Information Technology - Security Techniques - Information Security Management Systems - Requirements

The document provides an overview of ISO 27001, the international standard for information security management. It explains that ISO 27001 specifies requirements for establishing, implementing, maintaining and continually improving an information security management system. Key aspects of ISO 27001 covered include comparing the 2005 and 2013 versions, the structure of ISO 27001, and details on domains and controls.


http://www.svamindia.com/

Official Title of ISO 27001:2013

"Information technology — Security techniques — Information security management systems — Requirements"

An Awareness Training on ISO 27001:2013

10/24/2019
What is Information Security

The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether
accidental or intentional

Information Assets
• An asset is something that has "value to the organization".
• Information assets of an organization include:
  – Business data
  – E-mail data
  – Employee information
  – Research records
  – Price lists
  – Tender documents
• Information exists in many forms:
  – Data stored on computers
  – Transmitted across networks
  – Printed out
  – Written on paper, sent by fax
  – Stored on disks
  – Held on microfilm
  – Spoken in conversations over the telephone

An organization must determine which assets can materially affect the delivery of its products or services by their absence or degradation.
Information security management relates to all types of information, whether paper-based, electronic or other. It determines how information is processed, stored, transferred, archived and destroyed.
Information is secure when its confidentiality, integrity and availability are ensured.
It is all about protecting information assets from potential security breaches.

What is Information Security

• Confidentiality
• Is my communication private?
• Ensuring that the data is read only by the intended person
• Protection of data against unauthorized access or disclosure
• Possible through access control and encryption

• Integrity
• Has my communication been altered?
• Protection of data against unauthorized modification or substitution
• If integrity is compromised, no point in protecting data
• A transparent envelope that is tamper evident
• Availability
• Are the systems responsible for delivering, storing and processing information accessible when needed?
• Are those systems available to the people who need them, at the time they need them? (Restricting access to only those who need it is a confidentiality concern, not an availability one.)

Need for ISMS

Management concerns:
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security

Security measures/controls:
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management

All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS).
Comparing ISO 27001:2005 to ISO 27001:2013

Structure
• ISO 27001:2005: the specification is spread across 5 clauses, which approach the ISMS from a managerial perspective:
  4. Information security management system
  5. Management responsibility
  6. Internal ISMS audits
  7. Management review of the ISMS
  8. ISMS improvement
• ISO 27001:2013: the specification is spread across 7 clauses, which do not have to be followed in the order they are listed:
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement
Comparing ISO 27001:2005 to ISO 27001:2013

Process
• ISO 27001:2005: the standard clearly states that it follows the PDCA (Plan-Do-Check-Act) model.
• ISO 27001:2013: the standard does not specify any particular process model; it requires that a process of continual improvement is used.

Governance and management
• ISO 27001:2005: senior management plays a major role. Management and board engagement is high, but the separation between board and management is not clear. The board initiates the ISMS; management oversees its implementation.
• ISO 27001:2013: management roles are described as 'management' and 'top management', removing the reference to the board. The organization is that part of the business that falls within the scope, and not necessarily the legal entity.
Comparing ISO 27001:2005 to ISO 27001:2013

Risk assessments
• ISO 27001:2005:
  – The definition of risk is the "combination of the probability of an event and its consequences".
  – The organization identifies risks against assets.
  – The asset owner determines how to treat the risk, accepting residual risk.
  – Controls are drawn from Annex A. Annex A is not exhaustive, so additional controls can be drawn from other sources.
  – The Statement of Applicability records whether a control from Annex A is selected and why.
• ISO 27001:2013:
  – The definition of risk is the "effect of uncertainty on objectives", which may be positive or negative.
  – Baseline controls based on regulatory, business and contractual obligations may be identified and implemented before the risk assessment is conducted.
  – The organization identifies risks to the organization's information; the assessment does not have to be asset-based.
  – The risk owner determines how to treat the risk, accepting residual risk.
  – Controls are drawn from any source or control set. Selected controls are then compared to those in Annex A.
  – The Statement of Applicability records whether a control from Annex A is selected and why.
Comparing ISO 27001:2005 to ISO 27001:2013

Controls
• ISO 27001:2005: Annex A contains 133 controls across 11 control categories. Controls from other sources are used to 'plug gaps' not covered by Annex A controls.
• ISO 27001:2013: Annex A contains 114 controls across 14 control categories. Controls (from any source) are identified before referring to Annex A.

Documentation
• ISO 27001:2005: the standard recognizes two forms, documents and records. Documents include policies, procedures, process diagrams, etc. Records track work completed, audit schedules, etc.
• ISO 27001:2013: the standard makes no distinction between documents and records. Both are subject to the same control requirements.
ISO27001 Structure

ISO/IEC 27001:2013 is an auditable standard with two parts:

Clauses (mandatory processes):
  4 Context of the organisation
  5 Leadership
  6 Planning
  7 Support
  8 Operation
  9 Performance evaluation
  10 Improvement

Annex A (control objectives and controls):
  14 domains
  35 control objectives
  114 controls
Number of Domains and Controls
Domain                                                                  Control Obj.   Controls
A.5  Information security policies                                          1             2
A.6  Organization of information security                                   2             7
A.7  Human resources security                                               3             6
A.8  Asset management                                                       3            10
A.9  Access control                                                         4            14
A.10 Cryptography                                                           1             2
A.11 Physical and environmental security                                    2            15
A.12 Operations security                                                    7            14
A.13 Communications security                                                2             7
A.14 System acquisition, development and maintenance                        3            13
A.15 Supplier relationships                                                 2             5
A.16 Information security incident management                               1             7
A.17 Information security aspects of business continuity management         2             4
A.18 Compliance                                                             2             8
Total: 14 domains                                                          35           114
ISO 27001 Main Clauses

• Clause 4: Context of the organization
  • Understanding the organization and its context
  • Understanding the needs and expectations of interested parties
  • Determining the scope of the information security management system
  • Information security management system

• Clause 5: Leadership
  • Leadership and commitment
  • Policy
  • Organizational roles, responsibilities and authorities

• Clause 6: Planning
  • Actions to address risks and opportunities
  • Information security objectives and planning to achieve them

• Clause 7: Support
  • Resources
  • Competence
  • Awareness
  • Communication
  • Documented information
ISO 27001 Main Clauses

• Clause 8: Operation
• Operation planning and control
• Information security Risk assessment
• Information security Risk Treatment

• Clause 9: Performance evaluation


• Monitoring, measurement, analysis and evaluation
• Internal Audit
• Management Review

• Clause 10: Improvement


  • Nonconformity and corrective action
  • Continual improvement
ISMS Scope

The Information Security Management System covers all business functions and processes associated with the information assets used to provide benefits and services to customers, employees and business partners of the organization.
Quality Policy & Business Objectives

Quality & Security Policy :


NST is committed to maintain high quality standards in delivering timely and cost
effective solutions to our customers by continual improvement of our processes,
instilling quality consciousness amongst all employees and recognizing the
confidentiality, integrity and availability of information assets to relevant
stakeholders including our customers.

Business Objectives
Key Objective 1: Provide high quality services to our clients.
Key Objective 2: Continuous focus on employee satisfaction and competency development so as to reduce and
stabilize employee attrition.

Key Objective 3: Continual improvement of services to our internal & external customers.

Key Objective 4: To secure its own information assets and those of its customers, NST shall deploy procedures to maintain
confidentiality, integrity and availability of all information assets.
Key Objective 5: To have year on year revenue increase while maintaining profitability.
ISMS Documentation

Level 1: Policy and ISMS Manual (apex document): management framework, policies, scope, risk assessment, statement of applicability
Level 2: Procedures: describe processes (who, what, when, where)
Level 3: Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done
Level 4: Records: provide objective evidence of compliance with ISMS requirements
Risk Assessment and Management

• Risk Assessment
• Identify all Stakeholders
• Identify Business Process
• Identify Operation Process
• Identify Assets
• Identify Risk on the basis of all Stakeholders
• Identify Threats and Vulnerabilities
• Evaluate Probability and Impact
• Calculate Risk Value
• Risk treatment
• Mitigate/Reduce risk
• Avoid risk
• Transfer risk
• Accept risk
• Risk Management
• Mitigate the risk by appropriate controls
• Evaluate controls periodically

ISO 27001:2013 Main Clauses (4 to 10) and Annex A

• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance Evaluation
• Clause 10: Improvement
• Annex A: Domains, Control Objectives and Controls (the reference control set; it is an annex, not a numbered clause of the standard)

There are 14 domains, 35 control objectives and 114 detailed controls.


Structure of ISO 27001:2013 Controls

14 Domains comprising 35 Control Objectives and 114 Controls


A.5 Information security policies – controls on how the policies are written and reviewed
A.6 Organization of information security – controls on how the responsibilities are assigned; also
includes the controls for mobile devices and teleworking
A.7 Human resources security – controls prior to employment, during, and after the employment
A.8 Asset management – controls related to inventory of assets and acceptable use, also for
information classification and media handling
A.9 Access control – controls for Access control policy, user access management, system and
application access control, and user Responsibilities
A.10 Cryptography – controls related to encryption and key management
A.11 Physical and environmental security – controls defining secure areas, entry controls,
protection against threats, equipment security, secure disposal, clear desk and clear screen
policy, etc.
A.12 Operational security – lots of controls related to management of IT production: change
management, capacity management, malware, backup, logging, monitoring, installation,
vulnerabilities, etc.
A.13 Communications security – controls related to network security, segregation, Network
services, transfer of information, messaging, etc.
Structure of ISO 27001:2013 Controls

A.14 System acquisition, development and maintenance – controls defining security requirements
and security in development and support processes
A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the
suppliers
A.16 Information security incident management – controls for reporting events and weaknesses,
defining responsibilities, response procedures, and collection of evidence

A.17 Information security aspects of business continuity management – controls requiring the
planning of business continuity, procedures, verification and reviewing, and IT redundancy

A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual
property protection, personal data protection, and reviews of information security

Guidelines for using the Risk Register Sheet

Risk analysis is an evaluation of the identified risk events to determine the likelihood of the events occurring and their impact, to assign a risk rating based on the project criteria and to prioritize the risks. For each risk event, the following risk analysis guidelines can be used:

1. Probability (P): the likelihood of occurrence is categorized as
   Rating           Description                                              Score
   Near certainty   Event that has a greater than 75% chance of occurring      5
   Highly likely    Event that has a 51 – 75% chance of occurring              4
   Likely           Event that has a 20 – 50% chance of occurring              3
   Unlikely         Event that has a 10 – 20% chance of occurring              2
   Remote           Event that has a 0 – 10% chance of occurring               1

2. Vulnerability / Impact (V): each risk is attributed a characterization value
   Rating        Description                                                                                   Score
   Showstopper   The effect is catastrophic; the organization may face significant loss and impact. The project will fail.   4
   Critical      The impact is serious and the project may be largely affected; there could be huge delays and the project could be postponed.   3
   Marginal      The risk could cause small delays in schedule.                                                 2
   Negligible    The impact of the risk on the project could be minimal.                                       1

3. CIA Value (C): the confidentiality, integrity and availability value of the affected asset
   1 – Low, 2 – Medium, 3 – High

Risk Value = (probability of event) + (vulnerability) + (CIA value), i.e. P + V + C, which ranges from 3 to 12:
   3 to 5:   Normal/Trivial
   6 to 7:   Low
   8 to 10:  Medium
   11 to 12: High

Risk level value definitions:
   3 to 5:   No action required
   6 to 7:   To be reviewed regularly; the organization will accept risk up to this level
   8 to 10:  Medium level risk; mitigation to be planned within a period of six months
   11 to 12: High level risk; mitigation immediately required
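The scoring rule above, together with the assess / treat / manage steps from the Risk Assessment and Management slide, as a runnable Python example. This is added here and is not code from the training deck or from NST: the probability, impact, CIA and risk-level tables are the deck's, while the RiskEntry class, the function names, the acceptance ceiling of 7 (the top of the "accept" band) and the sample register entries are assumptions made for this illustration.

```python
"""Risk register scoring: Risk Value = P + V + C.

Added example, not part of the training deck. The rating tables are the
deck's; RiskEntry, the function names, ACCEPTANCE_CEILING and the sample
register are assumptions for illustration.
"""
from dataclasses import dataclass

# Probability (P): likelihood band -> score (deck's table)
PROBABILITY = {
    "remote": 1,          # 0 - 10% chance of occurring
    "unlikely": 2,        # 10 - 20%
    "likely": 3,          # 20 - 50%
    "highly likely": 4,   # 51 - 75%
    "near certainty": 5,  # > 75%
}

# Vulnerability / impact (V): consequence class -> score (deck's table)
IMPACT = {
    "negligible": 1,   # minimal impact on the project
    "marginal": 2,     # small schedule delays
    "critical": 3,     # project largely affected, could be postponed
    "showstopper": 4,  # catastrophic: the project will fail
}

# CIA value (C): confidentiality/integrity/availability value of the asset
CIA = {"low": 1, "medium": 2, "high": 3}

# Risk level bands (inclusive) and the action each requires (deck's definitions)
LEVELS = (
    (3, 5, "normal/trivial", "No action required"),
    (6, 7, "low", "Review regularly; accepted by the organization"),
    (8, 10, "medium", "Mitigation to be planned within six months"),
    (11, 12, "high", "Mitigation immediately required"),
)
ACCEPTANCE_CEILING = 7  # assumption: top of the band the organization accepts untreated


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    probability: str
    impact: str
    cia: str

    def value(self) -> int:
        """P + V + C; rejects ratings that are not on the deck's scales."""
        try:
            return (PROBABILITY[self.probability.lower()]
                    + IMPACT[self.impact.lower()]
                    + CIA[self.cia.lower()])
        except KeyError as bad:
            raise ValueError(f"{self.risk_id}: unknown rating {bad}") from None

    def level(self) -> tuple:
        """(level name, required action) for this entry's risk value."""
        v = self.value()
        for low, high, name, action in LEVELS:
            if low <= v <= high:
                return name, action
        raise ValueError(f"{self.risk_id}: value {v} outside 3..12")


def score_register(entries):
    """Rows of (risk_id, value, level, action), highest risk first."""
    rows = [(e.risk_id, e.value(), *e.level()) for e in entries]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def needs_treatment(entries):
    """Risk IDs above the acceptance ceiling, i.e. those that need a treatment plan."""
    return [e.risk_id for e in entries if e.value() > ACCEPTANCE_CEILING]


# Constructed sample register (not data from the deck)
SAMPLE_REGISTER = [
    RiskEntry("R1", "Unauthorised access changes software functionality",
              "highly likely", "showstopper", "high"),
    RiskEntry("R2", "Loss of source code (system breakdown / competitor access)",
              "likely", "critical", "high"),
    RiskEntry("R3", "Lack of maintenance support reduces customer satisfaction",
              "highly likely", "marginal", "medium"),
    RiskEntry("R4", "Untrained staff operate systems erroneously",
              "likely", "negligible", "low"),
]

if __name__ == "__main__":
    for risk_id, value, level, action in score_register(SAMPLE_REGISTER):
        print(f"{risk_id}: {value:2d} {level:15s} {action}")
    print("treatment required:", needs_treatment(SAMPLE_REGISTER))
```

Because the three components are simply summed, a high-value asset (C = 3) with a remote, negligible event still scores 5 and lands in the "no action" band, while any showstopper that is at least "likely" scores 8 or more regardless of asset value; keeping the bands and the ceiling in one place makes that behaviour easy to review when the criteria are revisited.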
Understanding the Needs and Expectations of Interested Parties

Internal stakeholders and their issues:
• Management: governance, resource availability, organization structure, roles and accountabilities, policies, objectives and strategies
• Employees: fulfillment of commitments, adherence to organization policies, processes and guidelines, and ensuring seamless / uninterrupted operations; expectations of employees in terms of commitments made by the organization need to be fulfilled
• Shareholders: relationship with, and perceptions and values of, internal stakeholders; maintaining commitment to customers, goodwill and repute of the organization, and maintaining return on investment
• Board of Directors: commitment to the business in its totality
• Corporate requirements: submission of desired reports, statements and approvals; standards, guidelines and models adopted by the organization to carry out the business
• Users / other departments: information technology related requirements on the organization, such as access rights and IT infrastructure availability to internal users and other departments
• HR: resource availability, resource competence, training, background verification, etc.
• Finance: approval of financial commitments
• Legal: vetting of legal contracts and protecting the organization from non-compliance with legal, regulatory and contractual requirements

External stakeholders and their issues:
• Customers: service delivery
• Vendors: supply of goods and services to enable the organization to meet the requirements of the customer
• Users / public: information technology related requirements on the organization, such as access rights and IT infrastructure availability
• Government: fulfilling legal and regulatory requirements
• Society and environment: natural and competitive environment, key drivers and trends having an impact on the objectives of the organization, political and financial status of the country
Communication

Communications provide the organization's statement on the information security of the business, highlighting the importance of information protection. Users shall be made aware of information security risks while exchanging information through voice, email, fax and video communication facilities.

Each communication is defined by what to communicate, when to communicate, with whom, who shall communicate, and the process by which the communication shall be effected:

• Technical matters
  – When: to seek clarification, communicate execution and discuss options of delivery
  – With whom: Customer
  – Who: Delivery Manager / Technical Lead
  – How: Email / Hard copy / Phone
• Non-technical matters: business upgrades / updates and development offers of NST
  – When: when communicating upgrades and offers
  – With whom: Customer
  – Who: Account Manager
  – How: Email / Hard copy / Phone
• Financial information such as invoices, payment reminders, proposals, upgrade offers, etc.
  – When: as and when the event takes place
  – With whom: Customer
  – Who: Accounts Manager
  – How: Email / Hard copy / Phone
• Technical matters
  – When: to get action initiated on completion of delivery
  – With whom: Accounts Manager / Business Head
  – Who: Delivery Manager / Technical Lead
  – How: Email / Hard copy / Phone
• Performance report
  – When: monthly / quarterly
  – With whom: Business Head
  – Who: Account Manager and Delivery Manager
  – How: PPT / Word / Excel by Email / Phone
• Technical matters
  – When: as and when the event takes place
  – With whom: Project Manager
  – Who: Developer / Tester
  – How: PPT / Word / Excel by Email / Phone
Statement of Applicability

Document describing the control objectives and controls that are relevant and applicable to the organization's ISMS, based on the results of the risk assessment and risk treatment processes.
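The Statement of Applicability flow described above, in the 2013 form the comparison slides explain (controls chosen during risk treatment from any source, then compared against Annex A so that every Annex A control is recorded as selected or excluded with a justification), as a runnable Python example. This is added here and is not code from the training deck or from NST: the Annex A subset uses only control numbers and titles the deck itself lists, while the treatment plan, the exclusion reasons and the organization-specific control ORG-SEC-01 are constructed for this illustration.

```python
"""Statement of Applicability (SoA) built from a risk treatment plan.

Added example, not from the training deck. The Annex A subset uses numbers and
titles the deck lists; TREATMENT_PLAN, EXCLUSIONS and ORG-SEC-01 are constructed.
"""

# Subset of Annex A (numbers and titles as on the deck's "New controls" slide)
ANNEX_A = {
    "A.14.2.1": "Secure development policy",
    "A.14.2.5": "Secure system engineering principles",
    "A.14.2.6": "Secure development environment",
    "A.14.2.8": "System security testing",
    "A.16.1.4": "Assessment of and decision on information security events",
    "A.17.2.1": "Availability of information processing facilities",
}

# Risk treatment plan: risk -> controls chosen to modify it (constructed sample).
# ORG-SEC-01 is a hypothetical control drawn from outside Annex A: input data
# validation (old A.12.2.1) is no longer an Annex A control in the 2013 edition.
TREATMENT_PLAN = {
    "R1 unauthorised change to software functionality": ["A.14.2.1", "A.14.2.8", "ORG-SEC-01"],
    "R2 loss of source code": ["A.14.2.6", "A.17.2.1"],
}

# Justifications for Annex A controls deliberately left out (constructed sample).
# A.16.1.4 is intentionally absent so the completeness check has something to flag.
EXCLUSIONS = {
    "A.14.2.5": "No in-house system engineering; development is outsourced "
                "and covered by supplier agreements",
}


def build_soa(annex_a, plan, exclusions):
    """Return (soa, outside_annex_a).

    soa maps each Annex A control to title / applicable / justification / risks.
    outside_annex_a lists selected controls that are not in Annex A; the SoA
    still records them, but Annex A cannot justify them, so their source must.
    """
    treats = {}  # control -> risks it was selected for
    for risk, controls in plan.items():
        for control in controls:
            treats.setdefault(control, []).append(risk)

    soa = {}
    for control, title in annex_a.items():
        if control in treats:
            soa[control] = {
                "title": title,
                "applicable": True,
                "justification": "Selected by risk treatment for: " + "; ".join(treats[control]),
                "risks": treats[control],
            }
        else:
            soa[control] = {
                "title": title,
                "applicable": False,
                "justification": exclusions.get(control, ""),
                "risks": [],
            }
    outside = sorted(c for c in treats if c not in annex_a)
    return soa, outside


def unjustified_exclusions(soa):
    """Annex A controls neither selected nor justified. The comparison with
    Annex A exists to catch exactly these before the SoA is signed off."""
    return sorted(c for c, row in soa.items()
                  if not row["applicable"] and not row["justification"])


def render(soa, outside):
    """Plain-text SoA table; missing justifications are marked."""
    lines = ["Control    Applicable  Justification"]
    for control, row in soa.items():
        flag = "Yes" if row["applicable"] else "No"
        lines.append(f"{control:10s} {flag:10s}  {row['justification'] or '** MISSING **'}")
    for control in outside:
        lines.append(f"{control:10s} {'Yes':10s}  Selected from outside Annex A; record its source")
    return "\n".join(lines)


if __name__ == "__main__":
    soa, outside = build_soa(ANNEX_A, TREATMENT_PLAN, EXCLUSIONS)
    print(render(soa, outside))
    print("unjustified exclusions:", unjustified_exclusions(soa))
```

The ordering matters: the plan drives the SoA, not the other way round, which is the change from the 2005 edition where Annex A was the starting point and other sources only plugged gaps. The unjustified-exclusions check is what an auditor will ask about first, since a control that is neither applied nor explained is the usual sign that the comparison against Annex A was skipped.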
Exercise

Given below are various risks that may be faced by an organization. Go through the list of clauses and map them against each risk.

Threat / Concern         Threat impact                                  Impact Rating   Probability of Happening   Probability Rating
Unauthorised access      It will/may change the functionality of s/w    High            Can happen occasionally    Medium
Loss of source code      System breakdown / competitive access          High            Occasionally               Medium
Maintenance support      Lack of customer satisfaction                  High            Frequently                 High
Training and awareness   Wrong / erroneous operation                    Medium          Frequently                 High
Generic Changes from ISO 27001:2005 standard

• Puts more emphasis on measuring and evaluating how well an organization's ISMS is
performing
• New section on Outsourcing
• Does not emphasize the Plan-Do-Check-Act cycle.
• More attention is paid to the organizational context of information security.
• Risk assessment has changed.
• Management commitment requirements have a focus on “leadership”
• Preventive action has been replaced with "actions to address risks and opportunities"
• SOA requirements are similar, with more clarity on the need to determine controls by
the risk treatment process
• Controls in Annex A have been modified to reflect changing threats, remove
duplication and have a more logical grouping.
• Stress on maintaining "documented information", rather than separate documents and records
• Greater emphasis on setting objectives, monitoring performance and metrics
Risk assessment and risk treatment

• Risk management comprises the activities that make clear what information security risks may occur, determine the risk treatment and manage the risks.
• The activities that make the risks clear are referred to as "risk assessment"; this includes identifying the risk owners.
• The actions taken for the risks identified are referred to as "risk treatment":
  • Avoiding: withdrawal from the business, etc.
  • Taking or increasing risk in order to pursue an opportunity: additional investment, etc.
  • Changing the likelihood of risks: performing preventive measures, etc.
  • Removing the risk sources: performing preventive measures, etc.
  • Changing the consequences of risks: preparing the actions to be taken for the possible situations, etc.
  • Sharing the risks with other parties: insuring the risks, etc.
  • Retaining the risks as they are: accepting the risks upon recognition
• This is the same as the "management judgment" conventionally exercised by management.
New controls

• 14.2.1 Secure development policy: rules for development of software and information systems
• 14.2.5 Secure system engineering principles: principles for system engineering
• 14.2.6 Secure development environment: establishing and protecting the development environment
• 14.2.8 System security testing: tests of security functionality
• 16.1.4 Assessment of and decision on information security events: part of incident management
• 17.2.1 Availability of information processing facilities: achieving redundancy
Conceptual changes
• Context of the organization: the environment in which the organization operates
• Issues, risks and opportunities: replaces preventive action
• Interested parties: replaces stakeholders
• Leadership: requirements specific to top management
• Communication: there are explicit requirements for both internal and external communications
• Information security objectives: now to be set at relevant functions and levels
• Risk assessment: identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks (6.1.2 d); the emphasis is now on impact and probability
• Risk owner: replaces asset owner
• Risk treatment plan: the effectiveness of the risk treatment plan is now regarded as more important than the effectiveness of individual controls
• Controls: now determined during the process of risk treatment
• Documented information: replaces documents and records
• Performance evaluation: covers the measurement of ISMS and risk treatment plan effectiveness
• Continual improvement: methodologies other than Plan-Do-Check-Act (PDCA) may be used
List of controls removed from ISO 27001:2005
• A.06.01.1 Management commitment to information security
• A.06.01.2 Information security coordination
• A.06.01.4 Authorization process for information processing facilities
• A.06.02.1 Identification of risks related to external parties
• A.06.02.2 Addressing security when dealing with customers
• A.10.02.1 Service delivery
• A.10.04.2 Controls against mobile code
• A.10.07.4 Security of system documentation
• A.10.08.5 Business information systems
• A.10.09.3 Publicly available information
• A.10.10.2 Monitoring system use
• A.10.10.4 Administrator and operator logs
• A.10.10.5 Fault logging
• A.11.04.2 User authentication for external connections
• A.11.04.3 Equipment identification in networks
• A.11.04.4 Remote diagnostic and configuration port protection
• A.11.04.6 Network connection control
• A.11.04.7 Network routing control
• A.11.05.2 User identification and authentication
• A.11.05.5 Session time-out
• A.11.05.6 Limitation of connection time
• A.11.06.2 Sensitive system isolation
• A.12.02.1 Input data validation
• A.12.02.2 Control of internal processing
• A.12.02.3 Message integrity
• A.12.02.4 Output data validation
• A.12.05.4 Information leakage
• A.14.01.1 Including information security in the business continuity management process
• A.14.01.3 Developing and implementing continuity plans including information security
• A.14.01.4 Business continuity planning framework
• A.15.01.5 Prevention of misuse of information processing facilities
• A.15.03.2 Protection of information systems audit tools

Thank you
