ISO 27001 Practical Guide

December 14, 2022 | Author: Anonymous | Category: N/A

ISO/IEC 27001 implementation – challenges and practical solutions

October 2015

 

About Presenter

Intars Garbovskis, Information Security Lead, Accenture Latvia

Intars is leading the Accenture Latvia Security Practice and acting as the Information Security Lead for delivery centers in Latvia, Mauritius, Morocco, France, the Netherlands. He is a Certified Information Systems Auditor and ISO 27001 Lead Auditor with more than 10 years of professional IT consulting, project management, information systems' auditing and ISMS implementation experience. Specialties: ISO 27001 implementation, IT Governance and project management, IS Auditing, Business Analysis, ISO/IEC 20000, ITIL, CobIT, Business Continuity/Disaster Recovery.

Copyright © 2015 Accenture All rights reserved.

 

Agenda

• ISO/IEC 27001:2013: Information Security Management System
• Key challenges
• Effective solutions and tactics
• Why ISO/IEC 27001:2013?


 

ISO/IEC 27001:2013: Information Security Management System

The standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The main objective of an ISMS is to preserve the confidentiality, integrity and availability of information. Applicable to all organizations, regardless of type, size or nature.

Structure of the standard:
• 7 mandatory clauses.
• 114 controls spread across 14 domains and 35 control objectives.


 

Key challenges

• Top management commitment and support


• Raise awareness and build security culture
• Systematically follow implemented ISMS processes
• Ensure continual improvement of ISMS


Effective solutions and tactics (1)

• Formally assigned responsibilities and authority
• Provided the needed resources (with required competences!)
• Continual and natural management example (role model)
• Management approved ISMS implementation and maintenance plan
• Communication: clearly defined ISMS scope, objectives and benefits to ALL interested parties


Effective solutions and tactics (2)

Effective security awareness programs*
• Set a clear goal, define metrics and measure the progress
• Involve the right audience
• Choose the relevant topics and most effective communication channels
• Plan for long-term culture

Living ISMS maintenance and improvement plan
• Assign an owner of the ISMS maintenance and improvement plan
• Regular reporting to the top management (use a simple dashboard)
• Ensure regular follow-ups with the interested parties to ensure implemented ISMS processes are followed, identified risks are closed, new risks are identified

Evaluation of ISMS effectiveness
• Define performance evaluation metrics that will be monitored
• Define when and who will analyse the metrics
• Use the measurement results to evaluate effectiveness and make decisions for continual ISMS improvement

* Source: https://securitycultureframework.net


Why ISO/IEC 27001:2013?

Benefits:

Holistic, structured and risk-based IS management approach -> Improved IS across the whole organisation.

Demonstrates credibility and trust. Provides customers and stakeholders with confidence that IS is adequately managed.

Competitive advantage in the market.

Increased awareness of interested parties. Improved security culture within the organisation.

Cost savings through reduction in security incidents.


IT Governance research, ISO 27001 Global Report 2015: Drivers (based on survey findings)

96% feel ISO 27001 plays an important role in improving cyber security defence.

70% reveal improving information security as the biggest driver for implementing ISO 27001.

Implementing an ISMS allows an organisation to define and monitor risk levels internally, thus driving management decisions to balance expenditure against potential business harm. Improving IS across the whole organisation is the single most important benefit. Others include: meeting industry requirements to comply with best practice, and gaining a competitive advantage.

66% were asked by their clients about their ISO 27001 status in the past 12 months.

Respondents reveal that ISO 27001 is a regular requirement for contracts and tendering for new business.

23% have full time ISMS Managers employed at their company.

This activity is generally delegated to various other roles within the organisation (e.g. IT Managers). 44% admit that the person managing their ISMS does not have formal ISO 27001 qualifications.

Source: ISO 27001 Global Report 2015 by IT Governance


IT Governance research, ISO 27001 Global Report 2015: Challenges (based on survey findings)

45% state “obtaining employee buy-in and raising staff awareness” is one of the biggest challenges in implementing ISO 27001.

40% seek external help for certification.

20% find it a challenge “convincing the board that information security is a critical business issue”.

Engaging staff with the right level of competence and expertise is fundamental to the success and the long-term effectiveness of an ISMS. Increasing IS awareness among non-technical staff is essential – employees are the weakest link. The absence of full time staff and formal training for ISMS management may contribute to this result. Large organisations with dedicated ISMS staff still benefit from external help and advice as implementation can be more complex.

Reasons behind this challenge include securing sufficient budget allowance, gaining permission to employ sufficient resources and having Leadership agree to complete certification.

Source: ISO 27001 Global Report 2015 by IT Governance


Thank you!


Accenture Security Services
