Certified ISO 27001 Lead Implementer Participant Manual
April 21, 2017 | Author: Arthur Ekow | Category: N/A
Information Security Training
Certified ISO/IEC 27001 Lead Implementer
Participant Handbook
ISO 27001 Lead Implementer, Classroom course, release 5.0.0
Copyright and Trademark Information for Partners/Stakeholders
ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright
Copyright © 2013 ITpreneurs. All rights reserved.
Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
Certified ISO/IEC 27001 | Lead Implementer | Participant Handbook

Follow Us
Before you start the course, please take a moment to:
- "Like us" on Facebook: http://www.facebook.com/ITpreneurs
- "Follow us" on Twitter: http://twitter.com/ITpreneurs
- "Add us in your circle" on Google Plus: http://gplus.to/ITpreneurs
- "Link with us" on LinkedIn: http://www.linkedin.com/company/ITpreneurs
- "Watch us" on YouTube: http://www.youtube.com/user/ITpreneurs

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.
Certified ISO/IEC 27001 Lead Implementer

Contents
Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 65
Day 3 ------------------------------------------------------------ 133
Day 4 ------------------------------------------------------------ 201
Appendix A: Case Study ------------------------------------------- 263
Appendix B: Exercises List --------------------------------------- 271
Appendix C: Correction Key --------------------------------------- 289
Appendix D: Release Notes ---------------------------------------- 305
Participant Feedback Form
Day 1
ISO 27001 Lead Implementer
Section 1: Certified ISO 27001 Lead Implementer Training
Course objectives and structure
a. Meet and greet
b. General points
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training
Activity: Meet and greet

General Information
- Use of a computer and access to the Internet
- Smoking area
- Use of mobile phones and recording devices
- Timetable and breaks
- Meals
- Absences
Training Objectives: Acquiring knowledge
1. Understand the components and the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001 and ISO 27002 as well as with other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS

Training Objectives: Development of competencies
1. Interpret the ISO 27001 requirements in the specific context of an organization
2. Develop the expertise to support an organization to plan, implement, manage, monitor and maintain an ISMS as specified in ISO 27001
3. Acquire the expertise to advise an organization on information security management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project
Educational Approach
Students at the center

Examination
Competency domains:
1. Fundamental principles of information security
2. Information security control best practice based on ISO 27002
3. Planning an ISMS based on ISO 27001
4. Implementing an ISMS based on ISO 27001
5. Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001
6. Continual improvement of an ISMS based on ISO 27001
7. Preparing for an ISMS certification audit
Certified ISO 27001 Lead Implementer
Prerequisites for certification:
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years professional experience
4. 300 hours activity
5. 2 years information security experience
6. Professional references

Certificate
Candidates who met all the prerequisites for certification will receive a certificate: Certified ISO 27001 Lead Implementer.
What is PECB?
Professional Evaluation and Certification Board
Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

ISO 17024: Personnel Certification Bodies
- ISO 17024 specifies the criteria for an organization that conducts certification of persons in relation to specific requirements, including developing and maintaining a certification scheme for persons
- PECB is accredited by ANSI under ISO/IEC 17024
- Most of the organizations proposing certifications of professionals are not accredited certification bodies
Certified ISO/IEC 27001 | Lead Implementer | Participant Handbook
Why becoming Certified Implementer?
Qualifying oneself to manage an ISMS project
ep rin
t
Advantages
fo r
R
Formal and independent recognition of personal competencies
13
N
ot
Certified professionals usually earn salaries higher than those of non-certified professionals
l-
Customer Service
at er ia
Comments, questions and complaints 1. Submit a complaint
Participant
2. Answer in writing
M pl e
Sa m
Training Provider
4. Final arbitration
3. Appeal PECB
14
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.
12
Questions?

Schedule for the Week
Section 2: Standard and regulatory framework
a. ISO structure
b. Fundamental ISO principles
c. Information Security Standards
d. ISO 27000 family
e. Integrated normative framework
f. Project Management Standards

What is ISO?
- ISO is a network of national standardization bodies from over 160 countries
- The final results of ISO works are published as international standards
- Over 19 000 standards have been published since 1947
Basic Principles – ISO Standards
Basic principles of ISO standards:
1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies

Eight ISO Management Principles
Management System Standards
Primary standards against which an organization can be certified:
- ISO 9001: Quality
- ISO 14001: Environment
- OHSAS 18001: Health and Safety at work
- ISO 20000: IT Service
- ISO 22000: Food Safety
- ISO 22301: Business continuity
- ISO 27001: Information security
- ISO 28000: Supply Chain Security
Integrated Management System
Common structure of ISO standards (clause numbers per standard):

Requirements                        | ISO 9001:2008 | ISO 14001:2004 | ISO 20000:2011 | ISO 22301:2012 | ISO 27001:2005
Policy of the management system     | 5.3           | 4.2            | 4.1.2          | 5.3            | 4.2.1
Objectives of the management system | 5.4.1         | 4.3.3          | 4.5.2          | 6.2            | 4.2.1
Management commitment               | 5.1           | 4.4.1          | 4.1            | 5.2            | 5
Documentation requirements          | 4.2           | 4.4            | 4.3            | 7.5            | 4.3
Internal audit                      | 8.2.2         | 4.5.5          | 4.5.4.2        | 9.2            | 6
Management review                   | 5.6           | 4.6            | 4.5.4.3        | 9.3            | 7
Continual improvement               | 8.5.1         | 4.5.3          | 4.5.5          | 10             | 8
Other Information Security Standards
Examples

History of the ISO 27001 Series
Important dates:
- 1990: Code of best practices (published by a group of companies)
- 1995: BS 7799-1, code of best practices
- 1998: BS 7799-2, ISMS certification schema
- 2000: ISO 17799, best practices code
- 2005: New version of ISO 17799; ISO 27001 publication
- 2007: ISO 27006, certification organization requirements
- 2008+: Publication of other standards of the 27000 family; revision of ISO 27001 & ISO 27002 in progress
ISO 27000 Family
- Vocabulary: ISO 27000 (Vocabulary)
- Requirements: ISO 27001 (ISMS requirements); ISO 27006 (Certification organization requirements)
- General guides: ISO 27002 (Code of practice); ISO 27003 (Implementation guide); ISO 27004 (Metrics); ISO 27005 (Risk management); ISO 27007-27008 (Audit guides); ISO 270XX (others)
- Industry guides: ISO 27011 (Telecommunications); ISO 27799 (Health)

ISO 27001
- Specifies requirements for ISMS management (Clause 4 to 8)
- Requirements (clauses) are written using the imperative verb "shall"
- Annex A: 11 clauses containing 39 control objectives and 133 controls
- Organization can obtain certification against this standard
ISO 27002
- Guide (code of practice) for information security management; a reference document
- Clauses written using the verb "should"
- Composed of 11 clauses, 39 control objectives and 133 controls
- Organization cannot obtain certification against this standard
- A.k.a. ISO 17799

ISO 27003
- Code of practice for the implementation of an ISMS
- Reference document to be used with the ISO 27001 and ISO 27002 standards
- Consisting of 9 clauses which define 28 stages to implement an ISMS
- Certification against this standard is not possible
ISO 27009+
Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of domain-specific standards:
For specific sectors related to information security:
- Telecommunication
- Health
- Finance and insurance…
For industries:
- Application security
- Cyber security
- Security incident management
- Privacy protection...

Questions?
Section 3: Information Security Management System (ISMS)
a. Definition of an ISMS
b. Process approach
c. Overview – Clauses 4 to 8
d. Annex A

Definition of ISMS (ISO 27001, clause 3.7)
The part of the overall management system, based on a risk-based approach, to establish, implement, operate, monitor, review, maintain and improve information security
Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources
Process Approach (ISO 27001, clause 0.2)
Interested parties provide information security requirements and expectations as input; the output delivered back to interested parties is managed information security. The PDCA cycle in between:
- Plan: Establish the ISMS
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and improve the ISMS

Process Approach
- The application of the process approach will vary from one organization to the next depending on its size, complexity and activities
- Organizations often identify too many processes
Process model: Input -> Activities (subject to Control) -> Output
Structure of the ISO 27001 Standard
- Clause 4.2.1 Establish the ISMS
- Clause 4.2.2 Implement and operate the ISMS
- Clause 4.2.3 Monitor and review the ISMS
- Clause 4.2.4 Maintain and improve the ISMS
- Clause 5 Management responsibility
- Clause 6 Internal ISMS audits
- Clause 7 Management review
- Clause 8 ISMS improvement
- Annex A Control objectives and controls

Establish the ISMS (ISO 27001, clauses 4.2.1 a-j)
a) Define scope and boundaries of the ISMS
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyze and evaluate the risks
f) Identify and evaluate risk treatment options
g) Select control objectives and controls
h) Approve residual risks
i) Have management approve the ISMS
j) Prepare the statement of applicability
Implementation of the ISMS (ISO 27001, clause 4.2.2)
- Risk Treatment Plan: Define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
- Implementation of controls: Implement the controls and define how to measure the effectiveness of the selected controls
- Training & Awareness: Set in place a training and awareness programme
- ISMS Management: Manage ISMS operations daily
- Incident Management: Set in place an incident management process to detect and treat incidents rapidly

ISMS Monitoring and Review (ISO 27001, clause 4.2.3)
1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS taking into account the feedback and suggestions of the stakeholders
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans
Note: Each of these actions must be documented and recorded
Documentation Requirements (ISO 27001, clause 4.3)
Clause 4.3.1: Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible
ISMS Policy and Objectives: It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives

Management Responsibility (ISO 27001, clause 5)
5.1 Management commitment: Management shall provide evidence of its commitment to the ISMS
5.2.1 Make resources available: Management shall determine and provide the necessary resources for the ISMS
5.2.2 Training, awareness & competency: Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks
ISMS Internal Audits (ISO 27001, clause 6)
- The organization shall conduct ISMS internal audits at regular intervals
- An audit programme must be planned taking into account the importance of processes and scopes to audit, as well as previous audit results

ISMS Management Review (ISO 27001, clause 7)
Management review input elements:
1. Results of ISMS audits and reviews
2. Feedback from stakeholders
3. Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4. Status of preventive and corrective actions
5. Vulnerabilities or threats that have not been adequately addressed during the previous risk assessment
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any change that can affect the ISMS
9. Recommendations for improvement
Management review output elements:
1. Improvement of the effectiveness of the ISMS
2. Update of the risk assessment and the risk treatment plan
3. Modification of information security procedures and controls
4. Resource needs
5. Improvement in the way efficiency of controls is measured
ISMS Improvement (ISO 27001, clause 8.1)
The organization shall continually improve the effectiveness of the ISMS using the information security policy, information security objectives, audit results, event analysis, corrective and preventive actions, and the management review

Security Objectives and Controls (ISO 27001, Annex A)
- ISO 27001 Annex A: list of the security objectives and controls
- ISO 27002: objectives and controls, supplementary information, recommendations for implementation
Important note: in theory, taking into account the 27002 best practices is not a requirement to obtain a 27001 certification
ISO 27002 Clauses (ISO 27001, Annex A)
A5 Security policy
A6 Organization of information security
A7 Asset management
A8 Human resources security
A9 Physical and environmental security
A10 Communications and operations management
A11 Access control
A12 Information systems acquisition, development and maintenance
A13 Information security incident management
A14 Business continuity management
A15 Compliance

Exercise 1: Reasons to adopt ISO 27001
Certified ISO/IEC 27001 | Lead Implementer | Participant Handbook
1. Improvement Imp of security 2. Good G governance 3. Conformity
R
ADVANTAGES
ep rin
t
ISO 27001 Advantages
fo r
4. C Cost reduction
47
Sa m
pl e
M
at er ia
Questions?
l-
N
ot
5. Marketing Ma
48
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.
29
Section 4: Fundamental Principles of Information Security
a. Asset and information asset
b. Information security
c. Confidentiality, integrity and availability
d. Vulnerability, threat and impact
e. Information security risk
f. Security objectives and controls
g. Classification of security controls

Asset and Information Asset (ISO 9000, clause 7.3.1; ISO 27000, clause 2.3 & 2.8)
- Information: meaningful data
- Asset: all elements having value for the organization
- Information asset: knowledge or data that has value to the organization
Document – Specification – Record (ISO 9000, clause 3.7)
- Document: information and its supporting medium
- Specification: document stating requirements
- Record: document stating results achieved or providing evidence of activities performed

Information Security (ISO 27002, clause 0.1)
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities
Information Security (ISO 27000, clause 2.19)
- Preservation of confidentiality, integrity and availability of information
- Note: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved

Information Security covers information of all kinds:
- Printed or hand written
- Recorded using technical support
- Transmitted by email or electronically
- Included in a website
- Shown on corporate videos
- Mentioned during conversations
- Etc.
Confidentiality (ISO 27000, clause 2.9)
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Integrity (ISO 27000, clause 2.25)
Property of protecting the accuracy and completeness of assets

Availability (ISO 27000, clause 2.7)
Property of being accessible and usable upon demand by an authorized entity

Vulnerability (ISO 27000, clause 2.46)
Weakness of an asset or a security control that can be exploited by a threat
Types of Vulnerabilities (ISO 27005, Annex D)
Type of vulnerability and examples:
1. Hardware: Insufficient maintenance; Portability
2. Software: No registration logs; Complicated interfaces
3. Network: Lack of encryption transfers; Single Point of Access
4. Personnel: Insufficient training; Lack of supervision
5. Site: Unstable electrical system; Site in an area susceptible to flood
6. Organization's structure: Lack of segregation of duties; No job descriptions

Threats (ISO 27000, clause 2.45)
Potential cause of an unwanted incident which may result in harm to a system or an organization
Types of Threats (ISO 27005, Annex C)
Threat type and examples:
1. Physical damage: Fire; Water damage
2. Natural disaster: Earthquake; Flooding
3. Loss of essential service: Failure of air conditioning; Power outage
4. Disruption caused by radiation: Electromagnetic radiation; Thermal radiation
5. Information compromised: Wiretaps; Theft of documents
6. Technical failure: Equipment failure; Network overload
7. Unauthorized action: Unauthorized access; Use of pirated software

Relationship: Vulnerability and Threat
Vulnerability -> Threat:
- Warehouse unprotected and without surveillance -> Theft
- Complicated data processing procedures -> Data input error by personnel
- No segregation of duties -> Fraud, unauthorized use of a system
- Unencrypted data -> Information theft
- Use of pirated software -> Lawsuit, virus
- No review of access rights -> Unauthorized access by persons who have left the organization
- No backup procedures -> Loss of information
Impact (ISO 27000, clause 2.17)
Adverse change to the level of business objectives achieved
Examples of impacts on confidentiality: Confidential information leakage; Invasion of privacy of employees; Invasion of privacy of users or customers
Examples of impacts on integrity: Accidental change; Deliberate change; Incorrect results; Incomplete results; Loss of data
Examples of impacts on availability: Performance degradation; Service interruption; Unavailability of service; Disruption of operations

Information Security Risk (ISO 27000, clause 2.24)
Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
Note: It is measured in terms of a combination of the likelihood of an event and its consequence
Risk Scenario: Example
United Kingdom: Corruption of several websites of the Conservative Party (Vital Security 01/03/2010)
The text of the corruption encourages Web site visitors to vote for the Labour Party. Messages left by the attackers include security evaluation of the site and political slogans.
- Information asset: Content of the Conservative party website
- Other asset: Server hosting the Conservative party website
- Security aspect: Integrity
- Vulnerability: Security holes in the Web server
- Threat: Hackers
- Impact: Image of the Conservative party

Control Objective and Control (ISO 27000, clause 2.10-11)
- Control objective: statement describing what is to be achieved as a result of implementing controls
- Control: methods to manage a risk; include policies, procedures, guidelines and practices or organizational structures; synonym: measure, countermeasure, security device
Types of control: technical control, managerial control, administrative control, legal control
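As an added example (not course material from ITpreneurs or PECB), the vocabulary above can be turned into a small Python risk register: each scenario links an asset, a vulnerability, a threat, an impact and a security aspect, is scored as a combination of likelihood and consequence (ISO 27000 clause 2.24), residual risks that still need management approval (clause 4.2.1 h) are listed, and each selected control is traced back to the risks and objective it serves, the chain clause 4.3 expects an implementer to demonstrate. The 1..5 rating scales, the level bands, the acceptance threshold and the control description are assumptions made for the example.

```python
"""Risk scenario and control traceability using the ISO 27000 vocabulary
this handbook defines (asset, vulnerability, threat, impact, risk, control).

Added example, not part of the ITpreneurs/PECB course material. The 1..5
rating scales, the level bands, the acceptance threshold and the control
descriptions are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Security aspects listed under ISO 27000 clause 2.19.
ASPECTS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class RiskScenario:
    """A threat exploiting a vulnerability of an asset (ISO 27000 clause 2.24)."""
    rid: str
    information_asset: str
    supporting_asset: str
    vulnerability: str
    threat: str
    impact: str
    security_aspect: str
    likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    consequence: int   # assumed scale: 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        if self.security_aspect not in ASPECTS:
            raise ValueError(f"unknown security aspect: {self.security_aspect}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError("likelihood and consequence must be within 1..5")

    def score(self) -> int:
        """Risk as a combination of likelihood and consequence (here: product)."""
        return self.likelihood * self.consequence


def risk_level(score: int) -> str:
    """Map a 1..25 score onto a qualitative level (assumed bands)."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


@dataclass(frozen=True)
class Control:
    """A selected control: Annex A clause, what it does, the risks it treats."""
    annex_clause: str   # e.g. "A.12" (clause names as listed in the handbook)
    description: str
    treats: tuple       # rids of the scenarios this control addresses
    objective: str      # ISMS objective the control traces back to


def untreated_risks(scenarios, controls, acceptance_threshold: int) -> list:
    """Scenarios above the acceptance threshold that no control treats: the
    residual risks management must approve (ISO 27001 clause 4.2.1 h)."""
    treated = {rid for c in controls for rid in c.treats}
    return [s.rid for s in scenarios
            if s.score() > acceptance_threshold and s.rid not in treated]


def traceability(scenarios, controls) -> dict:
    """Control -> treated risks (with level) -> objective: the chain that
    ISO 27001 clause 4.3 expects an implementer to be able to demonstrate."""
    by_id = {s.rid: s for s in scenarios}
    return {c.annex_clause: {"objective": c.objective,
                             "risks": [(rid, risk_level(by_id[rid].score()))
                                       for rid in c.treats]}
            for c in controls}


# Constructed sample data, modelled on the handbook's website defacement case.
SCENARIOS = (
    RiskScenario("R1", "Content of the party website", "Web server",
                 "Security holes in the web server", "Hackers",
                 "Damage to the organization's image", "integrity", 4, 4),
    RiskScenario("R2", "Customer records", "File server",
                 "No backup procedures", "Loss of information",
                 "Unavailability of service", "availability", 2, 3),
)
CONTROLS = (
    Control("A.12", "Patch management for the web server", ("R1",),
            "Maintain the integrity of published information"),
)
```

With the sample data, `untreated_risks(SCENARIOS, CONTROLS, 5)` returns `["R2"]` (score 6, no control selected), and `traceability(SCENARIOS, CONTROLS)` shows A.12 treating R1 at level "high".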