ISO 27001-2005 Implementation Course

A presentation on ISO 27001:2005 Implementation. Copyright disclaimer: This presentation has been compiled using various materials available freely on the Internet. I neither hold nor claim any rights over it. All material's copyrights belong to their esteemed owners and creators.

Uploaded by Mohsen Mojabi

Information Security Management System
ISO/IEC 27001:2005 Implementation

Syllabus

- Overview of an ISMS
- Implementation Flowcharts & Diagrams
- Obtaining management support
- Determining the scope of the ISMS
- Identifying applicable legislation
- Defining a method of risk assessment
- Creating an inventory of information assets to protect
- Identifying risks
- Assessing the risks
- Identifying applicable objectives and controls
- Setting up policy and procedures to control risks
- Allocating resources and training the staff
- Monitoring the implementation of the ISMS
- Preparing for certification audit
- Required Documents and Records

Overview of an ISMS

Information security is the protection of information to ensure:

- Confidentiality: ensuring that the information is accessible only to those authorized to access it.
- Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
- Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).

An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security.

ISO/IEC publishes two standards that focus on an organization's ISMS:

- The code of practice standard: ISO/IEC 27002 (ISO/IEC 17799). This standard can be used as a starting point for developing an ISMS. It provides guidance for planning and implementing a program to protect information assets. It also provides a list of controls (safeguards) that you can consider implementing as part of your ISMS.

- The management system standard: ISO/IEC 27001. This standard is the specification for an ISMS. It explains how to apply ISO/IEC 27002 (ISO/IEC 17799). It provides the standard against which certification is performed, including a list of required documents. An organization that seeks certification of its ISMS is examined against this standard.

The standards set forth the following practices:

- All activities must follow a method. The method is arbitrary but must be well defined and documented.
- A company or organization must document its own security goals. An auditor will verify whether these requirements are fulfilled.
- All security measures used in the ISMS shall be implemented as the result of a risk analysis in order to eliminate or reduce risks to an acceptable level.
- The standard offers a set of security controls. It is up to the organization to choose which controls to implement based on the specific needs of its business.
- A process must ensure the continuous verification of all elements of the security system through audits and reviews.
- A process must ensure the continuous improvement of all elements of the information security management system.
- The ISO/IEC 27001 standard adopts the Plan-Do-Check-Act (PDCA) model as its basis and expects the model to be followed in an ISMS implementation.

These practices form the framework within which you will establish an ISMS.

Overview of an ISMS

[Diagram slides: the ISMS viewed across Technology, People and Process; the diagram lists the following elements.]

Technology:
- System Security
- UTM, Firewalls
- IDS/IPS
- Data Center
- Physical Security
- Vulnerability Assessment
- Penetration Testing
- Application Security
- Secure SDLC
- SIM/SIEM
- Managed Services

People:
- Training
- Awareness
- HR Policies
- Background Checks
- Roles / responsibilities
- Mobile Computing
- Social Engineering
- Social Networking
- Acceptable Use
- Policies
- Performance Mgt

Process:
- Risk Management
- Asset Management
- Data Classification
- Info Rights Mgt
- Data Leak Prevention
- Access Management
- Change Management
- Patch Management

Implementation Flowcharts & Diagrams

[Flowchart and diagram slides; the images are not reproduced in this text.]

Obtaining management support

As described in ISO/IEC 27001, management plays an important role in the success of an ISMS.

What you need: the Management responsibility section of ISO/IEC 27001.

Management must make a commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS. Commitment must include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, awareness, and competency.

Results: Establishment of the following items demonstrates management commitment:

- An information security policy; this policy can be a standalone document or part of an overall security manual that is used by an organization.
- Information security objectives and plans; again, this information can be a standalone document or part of an overall security manual that is used by an organization.
- Roles and responsibilities for information security; a list of the roles related to information security should be documented either in the organization's job description documents or as part of the security manual or ISMS description documents.
- Announcement or communication to the organization about the importance of adhering to the information security policy.
- Sufficient resources to manage, develop, maintain, and implement the ISMS.

In addition, management will participate in the ISMS Plan-Do-Check-Act (PDCA) process, as described in ISO/IEC 27001, by:

- Determining the acceptable level of risk. Evidence of this activity can be incorporated into the risk assessment documents.
- Conducting management reviews of the ISMS at planned intervals. Evidence of this activity can be part of the approval process for the documents in the ISMS.
- Ensuring that personnel affected by the ISMS are provided with training, are competent for the roles and responsibilities they are assigned to fulfill, and are aware of those roles and responsibilities. Evidence of this activity can be through employee training records and employee review documents.

Security Policy Example: (shown as images on slides 23 and 24; not reproduced in this text)

Determining the scope of the ISMS

When management has made the appropriate commitments, you can begin to establish your ISMS. In this step, you should determine the extent to which you want the ISMS to apply to your organization.

What you need: You can use several of the result documents that were created as part of step 1, such as:

- The information security policy
- The information security objectives and plans
- The roles and responsibilities that are related to information security and were defined by management

In addition, you will need lists of the areas, locations, assets, and technologies of the organization that will be controlled by the ISMS.

While reviewing these lists, you might want to answer questions similar to the following:

- What areas of your organization will be covered by the ISMS?
- What are the characteristics of those areas: the locations, assets, and technologies to be included in the ISMS?
- Will you require your suppliers to abide by your ISMS?
- Are there dependencies on other organizations? Should they be considered?

Your goals will be to cover the following:

- the processes used to establish the scope and context of the ISMS
- the strategic and organizational context

Results: A documented scope for your ISMS. When you have determined the scope, you will need to document it, usually in a few statements or paragraphs. The documented scope often becomes one of the first sections of your organization's Security Manual. Or, it might remain a standalone document in a set of ISMS documents that you plan to maintain. Often the scope, the security policy, and the security objectives are combined into one document.

Scope Example: (shown as an image on slide 28; not reproduced in this text)

Note: Too narrow a scope will create more burden and headache. Lots of companies try to decrease their implementation costs by narrowing the scope, but they often find themselves in a situation where such a scope gives them a headache. The problem when the ISO 27001 scope is not the whole organization is that the Information Security Management System (ISMS) must have interfaces to the outside world; in that context, the outside world is not only the clients, partners, suppliers etc., but also the organization's departments that are not within the scope. It may seem funny, but a department which is not within the scope should be treated in the same way as an external supplier.

You have to put yourself in the certification body's shoes: it must certify that within your scope you are able to handle the information in a secure way, while it cannot check any of your departments outside the scope. The only way to handle such a situation is to treat such departments as if they were external companies.

Identifying applicable legislation

After you have determined the scope, identify any regulatory or legislative standards that apply to the areas you plan to cover with the ISMS. Such standards might come from the industry in which your organization works, from state, local, or federal governments, or from international regulatory bodies.

What you need: Up-to-date regulatory or legislative standards that might be applicable to your organization. You might find it helpful to have input and review from lawyers or specialists who are knowledgeable about the standards.

Results: Additional statements in the scope of the ISMS. If your ISMS will incorporate more than two or three legislative or regulatory standards, you might also create a separate document or appendix in the Security Manual that lists all of the applicable standards and details about the standards.

Example: The text added to the scope statement as a result of identifying applicable legislation is shown in the following example in italics. (The example is an image on slide 33 and is not reproduced in this text.)

Defining a method of risk assessment

Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence. Choosing a risk assessment method is one of the most important parts of establishing an ISMS.

To meet the requirements of ISO/IEC 27001, you will need to define and document a method of risk assessment and then use it to assess the risk to your identified information assets, make decisions about which risks are intolerable and therefore need to be mitigated, and manage the residual risks through carefully considered policies, procedures, and controls.

ISO/IEC 27001 does not specify the risk assessment method you should use; however, it does state that you must use a method that enables you to complete the following tasks:

- Evaluate risk based on levels of Confidentiality, Integrity, and Availability
- Set objectives to reduce risk to an acceptable level
- Determine criteria for accepting risk
- Evaluate risk treatment options

Some risk assessment methods provide a matrix that defines levels of confidentiality, integrity, and availability and provide guidance as to when and how those levels should be applied. (The example table on slide 36 is an image and is not reproduced in this text.)

What you will need: If you are unfamiliar with risk assessment methods, you might want to refer to these published examples:

- ISO/IEC 13335 (Management of information and communications technology security)
- NIST SP 800-30 (Risk Management Guide for Information Technology Systems), http://csrc.nist.gov/publications/nistpubs/
- ISO/IEC 31000:2009
- Risk assessment methods that are specific to the industry of your organization

There are many risk assessment methods you can choose from, such as those that are prevalent in your industry. For example, if your company is in the oil industry, you might find there are risk assessment methods related to that industry.

Results: When you have completed this step, you should have a document that explains how your organization will assess risk, including:

- the organization's approach to information security risk management
- criteria for information security risk evaluation and the degree of assurance required

(Slide 39 is an image; not reproduced in this text.)

Creating an inventory of information assets

To identify risks and the levels of risks associated with the information you want to protect, you first need to make a list of all of your information assets that are covered in the scope of the ISMS.

What you will need: You will need the scope that you defined and input from the organization that is defined in your scope regarding its information assets.

Result: When you have completed this step, you should have a list of the information assets to be protected and an owner for each of those assets. You might also want to identify where the information is located and how critical or difficult it would be to replace. This list should be part of the risk assessment methodology document that you created in the previous step. Because you will need this list to document your risk assessment, you might want to group the assets into categories and then make a table of all the assets with columns for assessment information and the controls you choose to apply.

Identifying risks

Next, for each asset you defined in the previous step, you will need to identify risks and classify them according to their severity and vulnerability. In addition, you will need to identify the impact that loss of confidentiality, integrity, and availability may have on the assets.

To begin identifying risks, you should start by identifying actual or potential threats and vulnerabilities for each asset.

A threat is something that could cause harm. For example, a threat could be any of the following:

- A declaration of the intent to inflict harm or misery
- Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets
- An intentional, accidental, or man-made act that could inflict harm, or a natural disaster (such as a hurricane or tsunami)

A vulnerability is a source or situation with a potential for harm (for example, a broken window is a vulnerability; it might encourage harm, such as a break-in).

A risk is a combination of the likelihood or frequency that a specific threat will occur and the severity of its consequences.

What you will need:

- The list of assets that you defined in the previous step
- The risk assessment methodology you defined in step 5

For each asset, you should identify vulnerabilities that might exist for that asset and threats that could result from those vulnerabilities. It is often helpful to think about threats and vulnerabilities in pairs, with at least one pair for each asset and possibly multiple pairs for each asset.

Results: For each asset, you will have a threat and vulnerability description and, using your Risk Assessment methodology, you will assign levels of confidentiality, integrity, and availability to that asset.

Assessing the risks

After you have identified the risks and the levels of confidentiality, integrity, and availability, you will need to assign values to the risks. The values will help you determine if the risk is tolerable or not and whether you need to implement a control to either eliminate or reduce the risk.

To assign values to risks, you need to consider:

- The value of the asset being protected
- The frequency with which the threat or vulnerability might occur
- The damage that the risk might inflict on the company or its customers or partners

For example, you might assign values of Low, Medium, and High to your risks. To determine which value to assign, you might decide that if the value of an asset is high and the damage from a specified risk is high, the value of the risk should also be high, even though the potential frequency is low. Your Risk Assessment Methodology document should tell you what values to use and might also specify the circumstances under which specific values should be assigned. Also, be sure to refer to your Risk Assessment Methodology document to determine the implication of a certain risk value. For example, to keep your ISMS manageable, your Risk Assessment Methodology might specify that only risks with a value of Medium or High will require a control in your ISMS. Based on your business needs and industry standards, risks will be assigned appropriate values.

What you will need:

- Lists of assets and their associated risks and CIA levels, which you created in the previous step.
- Possibly input from management as to what level of risk they are willing to accept for specific assets.

Results: When you have completed your assessment, you will have identified which information assets have intolerable risk and therefore require controls. You should have a document (sometimes referred to as a Risk Assessment Report) that indicates the risk value for each asset. In the next step you will identify which controls might be applicable for the assets that require control in order to reduce the risk to tolerable levels. This document can either be standalone or it can be part of an overall Risk Assessment document that contains your risk assessment methodology and this risk assessment.
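The three steps above (inventory of assets with CIA levels, threat/vulnerability pairs per asset, and Low/Medium/High risk values with an acceptance threshold) fit together as one small calculation. The following is an added example, not code from the presentation: the asset inventory, the risk matrix, the "highest of C, I, A" rule for asset value and the Medium-or-above acceptance criterion are all constructed assumptions standing in for what a real Risk Assessment Methodology document would define. The one rule it takes from the slides is that a high-value asset with high damage is rated High even when the frequency is Low.

```python
"""Worked risk assessment over a constructed asset inventory (added example)."""
from dataclasses import dataclass, field

# Ordinal scale used by the (assumed) Risk Assessment Methodology document.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
NAME = {v: k for k, v in LEVEL.items()}


@dataclass
class Asset:
    """One row of the asset inventory: name, owner, location, CIA levels and
    the threat/vulnerability pairs identified for it."""
    name: str
    owner: str
    location: str
    c: str  # confidentiality level
    i: str  # integrity level
    a: str  # availability level
    # each pair: (threat, vulnerability, frequency, damage)
    pairs: list = field(default_factory=list)


def asset_value(asset):
    """Assumption: the asset's value is the highest of its C, I and A levels."""
    return NAME[max(LEVEL[asset.c], LEVEL[asset.i], LEVEL[asset.a])]


# Constructed risk matrix: MATRIX[impact][frequency] -> risk value.
MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}


def risk_value(value, frequency, damage):
    """Combine asset value, frequency and damage into Low/Medium/High."""
    # Rule taken from the slides: a high-value asset with high damage is a
    # High risk even when the frequency is Low.
    if value == "High" and damage == "High":
        return "High"
    impact = NAME[max(LEVEL[value], LEVEL[damage])]
    return MATRIX[impact][frequency]


def assess(inventory):
    """Produce the Risk Assessment Report rows: one per threat/vulnerability pair."""
    rows = []
    for asset in inventory:
        value = asset_value(asset)
        for threat, vulnerability, frequency, damage in asset.pairs:
            rows.append({
                "asset": asset.name, "owner": asset.owner,
                "threat": threat, "vulnerability": vulnerability,
                "asset_value": value, "frequency": frequency, "damage": damage,
                "risk": risk_value(value, frequency, damage),
            })
    return rows


def intolerable(rows, threshold="Medium"):
    """Acceptance criterion (assumed, as the slides suggest): only risks at or
    above the threshold need a control in the ISMS."""
    return [r for r in rows if LEVEL[r["risk"]] >= LEVEL[threshold]]


# Constructed sample inventory; names, owners and locations are made up.
INVENTORY = [
    Asset("Customer database", "Head of Sales", "Data center rack 3",
          "High", "High", "Medium", [
              ("Unauthorized disclosure", "Shared DBA account, no access review", "Low", "High"),
              ("Ransomware", "Backups never restore-tested", "Medium", "High"),
          ]),
    Asset("Visitor log (paper)", "Reception", "Front desk",
          "Low", "Medium", "Low", [
              ("Loss of the log book", "Stored unlocked overnight", "Low", "Low"),
          ]),
    Asset("Public website", "Marketing", "Hosting provider",
          "Low", "Medium", "High", [
              ("Defacement", "Unpatched CMS", "Medium", "Medium"),
          ]),
]

if __name__ == "__main__":
    report = assess(INVENTORY)
    for row in report:
        print(f"{row['risk']:6} {row['asset']:22} {row['threat']}")
    print(f"{len(intolerable(report))} of {len(report)} risks need treatment")
```

With this inventory the two customer-database risks and the website defacement come out High, while the visitor log risk is Low and falls below the Medium threshold, so three of the four rows go forward into the risk treatment step. Swapping the constructed matrix or threshold for the values in your own methodology document changes nothing else in the flow.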

Detailed Risk Description: (shown as an image on slide 51; not reproduced in this text)

Risk Management Process

- Recognition or identification of risks
- Ranking or evaluation of risks
- Responding to significant risks: tolerate, treat, transfer, terminate
- Resourcing controls
- Reaction planning
- Reporting and monitoring risk performance
- Reviewing the risk management framework

(Slide 53, a diagram of the risk management process, and slide 54, "Framework for Managing Risk (ISO 31000)", are images; not reproduced in this text.)

Risk Management (based on ISO 31000)

A risk management policy should include the following sections:

- Risk management and internal control objectives (governance)
- Statement of the attitude of the organization to risk (risk strategy)
- Description of the risk-aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organization and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analyzing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year

Risk Management Responsibilities

The CEO / Board:
- Determine the strategic approach to risk and set the risk appetite
- Establish the structure for risk management
- Understand the most significant risks
- Manage the organization in a crisis

The business unit manager:
- Build a risk-aware culture within the unit
- Agree risk management performance targets
- Ensure implementation of risk improvement recommendations
- Identify and report changed circumstances / risks

Individual employees:
- Understand, accept and implement RM processes
- Report inefficient, unnecessary or unworkable controls
- Report loss events and near-miss incidents
- Co-operate with management on incident investigations

The risk manager:
- Develop the risk management policy and keep it up to date
- Document the internal risk policies and structures
- Co-ordinate the risk management (and internal control) activities
- Compile risk information and prepare reports for the Board

Specialist risk management functions:
- Assist the company in establishing specialist risk policies
- Develop specialist contingency and recovery plans
- Keep up to date with developments in the specialist area
- Support investigations of incidents and near misses

Internal audit manager:
- Develop a risk-based internal audit program
- Audit the risk processes across the organization
- Receive and provide assurance on the management of risk
- Report on the efficiency and effectiveness of internal controls

Risk Assessment Techniques: (shown as an image on slide 63; not reproduced in this text)

Biggest challenges with risk management

- Getting managers to sit down and actually complete the questionnaire
- Evaluating the impact and likelihood correctly
- Being exhaustive and anticipating all possible risks
- Picking the right assessment methodology
- Dealing with IT specialists who are reluctant to admit there is any vulnerability

Identifying applicable objectives/controls

Next, for the risks that you've determined to be intolerable, you must take one of the following actions:

- Decide to accept the risk; for example, when actions are not possible because they are out of your control (such as a natural disaster or political uprising) or are too expensive.
- Transfer the risk; for example, purchase insurance against the risk, subcontract the activity so that the risk is passed on to the subcontractor, etc.
- Reduce the risk to an acceptable level through the use of controls.

To reduce the risk, you should evaluate and identify appropriate controls. These controls might be controls that your organization already has in place or controls that are defined in the ISO/IEC 27002 (ISO/IEC 17799) standard. (Note: Examining the controls that you already have in place against the standard and then using the results to identify what controls are missing is commonly called a gap analysis.)

What you will need:

- Annex A of ISO/IEC 27001. This appendix summarizes controls that you might want to choose from.
- ISO/IEC 27002 (ISO/IEC 17799), which provides greater detail about the controls summarized in ISO/IEC 27001.
- Procedures for existing corporate controls

Results: You should end up with two documents by completing this step:

- A Risk Treatment Plan
- A Statement of Applicability

The Risk Treatment Plan documents the following:

- The method selected for treating each risk (accept, transfer, reduce)
- Which controls are already in place
- What additional controls are proposed
- The time frame over which the proposed controls are to be implemented

The Statement of Applicability (SOA) documents the control objectives and controls selected from Annex A. The Statement of Applicability is usually a large table in which each control from Annex A of ISO/IEC 27001 is listed with its description and corresponding columns that indicate whether that control was adopted by the organization, the justification for adopting or not adopting the control, and a reference to the location where the organization's procedure for using that control is documented. The SOA can be part of the Risk Assessment document, but usually it is a standalone document because it is lengthy and is listed as a required document in the standard.
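The Risk Treatment Plan and the Statement of Applicability are two views of the same decisions, and an auditor checks that they agree: every Annex A control appears in the SOA, every control has a justification whether adopted or excluded, and every adopted control points to a documented procedure. The following added example (not the presentation's own material) builds the SOA table from a treatment plan and checks those three properties. The six Annex A control numbers and titles are a small subset quoted from ISO/IEC 27001:2005 Annex A; the treatment plan, the existing-control set, the justifications and the procedure references are constructed sample data.

```python
"""Build a Statement of Applicability from a risk treatment plan and check it (added example)."""

# Small subset of Annex A (ISO/IEC 27001:2005): control number -> control title.
ANNEX_A = {
    "A.5.1.1": "Information security policy document",
    "A.7.1.1": "Inventory of assets",
    "A.9.1.2": "Physical entry controls",
    "A.10.5.1": "Information back-up",
    "A.11.2.1": "User registration",
    "A.12.6.1": "Control of technical vulnerabilities",
}

# Constructed Risk Treatment Plan: one entry per intolerable risk, with the
# treatment chosen (accept / transfer / reduce), the controls that reduce it,
# whether they are already in place and the time frame for new ones.
TREATMENT_PLAN = [
    {"risk": "Ransomware on customer database", "treatment": "reduce",
     "controls": ["A.10.5.1"], "in_place": False, "deadline": "end of Q3 (constructed)"},
    {"risk": "Unauthorized disclosure via shared DBA account", "treatment": "reduce",
     "controls": ["A.11.2.1"], "in_place": True, "deadline": None},
    {"risk": "Flood at hosting site", "treatment": "transfer",
     "controls": [], "in_place": False, "deadline": None},
]

# Constructed: controls the organization already operates outside the treatment plan.
EXISTING_CONTROLS = {"A.5.1.1", "A.7.1.1"}

# Constructed justifications; A.12.6.1 is deliberately left out to show the check.
JUSTIFICATION = {
    "A.5.1.1": "Demonstrates management commitment (step 1)",
    "A.7.1.1": "The asset inventory underpins the risk assessment",
    "A.9.1.2": "Excluded: all systems are hosted by a supplier; physical entry is "
               "covered by the supplier contract",
    "A.10.5.1": "Selected by the risk treatment plan",
    "A.11.2.1": "Selected by the risk treatment plan",
}

# Constructed references to where each control's procedure is documented.
# A.10.5.1 has none yet because its control is still proposed, not implemented.
PROCEDURE_REF = {
    "A.5.1.1": "ISMS Manual, section 2",
    "A.7.1.1": "PR-03 Asset register procedure",
    "A.11.2.1": "PR-07 Access management procedure",
}


def selected_controls(plan):
    """Controls chosen to reduce risk; accepted or transferred risks select none."""
    chosen = set()
    for entry in plan:
        if entry["treatment"] == "reduce":
            chosen.update(entry["controls"])
    return chosen


def build_soa(annex_a, plan, existing, justification, procedure_ref):
    """One SOA row per Annex A control: adopted flag, justification, procedure reference."""
    adopted = existing | selected_controls(plan)
    return [{
        "control": cid,
        "title": title,
        "adopted": cid in adopted,
        "justification": justification.get(cid, ""),
        "procedure": procedure_ref.get(cid),
    } for cid, title in annex_a.items()]


def check_soa(rows, annex_a, plan):
    """Return the findings an auditor would raise against this SOA."""
    findings = []
    listed = {r["control"] for r in rows}
    for cid in annex_a:
        if cid not in listed:
            findings.append(f"{cid}: missing from the SOA")
    for entry in plan:
        for cid in entry["controls"]:
            if cid not in annex_a:
                findings.append(f"{cid}: treatment plan references an unknown control")
    for r in rows:
        if not r["justification"]:
            findings.append(f"{r['control']}: no justification for adopting or excluding the control")
        if r["adopted"] and not r["procedure"]:
            findings.append(f"{r['control']}: adopted but no reference to a documented procedure")
    return findings


if __name__ == "__main__":
    soa = build_soa(ANNEX_A, TREATMENT_PLAN, EXISTING_CONTROLS, JUSTIFICATION, PROCEDURE_REF)
    for row in soa:
        flag = "yes" if row["adopted"] else "no"
        print(f"{row['control']:9} {flag:3} {row['title']:40} {row['procedure'] or '-'}")
    for finding in check_soa(soa, ANNEX_A, TREATMENT_PLAN):
        print("FINDING:", finding)
```

Run as is, the table lists all six controls with four adopted, and the check raises two findings: A.12.6.1 is excluded without a justification, and A.10.5.1 is adopted (proposed by the treatment plan) but has no procedure reference yet. The second finding is exactly the gap the Risk Treatment Plan's time frame column exists to track, so the SOA row for a proposed control should cite the planned procedure or the plan entry rather than being left blank.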

Setting up policy/procedure to control risk

For each control that you define, you must have corresponding statements of policy or, in some cases, a detailed procedure. The procedures and policies are used by affected personnel so they understand their roles and so that the control can be implemented consistently. The documentation of the policy and procedures is a requirement of ISO/IEC 27001.

What you will need: To help you identify which procedures you might need to document, refer to your Statement of Applicability. To help you write your procedures so that they are consistent in content and appearance, you might want to create some type of template for your procedure writers to use.

Results: Additional policy and procedure documents. (The number of documents you produce will depend on the requirements of your organization.) Some of these procedures might also generate records. For example, if you have a procedure that all visitors to your facility must sign a visitors' log, the log itself becomes a record providing evidence that the procedure has been followed. Sections 4.3.2 and 4.3.3 of ISO/IEC 27001 require that all documents and records that are part of your ISMS be properly controlled. Therefore, policy and procedure documents must also be created to address these controls.

Example of some documents in an ISMS: (shown as an image on slide 73; not reproduced in this text)

Allocating resources and training the staff

Adequate resources (people, time, money) should be allocated to the operation of the ISMS and all security controls. In addition, the staff who must work within the ISMS (maintaining it and its documentation and implementing its controls) must receive appropriate training. The success of the training program should be monitored to ensure that it is effective. Therefore, in addition to the training program, you should also establish a plan for how you will determine the effectiveness of the training.

What you will need:

- A list of the employees who will work within the ISMS
- All of the ISMS procedures, to use for identifying what type of training is needed and which members of the staff or interested parties will require training
- Management agreement to the resource allocation and the training plans

Results: Specific documentation is not required in the ISO/IEC standards. However, to provide evidence that resource planning and training have taken place, you should have some documentation that shows who has received training and what training they have received. In addition, you might want to include a section for each employee that lists what training they should be given. Also, you will probably have some type of procedure for determining how many people, how much money, and how much time needs to be allocated to the implementation and maintenance of your ISMS. It's possible that this procedure already exists as part of your business operating procedures or that you will want to add an ISMS section to that existing documentation.

Example of Employee Training Record: (shown as an image on slide 77; not reproduced in this text)

Monitoring the implementation of the ISMS

To ensure that the ISMS remains current, suitable, adequate, and effective, ISO/IEC 27001 requires:

- Management to review the ISMS at planned intervals. The review must include assessing opportunities for improvement and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to previous corrective or preventative actions and their effectiveness.
- Periodic internal audits

The results of the reviews and audits must be documented, and records related to the reviews and audits must be maintained.

What you will need: To perform management reviews, ISO/IEC 27001 requires the following input:

- Results of ISMS internal and external audits and reviews
- Feedback from interested parties
- Techniques, products, or procedures which could be used in the organization to improve the effectiveness of the ISMS
- Preventative and corrective actions (including those that might have been identified in previous reviews or audits)
- Incident reports; for example, if there has been a security failure, a report that identifies what the failure was, when it occurred, and how it was handled and possibly corrected
- Vulnerabilities or threats not adequately addressed in the previous risk assessment
- Follow-up actions from previous reviews
- Any organizational changes that could affect the ISMS
- Recommendations for improvement

To perform internal audits on a periodic basis, you need to define the scope, criteria, frequency, and methods. You also need the procedure (which should have been written as part of the "Setting up policy and procedures to control risks" step) that identifies the responsibilities and requirements for planning and conducting the audits, and for reporting results and maintaining records.

Results: The results of a management review should include decisions and actions related to:

- Improvements to the ISMS
- Modification of procedures that affect information security at all levels within the organization
- Resource needs

The results of an internal audit should result in identification of nonconformities and their related corrective actions or preventative actions. ISO/IEC 27001 lists the activity and record requirements related to corrective and preventative actions.

(Slide 83 is an image; not reproduced in this text.)

Preparing for certification audit

If you plan to have your ISMS certified, you will need to conduct a full cycle of internal audits, management review, and activities in the PDCA process. The external auditor will first examine your ISMS documents to determine the scope and content of your ISMS. Then the auditor will examine the necessary records and evidence that you implement and practice what is stated in your ISMS.

What you will need:

- All of the documents that you created in the preceding steps.
- Records from at least one full cycle of management reviews, internal audits, and PDCA activities, and evidence of responses taken as the result of those reviews and audits.

Results: The results of this preparation should be a set of documents that you can send to an auditor for review and a set of records and evidence that will demonstrate how efficiently and completely you have implemented your ISMS.

Required Documents and Records

Certain documents are required by ISO/IEC 27001, and records are required to provide evidence of the implementation of the ISMS. The following lists provide a summary of the documents and records discussed in previous sections of this guide. The documents listed here can be separate documents or presented together in one or more sets of documents.

Documents:
- Documented statements of the ISMS policy and objectives
- The scope of the ISMS
- Procedures and controls in support of the ISMS
- Description of the risk assessment methodology
- Risk assessment report
- Risk treatment plan
- Documented procedures needed by the organization to ensure the effective planning, operation, and control of its information security processes, and a description of how to measure the effectiveness of controls
- Records required by ISO/IEC 27001
- Statement of Applicability

Records: The records required for your ISMS will depend on the requirements of your business. ISO/IEC 27001:2005(E) states that records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. It further states that the ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. They should be controlled and maintained according to the organization's document control and retention policies and procedures.

Some examples of records are:
- Internal audit records
- Employee training records
- Management review minutes
- Preventative and corrective action records
- Incident reports

Any questions?