Certified ISO 27001 Lead Implementer Participant Manual

April 21, 2017 | Author: Arthur Ekow | Category: N/A
Information Security Training

Certified ISO/IEC 27001 Lead Implementer

Participant Handbook

ISO 27001 Lead Implementer, Classroom course, release 5.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.

Certified ISO/IEC 27001 | Lead Implementer | Participant Handbook

Follow Us

Before you start the course, please take a moment to:

- "Like us" on Facebook: http://www.facebook.com/ITpreneurs
- "Follow us" on Twitter: http://twitter.com/ITpreneurs
- "Add us in your circle" on Google Plus: http://gplus.to/ITpreneurs
- "Link with us" on LinkedIn: http://www.linkedin.com/company/ITpreneurs
- "Watch us" on YouTube: http://www.youtube.com/user/ITpreneurs

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.


Certified ISO/IEC 27001 Lead Implementer

Contents

Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 65
Day 3 ------------------------------------------------------------ 133
Day 4 ------------------------------------------------------------ 201
Appendix A: Case Study -------------------------------------------- 263
Appendix B: Exercises List ---------------------------------------- 271
Appendix C: Correction Key ---------------------------------------- 289
Appendix D: Release Notes ----------------------------------------- 305
Participant Feedback Form

Day 1

ISO 27001 Lead Implementer

Section 1

Certified ISO 27001 Lead Implementer Training: Course objectives and structure

a. Meet and greet
b. General points
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training

Activity: Meet and greet

General Information

- Use of a computer and access to the Internet
- Smoking area
- Use of mobile phones and recording devices
- Timetable and breaks
- Meals
- Absences

Training Objectives

Acquiring knowledge

1. Understand the components and the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001 and ISO 27002 as well as with other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS

Training Objectives

Development of competencies

1. Develop the expertise to support an organization to plan, implement, manage, monitor and maintain an ISMS as specified in ISO 27001
2. Interpret the ISO 27001 requirements in the specific context of an organization
3. Acquire the expertise to advise an organization on information security management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project

Educational Approach

Students at the center

Examination

Competency domains

1. Fundamental principles of information security
2. Information security control best practice based on ISO 27002
3. Planning an ISMS based on ISO 27001
4. Implementing an ISMS based on ISO 27001
5. Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001
6. Continual improvement of an ISMS based on ISO 27001
7. Preparing for an ISMS certification audit

Certified ISO 27001 Lead Implementer

Prerequisites for certification

- Pass the exam
- Adhere to the PECB Code of Ethics
- 5 years professional experience
- 300 hours activity
- 2 years information security experience
- Professional references

Certificate

Candidates who have met all the prerequisites for certification will receive a certificate: Certified ISO 27001 Lead Implementer

What is PECB?

Professional Evaluation and Certification Board

Main services:

1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

ISO 17024

Personnel Certification Bodies

- ISO 17024 specifies the criteria for an organization that conducts certification of persons in relation to specific requirements, including developing and maintaining a certification scheme for persons
- PECB is accredited by ANSI under ISO/IEC 17024
- Most of the organizations proposing certifications of professionals are not accredited certification bodies

Why become a Certified Implementer?

Advantages

- Qualifying oneself to manage an ISMS project
- Formal and independent recognition of personal competencies
- Certified professionals usually earn salaries higher than those of non-certified professionals

Customer Service

Comments, questions and complaints

1. Submit a complaint (Participant to Training Provider)
2. Answer in writing (Training Provider)
3. Appeal (to PECB)
4. Final arbitration (PECB)

Questions?

Schedule for the Week

Section 2

Certified ISO 27001 Lead Implementer Training: Standard and regulatory framework

a. ISO structure
b. Fundamental ISO principles
c. Information Security Standards
d. ISO 27000 family
e. Integrated normative framework
f. Project Management Standards

What is ISO?

- ISO is a network of national standardization bodies from over 160 countries
- The final results of ISO works are published as international standards
- Over 19 000 standards have been published since 1947

Basic Principles – ISO Standards

Basic principles of ISO standards

1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies

Eight ISO Management Principles

Management System Standards

Primary standards against which an organization can be certified

- ISO 9001: Quality
- ISO 14001: Environment
- OHSAS 18001: Health and Safety at work
- ISO 20000: IT Service
- ISO 22301: Business continuity
- ISO 27001: Information security
- ISO 28000: Supply Chain Security
- ISO 22000: Food Safety

Integrated Management System

Common structure of ISO standards

Requirements                        | ISO 9001:2008 | ISO 14001:2004 | ISO 20000:2011 | ISO 22301:2012 | ISO 27001:2005
Policy of the management system     | 5.3           | 4.2            | 4.1.2          | 5.3            | 4.2.1
Objectives of the management system | 5.4.1         | 4.3.3          | 4.5.2          | 6.2            | 4.2.1
Management commitment               | 5.1           | 4.4.1          | 4.1            | 5.2            | 5
Documentation requirements          | 4.2           | 4.4            | 4.3            | 7.5            | 4.3
Internal audit                      | 8.2.2         | 4.5.5          | 4.5.4.2        | 9.2            | 6
Continual improvement               | 8.5.1         | 4.5.3          | 4.5.5          | 10             | 8
Management review                   | 5.6           | 4.6            | 4.5.4.3        | 9.3            | 7

Other Information Security Standards

Examples

History of the ISO 27001 Series

Important dates

- 1990: Code of best practices (published by a group of companies)
- 1995: BS7799-1, Code of best practices
- 1998: BS7799-2, ISMS certification schema
- 2000: ISO 17799, Best practices code
- 2005: ISO 27001 publication; new version of ISO 17799
- 2007: ISO 27006, Certification organization requirements
- 2008+: Publication of other standards of the 27000 family; revision to ISO 27001 & ISO 27002 in progress

ISO 27000 Family

Vocabulary
- ISO 27000: Vocabulary

Requirements
- ISO 27001: ISMS requirements
- ISO 27006: Certification organization requirements

General guides
- ISO 27002: Code of practice
- ISO 27003: Implementation guide
- ISO 27004: Metrics
- ISO 27005: Risk management
- ISO 27007-27008: Audit guides
- ISO 270XX: others

Industry guides
- ISO 27799: Health
- ISO 27011: Telecommunications

ISO 27001

- Specifies requirements for ISMS management (Clause 4 to 8)
- Requirements (clauses) are written using the imperative verb "shall"
- Annex A: 11 clauses containing 39 control objectives and 133 controls
- Organization can obtain certification against this standard

ISO 27002

- Guide for code of practice for information security management (Reference document)
- Clauses written using the verb "should"
- Composed of 11 clauses, 39 control objectives and 133 controls
- Organization cannot obtain certification against this standard
- A.k.a. ISO 17799

ISO 27003

- Code of practice for the implementation of an ISMS
- Reference document to be used with the ISO 27001 and ISO 27002 standards
- Consisting of 9 clauses which define 28 stages to implement an ISMS
- Certification against this standard is not possible

ISO 27009+

Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of domain-specific standards:

For industries:
– Application security
– Cyber security
– Security incident management
– Privacy protection...

For specific sectors related to information security:
– Telecommunication
– Health
– Finance and insurance…

Questions?

Section 3

Certified ISO 27001 Lead Implementer Training: Information Security Management System (ISMS)

a. Definition of an ISMS
b. Process approach
c. Overview – Clauses 4 to 8
d. Annex A

Definition of ISMS

ISO 27001, clause 3.7

The part of the overall management system, based on a risk-based approach, to establish, implement, operate, monitor, review, maintain and improve information security

Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources

Process Approach

ISO 27001, clause 0.2

Plan-Do-Check-Act cycle applied to the ISMS:

- Interested Parties (input): Information security requirements and expectations
- Plan: Establish the ISMS
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and improve the ISMS
- Interested Parties (output): Managed information security

Process Approach

- The application of the process approach will vary from one organization to the next depending on its size, complexity and activities
- Organizations often identify too many processes

Process model: Input, Activities, Output, under Control

Structure of the ISO 27001 Standard

- Clause 4.2.1: Establish the ISMS
- Clause 4.2.2: Implement and operate the ISMS
- Clause 4.2.3: Monitor and review the ISMS
- Clause 4.2.4: Maintain and improve the ISMS
- Clause 5: Management responsibility
- Clause 6: Internal ISMS audits
- Clause 7: Management review
- Clause 8: ISMS improvement
- Annex A: Control objectives and controls

Establish the ISMS

ISO 27001, clauses 4.2.1 a-j

a) Define scope and boundaries of the ISMS
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyze and evaluate the risks
f) Identify and evaluate risk treatment options
g) Select control objectives and controls
h) Approve residual risks
i) Have management approve the ISMS
j) Prepare the statement of applicability

Implementation of the ISMS

ISO 27001, clause 4.2.2

- Risk Treatment Plan: Define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
- Implementation of controls: Implement the controls and define how to measure the effectiveness of the selected controls
- Training & Awareness: Set in place a training and awareness programme
- ISMS Management: Manage ISMS operations daily
- Incident Management: Set in place an incident management process to detect and treat incidents rapidly

ISMS Monitoring and Review

ISO 27001, clause 4.2.3

1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS taking into account the feedback and suggestions of the stakeholders
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans

Note: Each of these actions must be documented and recorded

Documentation Requirements

ISO 27001, clause 4.3 (4.3.1)

- Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible
- It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives

Management Responsibility

ISO 27001, clause 5

5.1 Management commitment
- Management shall provide evidence of its commitment to the ISMS

5.2.1 Make resources available
- Management shall determine and provide the necessary resources for the ISMS

5.2.2 Training, awareness & competency
- Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks

ISMS Internal Audits

ISO 27001, clause 6

- The organization shall conduct ISMS internal audits at regular intervals
- An audit programme must be planned taking into account the importance of processes and scopes to audit, as well as previous audit results

ISMS Management Review

ISO 27001, clause 7

Management review input elements
1. Results of ISMS audits and reviews
2. Feedback from stakeholders
3. Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4. Status of preventive and corrective actions
5. Vulnerabilities or threats that have not been adequately addressed during the previous risk assessment
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any change that can affect the ISMS
9. Recommendations for improvement

Management review output elements
1. Improvement of the effectiveness of the ISMS
2. Update of the risk assessment and the risk treatment plan
3. Modification of information security procedures and controls
4. Resource needs
5. Improvement in the way the efficiency of controls is measured

ISMS Improvement

ISO 27001, clause 8.1

The organization shall continually improve the effectiveness of the ISMS using the information security policy, information security objectives, audit results, event analysis, corrective and preventive actions, and the management review

Security Objectives and Controls

ISO 27001, Annex A

- ISO 27001 Annex A: List of the security objectives and controls
- ISO 27002: Objectives and controls, supplementary information, and recommendations for implementation

Important note: in theory, taking into account the 27002 best practices is not a requirement to obtain a 27001 certification

ISO 27002 Clauses

ISO 27001, Annex A

- A5: Security policy
- A6: Organization of information security
- A7: Asset management
- A8: Human resources security
- A9: Physical and environmental security
- A10: Communications and operations management
- A11: Access control
- A12: Information systems acquisition, development and maintenance
- A13: Information security incident management
- A14: Business continuity management
- A15: Compliance

Exercise 1

Reasons to adopt ISO 27001

ISO 27001 Advantages

1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing

Questions?

Section 4

Certified ISO 27001 Lead Implementer Training: Fundamental Principles of Information Security

a. Asset and information asset
b. Information security
c. Confidentiality, integrity and availability
d. Vulnerability, threat and impact
e. Information security risk
f. Security objectives and controls
g. Classification of security controls

Asset and Information Asset

ISO 9000, clause 7.3.1; ISO 27000, clause 2.3 & 2.8

- Information: meaningful data
- Asset: All elements having value for the organization
- Information asset: Knowledge or data that has value to the organization

Document – Specification – Record

ISO 9000, clause 3.7

- Document: Information and its supporting medium
- Specification: Document stating requirements
- Record: Document stating results achieved or providing evidence of activities performed

Information Security

ISO 27002, clause 0.1

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities

Information Security

ISO 27000, clause 2.19

- Preservation of confidentiality, integrity and availability of information
- Note: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved

Information Security

Covers information of all kinds:
- Printed or handwritten
- Recorded using technical support
- Transmitted by email or electronically
- Included in a website
- Shown on corporate videos
- Mentioned during conversations
- Etc.

Confidentiality

ISO 27000, clause 2.9

Property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Integrity

ISO 27000, clause 2.25

Property of protecting the accuracy and completeness of assets

Availability

ISO 27000, clause 2.7

Property of being accessible and usable upon demand by an authorized entity

Vulnerability

ISO 27000, clause 2.46

Weakness of an asset or a security control that can be exploited by a threat

Types of Vulnerabilities

ISO 27005, Annex D

Type of vulnerability      | Examples
1 Hardware                 | Insufficient maintenance; Portability
2 Software                 | No registration logs; Complicated interfaces
3 Network                  | Lack of encryption transfers; Single Point of Access
4 Personnel                | Insufficient training; Lack of supervision
5 Site                     | Unstable electrical system; Site in an area susceptible to flood
6 Organization's structure | Lack of segregation of duties; No job descriptions

Threats

ISO 27000, clause 2.45

Potential cause of an unwanted incident which may result in harm to a system or an organization

Types of Threats

ISO 27005, Annex C

Threat type                      | Examples
1 Physical damage                | Fire; Water damage
2 Natural disaster               | Earthquake; Flooding
3 Loss of essential service      | Failure of air conditioning; Power outage
4 Disruption caused by radiation | Electromagnetic radiation; Thermal radiation
5 Information compromised        | Wiretaps; Theft of documents
6 Technical failure              | Equipment failure; Network overload
7 Unauthorized action            | Unauthorized access; Use of pirated software

Relationship: Vulnerability and Threat

Vulnerabilities                                | Threats
Warehouse unprotected and without surveillance | Theft
Complicated data processing procedures         | Data input error by personnel
No segregation of duties                       | Fraud, unauthorized use of a system
Unencrypted data                               | Information theft
Use of pirated software                        | Lawsuit, virus
No review of access rights                     | Unauthorized access by persons who have left the organization
No backup procedures                           | Loss of information

Impact

ISO 27000, clause 2.17

Adverse change to the level of business objectives achieved

Examples of impacts on confidentiality
- Invasion of privacy of employees
- Invasion of privacy of users or customers
- Confidential information leakage

Examples of impacts on integrity
- Accidental change
- Deliberate change
- Incorrect results
- Incomplete results
- Loss of data

Examples of impacts on availability
- Performance degradation
- Service interruption
- Unavailability of service
- Disruption of operations

Information Security Risk

ISO 27000, clause 2.24

Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization

Note: It is measured in terms of a combination of the likelihood of an event and its consequence

Risk Scenario

Example: United Kingdom: Corruption of several websites of the Conservative Party (Vital Security 01/03/2010)

The text of the corruption encourages Web site visitors to vote for the Labour Party. Messages left by the attackers include security evaluation of the site and political slogans.

- Information asset: Content of the Conservative party website
- Other asset: Server hosting the Conservative party website
- Security aspect: Integrity
- Vulnerability: Security holes in the Web server
- Threat: Hackers
- Impact: Image of the Conservative party

Control Objective and Control

ISO 27000, clause 2.10-11

Control Objective
- Statement describing what is to be achieved as a result of implementing controls

Control
- Methods to manage a risk
- Include policies, procedures, guidelines and practices or organizational structures
- Synonym: measure, countermeasure, security device

Types of control: Technical control; Managerial control; Administrative control; Legal control
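As an added example (not from the handbook or PECB), the risk scenario above is recorded with the handbook's fields, rated as likelihood combined with consequence (ISO 27000, clause 2.24), and then checked for the clause 4.3 traceability chain from selected controls back to assessed risks and ISMS objectives; the rating scales, thresholds, control ids and objective ids are constructed assumptions, not values from the standard.

```python
"""Risk scenario rating and clause 4.3 traceability check (added example).

Models the handbook's risk vocabulary (information asset, other asset, security
aspect, threat, vulnerability, impact), rates risk as likelihood x consequence,
and verifies that every control in the Statement of Applicability traces back
to an assessed risk and every risk to a declared ISMS objective.
Scales, thresholds, control ids and objective ids are constructed.
"""
from dataclasses import dataclass, field

# Constructed five-step ordinal scales; clause 4.2.1 c) leaves the scale to the organization.
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class RiskScenario:
    risk_id: str
    information_asset: str
    other_asset: str
    security_aspect: str          # confidentiality, integrity or availability
    threat: str
    vulnerability: str
    impact: str
    likelihood: str               # key of LEVELS
    consequence: str              # key of LEVELS
    objective_id: str             # ISMS objective this risk endangers
    selected_controls: list = field(default_factory=list)
    accepted: bool = False        # residual risk knowingly accepted (clause 4.2.1 h)

    def level(self) -> int:
        """Risk level as the product of likelihood and consequence (1..25)."""
        return LEVELS[self.likelihood] * LEVELS[self.consequence]


def risk_rating(level: int) -> str:
    """Band the 1..25 product into low/medium/high; the 6 and 15 cut-offs are constructed."""
    if level >= 15:
        return "high"
    if level >= 6:
        return "medium"
    return "low"


def check_traceability(scenarios, statement_of_applicability, objectives):
    """Return findings that break the chain SoA control -> assessed risk -> ISMS objective,
    plus any non-low risk that has neither selected controls nor an acceptance decision."""
    findings = []
    justified = {c for s in scenarios for c in s.selected_controls}
    for control in sorted(statement_of_applicability):
        if control not in justified:
            findings.append(f"{control}: in the SoA but not linked to any assessed risk")
    for s in scenarios:
        for control in s.selected_controls:
            if control not in statement_of_applicability:
                findings.append(f"{s.risk_id}: control {control} is missing from the SoA")
        if s.objective_id not in objectives:
            findings.append(f"{s.risk_id}: objective {s.objective_id} is not a declared ISMS objective")
        if risk_rating(s.level()) != "low" and not s.selected_controls and not s.accepted:
            findings.append(f"{s.risk_id}: {risk_rating(s.level())} risk with no treatment decision")
    return findings


# Constructed register. R-01 is the handbook's 2010 Conservative Party website scenario;
# R-02 uses the handbook's 'no backup procedures -> loss of information' pairing.
REGISTER = [
    RiskScenario("R-01", "Content of the Conservative party website",
                 "Server hosting the Conservative party website", "integrity",
                 "Hackers", "Security holes in the Web server",
                 "Image of the Conservative party", likelihood="high",
                 consequence="high", objective_id="OBJ-02",
                 selected_controls=["CTL-PATCH", "CTL-WEB-HARDEN"]),
    RiskScenario("R-02", "Customer records", "File server", "availability",
                 "Equipment failure", "No backup procedures", "Loss of information",
                 likelihood="medium", consequence="very high", objective_id="OBJ-09"),
]
SOA = {"CTL-PATCH", "CTL-WEB-HARDEN", "CTL-CLEAN-DESK"}   # constructed control ids
OBJECTIVES = {"OBJ-01", "OBJ-02"}                            # constructed objective ids


def evaluate(register=REGISTER, soa=SOA, objectives=OBJECTIVES):
    """Rate every scenario and run the traceability check over the register."""
    ratings = {s.risk_id: (s.level(), risk_rating(s.level())) for s in register}
    return ratings, check_traceability(register, soa, objectives)


if __name__ == "__main__":
    ratings, findings = evaluate()
    for rid, (lvl, band) in ratings.items():
        print(f"{rid}: level {lvl} ({band})")
    for f in findings:
        print("FINDING:", f)
```

The three findings on the constructed register are exactly the gaps clause 4.3 asks an implementer to be able to explain: an SoA control with no risk behind it, a risk tied to an undeclared objective, and a high risk with no treatment decision.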
