Iso/Iec 27001 and Cobit 5 Information Security Management and Data Classification Program
Information Security Management and Data Classification Program
Agenda
Overview of ISMS Family of Standards
ISO/IEC 27001
Implementation
Benefits of Compliance
Summary
Overview of ISMS Family of Standards
The ISMS standards specify a framework for an organization to manage the information security aspects of its business and, if necessary, to demonstrate to other parties (e.g. business partners, external auditors, customers, suppliers) its ability to manage information security.
Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
It specifies a risk-based security management system designed to ensure that organizations select and operate adequate and proportionate (i.e. cost-effective) security controls to protect information assets.
It uses the plan-do-check-act (improve) model.
Overview of ISMS Family of Standards (contd)
ISO/IEC 27000 - ISMS fundamentals and vocabulary
ISO/IEC 27001 -
- Establishing, implementing, operating, maintaining and improving an ISMS
- Documentation requirements
- Management responsibilities
- Internal audits and management reviews
ISO/IEC 27003 - ISMS implementation guide
ISO/IEC 27004 - Measurement and metrics
ISO/IEC 27005 - Risk management
[Figure: PDCA cycle applied to the ISMS. Plan: establish the ISMS. Do: implement and operate the ISMS. Check: monitor and review the ISMS. Act: maintain and improve the ISMS.]
Information Security
Information
An asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.
Source: ISO/IEC 17999:2005 Section 0.1
Asset
Anything that has value to the organization.
Source: ISO/IEC 27001:2005, 3.1
Information Security
Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Source: ISO/IEC 27001:2005
CIA
Confidentiality
Clause 3.3 of ISO/IEC 27001
Ensuring that information is accessible only to those authorized to have access.
Integrity
Clause 3.8 of ISO/IEC 27001
Safeguarding the accuracy and completeness of information and process methods.
Availability
Clause 3.2 of ISO/IEC 27001
Ensuring that authorized users have access to information when required.
ISO 27001:2005 Structure (Contd)
Overall, the standard can be broken down into:
a) Domain areas: 11 (Annex A: 11 domains of Information Management)
A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance
b) Control objectives: 39
c) Controls: 133
Implementation
1. Establish the ISMS
Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
2. Implement and operate the ISMS
Implement and operate the security policy, controls, processes and procedures.
3. Monitor and review the ISMS
Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.
4. Maintain and improve the ISMS
Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.