidence of commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS:
  - establish policy, roles & responsibilities
  - communicate the importance of security
  - provide sufficient resources
  - decide criteria for accepting risks
  - ensure internal ISMS audits and management reviews

Source: ISO/IEC 27001 Chapter 5 Management responsibility
Establish the ISMS
Building an effective Information Security Management System

Figure: the PDCA circle with PLAN (Establish the ISMS, phase II) highlighted. Risk management activities of the PLAN phase:
- Define ISMS scope & policy
- Carry out risk assessment
- Decide on risk treatment
- Select controls (from ISO/IEC 17799)
- Accept residual risks

Source: Peter Weiss, Zurich
Broaden the Scope
“Easy” steps to implement an ISMS: Step 17
PDCA phase: PLAN (Establish the ISMS)

- Try to broaden the scope from …
  - within IT
  - headquarters
  - those departments with high business risks
  - the highly regulated areas of your company
  … to the whole organization.
Streamline Policies
“Easy” steps to implement an ISMS: Step 18a
PDCA phase: PLAN (Establish the ISMS)

- Based on the defined overall ISMS policy, review and streamline all other directives, policies and guidelines that concern information in any form (electronically stored, processed, printed, written, transmitted, spoken).
  - Clear up definitions
  - Remove contradictions and redundancies
  - Remove all parts that are not necessary
Streamline Policies
“Easy” steps to implement an ISMS: Step 18b
PDCA phase: PLAN (Establish the ISMS)

Figure (content not recoverable from the extracted slide).

Hint: Be aware that there is no standard terminology
Verify Areas of Applicability
“Easy” steps to implement an ISMS: Step 19
PDCA phase: PLAN (Establish the ISMS)

- Check whether the subset of the 133 controls that was implemented in the first phase needs to be enlarged based on changes in scope or risks.
Formal Risk Assessment (I)
“Easy” steps to implement an ISMS: Step 20a
PDCA phase: PLAN (Establish the ISMS)

- Improve your current risk assessment and treatment to a more mature process:
  - formalize the risk assessment methodology
  - determine criteria for risk acceptance
  - identify the assets within the scope of the ISMS and the owners of those assets
  - identify the threats to those assets
  - identify the vulnerabilities that might be exploited by those threats
  - identify the impact that a loss of confidentiality, integrity or availability would have on those assets

Source: ISO/IEC 27001 Chapter 4.2.1 Establish ISMS
Formal Risk Assessment (II)
“Easy” steps to implement an ISMS: Step 20b
PDCA phase: PLAN (Establish the ISMS)

- Improve your current risk assessment and treatment to a mature process (cont.):
  - analyze and evaluate the risks
  - identify and evaluate options for the treatment of risks
  - select control objectives and controls for the treatment of risks
  - obtain management approval of the residual risks

Source: ISO/IEC 27001 Chapter 4.2.1 Establish ISMS
Formal Risk Assessment (III)
“Easy” steps to implement an ISMS: Step 20c
PDCA phase: PLAN (Establish the ISMS)

(Example for demonstration purposes only *)

Risk 16: Remote Access Vulnerabilities will be reduced by security program elements:
- A: Remote Access Server, Single Sign-On
- B: Awareness day
- C: Regulations (contract management, policies)

Figure: probability/severity risk matrix. Vertical axis, probability: E daily (every day), D often (every 10 days), C probable (every 100 days), B improbable (every 1,000 days), A highly improbable (every 10,000 days). Horizontal axis, severity: 1 low, 2 medium, 3 high, 4 very high, 5 critical. Risks 1 to 21 are plotted as numbered points; as far as the extraction preserves the layout, row D holds risk 5, row C risks 2, 3, 6, 14, 16 and 7, row B risks 1, 4, 9, 11, 16, 13 and 21, and row A risks 17, 8, 15, 10, 19, 20, 18 and 12 (the severity column of each point is not recoverable). Risk 16 appears in both row C and row B, i.e. before and after the program elements take effect.
Implement and Operate ISMS
Building an effective Information Security Management System

Figure: the PDCA circle with DO (Implement and operate the ISMS, phase II) highlighted. Risk management activities of the DO phase:
- Formulate & implement the risk treatment plan
- Implement controls
- Implement training/awareness
- Define effectiveness measurement of controls
- Manage operations & resources of the ISMS

Source: Peter Weiss, Zurich
Implement Risk Treatment
“Easy” steps to implement an ISMS: Step 21
PDCA phase: DO (Implement and operate the ISMS)

- Determine the detailed risk treatment plan:
  - identify options for risk treatment
  - apply appropriate controls
  - knowingly and objectively accept risks (provided they clearly satisfy the organization’s policies and criteria for accepting risks)
  - check whether additional controls (e.g. ones not listed in ISO/IEC 17799) need to be implemented
  - determine how progress will be assessed
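The matrix and acceptance logic of steps 20a to 20c, the risk treatment of step 21 and the traceability from selected controls back to risk assessment results that step 14a and the Statement of Applicability (step 14b) require, as an added Python example that is not part of the original slides. It encodes the probability classes and severity levels of the step 20c matrix as data, applies an acceptance criterion, lets selected controls shift a risk to its residual position and derives the Statement of Applicability from the register. The acceptance threshold, the control identifiers and their effects, the severity of risk 16 and the other register entries are assumptions for illustration.

```python
"""Risk matrix, acceptance criterion and control traceability for an ISMS risk register."""
from dataclasses import dataclass, field

# Probability classes of the step 20c matrix: class -> (label, one event every N days)
PROBABILITY = {
    "A": ("highly improbable", 10_000),
    "B": ("improbable", 1_000),
    "C": ("probable", 100),
    "D": ("often", 10),
    "E": ("daily", 1),
}
PROB_ORDER = "ABCDE"
# Severity levels of the matrix: level -> label
SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "very high", 5: "critical"}

# Assumed acceptance criterion (step 20a requires you to define one): a risk is
# acceptable when its annualised exposure, expected events per year times the
# severity level, does not exceed this value.
ACCEPTANCE_THRESHOLD = 5.0


@dataclass(frozen=True)
class Control:
    cid: str                    # hypothetical identifier, not an ISO/IEC 17799 clause number
    description: str
    probability_steps: int = 0  # probability classes the control lowers a risk by on its own
    severity_steps: int = 0     # severity levels the control lowers a risk by on its own


@dataclass
class Risk:
    rid: int
    name: str
    probability: str            # inherent class, A..E
    severity: int               # inherent level, 1..5
    controls: list = field(default_factory=list)  # selected Controls, i.e. the treatment


def events_per_year(prob: str) -> float:
    return 365.0 / PROBABILITY[prob][1]


def exposure(prob: str, sev: int) -> float:
    """Annualised exposure used by the acceptance criterion."""
    return events_per_year(prob) * sev


def is_acceptable(prob: str, sev: int) -> bool:
    return exposure(prob, sev) <= ACCEPTANCE_THRESHOLD


def residual(risk: Risk) -> tuple:
    """Matrix position after the selected controls take effect (never below A1)."""
    p_idx = PROB_ORDER.index(risk.probability) - sum(c.probability_steps for c in risk.controls)
    sev = risk.severity - sum(c.severity_steps for c in risk.controls)
    return PROB_ORDER[max(p_idx, 0)], max(sev, 1)


def matrix(risks, use_residual=False):
    """The slide's grid as data: cell label -> risk ids, e.g. {'C4': [16]}."""
    grid = {}
    for r in risks:
        prob, sev = residual(r) if use_residual else (r.probability, r.severity)
        grid.setdefault(f"{prob}{sev}", []).append(r.rid)
    return grid


def statement_of_applicability(catalogue, risks):
    """Control id -> risk ids that justify selecting it; an empty list means the
    control is not applicable. This is the traceability step 14a asks for:
    every selected control points back to a risk assessment result."""
    soa = {c.cid: [] for c in catalogue}
    for r in risks:
        for c in r.controls:
            soa[c.cid].append(r.rid)
    return soa


def unacceptable_residuals(risks):
    """Risks that still breach the criterion after treatment: they need further
    controls or explicit management acceptance of the residual risk (step 20b)."""
    return [r.rid for r in risks if not is_acceptable(*residual(r))]


# Constructed catalogue and register. Risk 16 and its three program elements come
# from the slide; its severity, the other risks and the control effects are assumed.
CATALOGUE = [
    Control("RAS", "Remote access server with single sign-on", probability_steps=1),
    Control("AWR", "Awareness day"),
    Control("REG", "Regulations: contract management, policies"),
    Control("BKP", "Off-site backups", severity_steps=2),
    Control("ENC", "Laptop disk encryption", severity_steps=1),
]
_by_id = {c.cid: c for c in CATALOGUE}
REGISTER = [
    Risk(16, "Remote access vulnerabilities", "C", 4, [_by_id["RAS"], _by_id["AWR"], _by_id["REG"]]),
    Risk(5, "Malware on workstations", "D", 2, [_by_id["AWR"]]),
    Risk(8, "Loss of the data centre", "A", 5, [_by_id["BKP"]]),
]

if __name__ == "__main__":
    print("inherent:", matrix(REGISTER))
    print("residual:", matrix(REGISTER, use_residual=True))
    print("SoA:", statement_of_applicability(CATALOGUE, REGISTER))
    print("still unacceptable:", unacceptable_residuals(REGISTER))
```

Running the block moves risk 16 from C4 to B4, which passes the assumed criterion, while risk 5 stays at D2 because awareness alone carries no credited effect: exactly the case step 21 covers, where either an additional control is needed or management has to accept the residual risk explicitly against the documented criteria. The Statement of Applicability lists ENC with no justifying risk, so it would be recorded as not applicable rather than silently left out.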
Further Security Awareness
“Easy” steps to implement an ISMS: Step 22
PDCA phase: DO (Implement and operate the ISMS)

- Start a formal information security awareness campaign that aims for competent staff:
  - analyze the target audience
  - decide on overall goals, contents and approaches
  - develop a security marketing campaign
  - in any case, implement:
    - formal classroom based training (users, IT, …)
    - a combination of other delivery channels
  - develop and implement metrics
  - roll out and monitor the campaign
Get more Security Resources
“Easy” steps to implement an ISMS: Step 23a
PDCA phase: DO (Implement and operate the ISMS)

- Based on the security program of phase II, estimate the resources required for information security
- Always ask for about 20% more resources than needed; justify the request with:
  - still increasing legal/regulatory requirements
  - the results of the risk assessment performed
  - the many ongoing security programs
  - more incidents in the headlines
  - the list of intangible benefits (see next page)
Intangible Security Benefits
“Easy” steps to implement an ISMS: Step 23b
PDCA phase: DO (Implement and operate the ISMS)

Benefits affecting clients and partners:
- Higher quality
- Proven availability
- Broader functionality
- More flexibility
- …

Benefits affecting the organization:
- Brand
- Skills & knowledge
- Training
- Leadership & culture
- Growth & opportunities
- …
Monitor and Review ISMS
Building an effective Information Security Management System

Figure: the PDCA circle with CHECK (Monitor and review the ISMS, phase II) highlighted. Risk management activities of the CHECK phase:
- Execute monitoring procedures
- Regularly review the effectiveness of the ISMS
- Measure the effectiveness of controls
- Review risk assessments
- Conduct internal ISMS audits and management reviews
- Update the security plan

Source: Peter Weiss, Zurich
Improve Incident Management
“Easy” steps to implement an ISMS: Step 24
PDCA phase: CHECK (Monitor and review the ISMS)

- Incident management is considered a critical success factor of an ISMS, i.e. it needs to be highly effective:
  - processes for reporting events are established
  - the correct behaviour needs to be known
  - feedback should be provided
  - a disciplinary process is necessary
  - link to problem management
  - prevention should be a high priority, too!
Security Compliance Reviews
“Easy” steps to implement an ISMS: Step 25
PDCA phase: CHECK (Monitor and review the ISMS)

- Perform security compliance reviews of the effectiveness of (selected parts of) the ISMS, e.g.
  - where you have invested $$ for improvements
  - where the risk assessment shows a lack of controls
  - where management attention is insufficient
  - where quick improvements are possible
  - …
- If possible, look for objective security metrics
Management Reviews
“Easy” steps to implement an ISMS: Step 26
PDCA phase: CHECK (Monitor and review the ISMS)

- Perform a management review (once a year) of the ISMS to ensure its continuing suitability, adequacy and effectiveness; include:
  - results of ISMS audits and reviews
  - status of preventive and corrective actions
  - results from effectiveness measurement
- Come to a decision and take action:
  - improvement of effectiveness
  - update of the risk assessment and treatment plan
  - modification of controls that affect information security
Status Monitoring
“Easy” steps to implement an ISMS: Step 27
PDCA phase: CHECK (Monitor and review the ISMS)

Figure (content not recoverable from the extracted slide).
Maintain and Improve ISMS
Building an effective Information Security Management System

Figure: the PDCA circle with ACT (Maintain and improve the ISMS, phase II) highlighted. Activities of the ACT phase:
- Implement improvements
- Take corrective and preventive actions
- Communicate results
- Ensure improvements achieve objectives

Source: Peter Weiss, Zurich
Continuing Improvements
“Easy” steps to implement an ISMS: Step 28
PDCA phase: ACT (Maintain and improve the ISMS)

- Identify nonconformities and their causes
- Evaluate the need for further actions
- Determine and implement corrective action
- Record the result of the action taken
- Aim for prevention, i.e. identify potential nonconformities
Accelerate Communication
“Easy” steps to implement an ISMS: Step 29
PDCA phase: ACT (Maintain and improve the ISMS)

- Communicate actions and improvements to all interested parties with a level of detail appropriate to the circumstances
- Ask for agreement on how to proceed
- Implement a quarterly top management security status report (“dashboard”)
Aim for Certification
“Easy” steps to implement an ISMS: Step 30
PDCA phase: ACT (Maintain and improve the ISMS)

- If not yet done: formally decide on certification
- Perform a gap analysis for certification (ISO/IEC 27001 & ISO/IEC 17799)
- Implement a “certification rollout program”
Benefits
Part 7

Discussion of some of the major benefits of improving your ISMS to a mature ISMS
Support of OECD Principles
Building an effective Information Security Management System

- Awareness of the need for information security
- Responsibility for information security
- Prevent, detect and respond to incidents
- Ethics respecting the interests of others
- Information security compatible with the essential values of a democratic society
- Risk management providing levels of assurance towards acceptable risks
- Security incorporated in systems
- Continuous improvement

Source: Peter Weiss, Zurich
Other Benefits
Every company has an ISMS – but most have an ineffective one

- An improved ISMS …
  - lowers the probability of major security incidents
  - decreases the severity of low-probability scenarios
  - removes contradictions, bottlenecks and blind spots
  - improves security awareness
  - lets you invest your $$$ more effectively
  - demonstrates proper stewardship
  - gets the auditors off your back
  - lets you sleep well
  - …
Pitfalls to avoid
Part 9

Some pitfalls to avoid during such an improvement process
Pitfalls to avoid (I)
Building an effective Information Security Management System

- Give the ISMS improvement project to a person who
  - has no security experience
  - is a security engineer (a techie)
  - has been too long in your company
  - is not a good communicator
  - is too junior or too old

>>> and you will fail!
Pitfalls to avoid (II)
Building an effective Information Security Management System

- No backing from executive management
- Unclear authorities & accountabilities
- Not enough funding for 2–3 years
- Not enough human resources
- Too short a time span for results
- “Play hockey instead of curling”
- Underestimating corporate culture
- Believing that operational risk management will solve your security issues
For More Information:

Peter R. Bitterli, CISA
Bitterli Consulting AG & ITACS Training AG
prb(at)bitterli-consulting.ch
Thank you!

“I will work in concert with my peers.”