Whitepaper - ISO-27001
WHITEPAPER
ISO 27001
INFORMATION TECHNOLOGY – SECURITY TECHNIQUES
INFORMATION SECURITY – MANAGEMENT SYSTEMS - REQUIREMENTS
www.pecb.com
CONTENT
Introduction
An overview of ISO 27001:2013
Key clauses of ISO 27001:2013
Context of the Organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance Evaluation
Clause 10: Improvement
Integration with other Management Systems
Information Security Management - The Business Benefits
Implementation of a SCSMS with IMS2 Methodology
Certification of Organizations
Training and Certifications of Professionals
Choosing the Right Certification
PRINCIPAL AUTHORS
Eric LACHAPELLE, PECB
Mustafe BISLIMI, PECB
Organizations of any size and type, regardless of whether they are involved directly or indirectly in information
technology, should engage in a preventive, protective, preparatory, and mitigation process. It is not sufficient
to simply draft a response plan that anticipates and minimizes the consequences of information security
incidents; organizations also need to take adaptive and proactive measures in order to reduce the probability
of such an event.
Information security, as specified in ISO 27001, is critical in adding value to the current quality systems of any
organization: it identifies and manages the threats and vulnerabilities of prioritized information assets and
further increases trust by involving interested parties. It also allows independent audits or
reviews to be conducted in relation to those processes.
ISO/IEC 27001:2013 was developed with the intent to help organizations improve their information security
and minimize the risk of business disruptions. This standard crowns earlier partial attempts by other
standards that contributed to Information Security Management, such as BS 7799, COBIT, ITIL,
PCI DSS, SOX, COSO, HIPAA, FISMA, and FIPS.
10% of organizations that suffered a breach in the last year were so badly damaged by the attack that
they had to change the nature of their business.
ISO/IEC 27001:2013 is intended to bring information security under a formally specified management
control. It has more than one hundred specific requirements.
The requirements set in ISO 27001 are generic, flexible and useful to all types of organizations. Thus, this
ISO Standard, being a Management System, can be aligned with other Management Systems such as
Quality Management, Business Continuity Management and other management systems due to their
similar structure.
To establish an ISMS, the organization needs to define the ISMS, which includes the following steps:
CLAUSE 5: LEADERSHIP
LEADERSHIP AND COMMITMENT: Top management shall demonstrate leadership and commitment with
respect to the information security management system by:
• Ensuring the information security policy and the information security objectives are established and are
compatible with the strategic direction of the organization;
• Ensuring the integration of the information security management system requirements into the
organization’s processes;
• Ensuring that the resources needed for the information security management system are available;
• Communicating the importance of effective information security management and of conforming to
the information security management system requirements;
• Ensuring that the information security management system achieves its intended outcome(s);
• Directing and supporting persons to contribute to the effectiveness of the information security
management system;
• Promoting continual improvement; and
• Supporting other relevant management roles to demonstrate their leadership as it applies to their areas
of responsibility.
CLAUSE 6: PLANNING
When planning for the information security management system, the organization shall consider the issues
and the requirements referred to in the standard and determine the risks and opportunities that need to be
addressed to:
• Ensure the information security management system can achieve its intended outcome(s);
• Prevent, or reduce, undesired effects; and
• Achieve continual improvement.
The organization shall plan:
• Actions to address these risks and opportunities; and
• How to:
  • Integrate and implement the actions into its information security management system
    processes;
  • Evaluate the effectiveness of these actions.
CLAUSE 7: SUPPORT
The support requirements of the standard cover:
• Competence,
• Awareness,
• Communication, and
• Documented information.
CLAUSE 8: OPERATION
The organization shall plan, implement and control the processes needed to meet information security
requirements, and to implement the actions determined in the standard. The organization shall perform
information security risk assessments at planned intervals, and shall also implement the information
security risk treatment plan.
CLAUSE 10: IMPROVEMENT
When a nonconformity occurs, the organization shall react to it, which includes:
• Identifying
• Evaluating the need for actions to ensure that the nonconformities are not repeated.
The organization shall continually improve the suitability, adequacy and effectiveness of the information
security management system.
LINK BETWEEN ISO 27001 AND OTHER INFORMATION SECURITY STANDARDS AND GUIDELINES
The ISO 27001 International Standard is useful as part of the certification process against ISO 22301
(Business Continuity). The ISO 27001 objectives in clause A.14 (Business Continuity Management) can be
used to comply with ISO 22301.
• To implement and execute a risk assessment, an organization could refer to ISO/IEC 27005:2011, or in a
broader context to ISO 31000:2009 – Risk management – Principles and guidelines.
• To execute the assessment itself, an organization could refer to ISO 31010:2009 – Risk management –
Risk assessment techniques.
The general requirements are ordinarily identified in every management system. These requirements assist in:
• determining and applying objectives according to the organization’s habits and needs;
• upholding the objectives, based on strong management commitment, by monitoring and reviewing;
• documenting pertinent management system processes;
• performing regular ‘health-checks’ via internal or external audits; and
• gaining benefits through continual improvement, as achieved by a regular management review.
In addition, the table below presents the general requirements of several standards, which also serves as
a comparison tool between the ISMS and other management systems. This will allow the organization to
envision “combined audits” in order to achieve its compliance goals with adequate effort and budget.
The diagram below shows how the contents of a few important standards are related:
[Diagram: relationship between the contents of ISO/IEC 20000 and other management system standards. Elements shown: Development; Internal audit; Management Report; Corrective/preventive actions; Document management; Process approach; Incident Management; Organization: roles and responsibilities; Supplier Management; Change Management; Customer satisfaction; Availability; Quality (of services); Continuity; Security; Capacity.]
Today, effective information security management is not about being forced into taking action to address
external pressures; its importance lies in recognizing the positive value of information security when
good practice is embedded throughout your organization.
The adoption of an effective information security management process within an organization will have
benefits in a number of areas, examples of which include:
• Cost reduction;
• Respect of the interested parties;
• Protection of the reputation and brand;
• Confidence of clients.
Most companies now realize that it is not sufficient to implement a generic, “one size fits all” security plan.
For an effective response with respect to maintaining the information security system, such a plan must
be customized to fit the company. A more difficult task is the compilation of an implementation plan that
balances the requirements of the standard, the business needs and the certification deadline.
There is no single blueprint for implementing ISO 27001 that will work for every company, but there are
some common steps that will allow you to balance the frequently conflicting requirements and prepare you
for a successful certification audit.
PECB has developed a methodology (please see example below) for implementing a management system;
the “Integrated Implementation Methodology for Management Systems and Standards (IMS2)”, and it is
based on applicable best practices. This methodology is based on the guidelines of ISO standards and also
meets the requirements of ISO 27001.
1. Plan
1.1 Initiating the SMS
1.2 Understanding the organization
1.3 Analyze the existing System
2. Do
2.1 Organizational strategy
2.2 Document Management
2.3 Design of Controls and Procedures
3. Check
3.1 Monitoring, Measurement, Analysis and Evaluation
3.2 Internal Audit
3.3 Management Review
4. Act
4.1 Treatment of Non-conformities
4.2 Continuous Improvement
IMS2 is based on the PDCA cycle which is divided into four phases: Plan, Do, Check and Act. Each phase
has between 2 and 8 steps for a total of 21 steps. In turn, these steps are divided into 101 activities and
tasks. This ‘Practical Guide’ considers the key phases of the implementation project from the starting point
to the finishing point and suggests the appropriate ‘best practice’ for each one, while directing you to further
helpful resources as you embark on your ISO 27001 journey.
[Figure: the IMS2 PDCA cycle – Plan, Do, Check, Act.]
The sequence of steps can be changed (inversion, merge). For example, the implementation of the
management procedure for documented information can be completed before the understanding of the
organization. Many processes are iterative because of the need for progressive development throughout
the implementation project; for example, communication and training.
By following a structured and effective methodology, an organization can be sure it covers all minimum
requirements for the implementation of a management system. Whatever methodology is used, the
organization must adapt it to its particular context (requirements, size of the organization, scope, objectives,
etc.) and not apply it like a cookbook.
The common processes for an organization that wishes to be certified against ISO 28000 are the following:
1. Implementation of the management system: Before being audited, a management system must be in
operation for some time. Usually, the minimum time required by the certification bodies is 3 months.
2. Internal audit and review by top management: Before a management system can be certified, it must
have had at least one internal audit report and one management review.
3. Selection of the certification body (registrar): Each organization can select the certification body
(registrar) of its choice.
4. Pre-assessment audit (optional): An organization can choose to perform a pre-audit to identify any
possible gap between its current management system and the requirements of the standard.
5. Stage 1 audit: A conformity review of the design of the management system. The main objective is
to verify that the management system is designed to meet the requirements of the standard(s) and the
objectives of the organization. It is recommended that at least some portion of the Stage 1 audit should be
performed on-site at the organization’s premises.
6. Stage 2 audit (On-site visit): The Stage 2 audit objective is to evaluate whether the declared management
system conforms to all requirements of the standard, is actually being implemented in the organization,
and can support the organization in achieving its objectives. Stage 2 takes place at the organization’s
site(s) where the management system is implemented.
7. Follow-up audit (optional): If the auditee has non-conformities that require additional audit before
being certified, the auditor will perform a follow-up visit to validate only the action plans linked to the non-
conformities (usually one day).
8. Confirmation of registration: If the organization is compliant with the conditions of the standard, the
Registrar confirms the registration and publishes the certificate.
TRAINING AND CERTIFICATIONS OF PROFESSIONALS
Professional certification serves to demonstrate that a certified professional holds defined competencies based on best practices.
It also allows organizations to make intelligent choices in employee selection or services based on the
competencies that are represented by the certification designation. Finally, it provides incentives for the
professional to constantly improve his/her skills and knowledge, and serves as a tool for employers to
ensure that training and awareness have been effective.
PECB training courses are offered globally through a network of authorized training providers. They are
available in several languages and include introduction, foundation, implementer and auditor courses.
The table below gives a short description of PECB’s official training courses for information security
management systems based on ISO 27001.
Although a specified set of courses or curriculum of study is not required as part of the certification process,
the completion of a recognized PECB course or program of study will significantly enhance your chance
of passing a PECB certification examination. The list of approved organizations that offer PECB official
training sessions is found on our website http://pecb.com/partnerEvent/event_schedule_list.
The ISO 27001 Lead Implementer certifications are professional certifications for professionals needing to
implement ISMS and, in case of the ISO 27001 Lead Implementer Certification, manage an implementation
project.
The ISO 27001 Auditor certifications are credentials for professionals needing to audit an ISMS and, in case
of the “ISO 27001 Lead Auditor” Certification, needing to manage a team of auditors.
The ISO 27001 Master certification is a professional certification for professionals needing to implement an
ISMS, master the audit techniques, and manage (or be part of) audit teams and audit program.
Based on your overall professional experience and acquired qualifications, you will be granted one or more
of these certifications based on the projects or audit activities you have performed in the past, or are
currently working on.
Certification | Exam | Professional experience | Audit experience | Project experience
Foundation | Foundation Exam | None | None | None
Provisional Implementer | Lead Implementer Exam | Two years; one year of work experience in the field of certification | None | Project activities totaling 200 hours
Lead Implementer | Lead Implementer Exam | Five years; two years of work experience in the field of certification | None | Project activities totaling 300 hours
Provisional Auditor | Lead Auditor Exam | None | None | None
Auditor | Lead Auditor Exam | Two years; one year of work experience in the field of certification | Audit activities totaling 200 hours | None
Lead Auditor | Lead Auditor Exam | Five years; two years of work experience in the field of certification | Audit activities totaling 300 hours | None
Master | Lead Auditor Exam and Lead Implementer Exam | Ten years; two years of work experience in the field of certification | Audit activities totaling 500 hours | Project activities totaling 500 hours
Customer Service: customer@pecb.com
www.pecb.com