ISO/IEC 27000 family

PRESENTED BY LAURENT DEHEYER

internal use only – all right reserved 1

 1. WHAT? INTRODUCTION TO ISO27000
2. WHY?
1. BUSINESS LANDSCAPE
2. KEY BENEFIT
3. HOW?
1. CHALLENGES
2. ENABLERS
3. METHODOLOGY

Objectives

internal use only – all right reserved 2

Your Guest

Laurent Deheyer
Approach GRC Consulting Director
CISM – ISACA Member
ISO 27001 Lead Implementer/Certified Trainer
Certified Data Protection Officer [GDPR]

internal use only – all right reserved 3

 140

Number of 120

ISO/IEC 100

27001 80

certifications
60

is exploding
40

20

in Belgium 0

2006 2017

Source: www.iso.org/the-iso-survey.html
ISO/IEC 27001-data per country and sector 2006 to 2017
4
 Organisations processing
company confidential data

• IT
• Services

Trends GDPR • Transport & Communication

• B2B

ISO/IEC •
•
Boom: Startup
SaaS

27001
• Some uncommon requests

Organisations
processing personal
data 5
ISO/IEC introduction

• ISO: International Organization for Standardization

• Worldwide federation of national standards bodies from 146 countries, one from eachcountry, e.g.,– NBN - Institut
Belge de Normalisation (Belgium)

• ISO was established in 1947 (www.iso.ch )

• Mission: to promote the development of standardization and related activities in the world with a view to facilitating
the international exchange of goods and services, and to developing cooperation in the spheres of intellectual,
scientific, technological and economic activity.

• 2.937 technical bodies

• ISO's work results in international agreements which are published as International Standards (IS)

• 20 500 standards and standards-type documents

internal use only – all right reserved 6

 ISO/IEC 27001 is about managing Information Security

• Internationally recognized Standard

• Part of ISO27000 family
• Set the specification for an Information security management
system (ISMS)
• Based upon Information Risk Management
• Focus on Continuous Improvement
• Certification by accredited body - valid 3 years, re-audit every
year

Note: newly release 27001:2017  includes very minors changes

7
 What do you want to protect?
CONFIDENTIALITY, INTEGRITY, AVAILABILITY of organisations ASSETS

You want to protect your ‘assets’. There are several definitions for the term ‘asset’, generally speaking an asset could be
defined as ‘an item of value’ for a company in order to run its business, including servers, laptops, smartphones people,
confidential/private information, Intellect Property, applications, customer’s data, ..
Employees
Intellectual
Property

Hardware
Applications Information

8
8
ISO/IEC 27K-series
 47 published standards to date

terminology ISO27000 – OVERVIEW & TERMINOLOGY

ISO27001 – ISMS REQUIREMENTS
ISO/IEC 27K-series (Information Security)

normative ISO27701 – PIMS REQUIREMENTS (and guidelines)

ISO27006 – requirements for certification bodies

acting as PII processors

(PII) in public clouds
identifiable information
protection of personally
ISMS code of practice

ISMS implementation

Info Sec controls for

ISMS Measurement

Info Sec risk mgt

cloud services
guidance

27003

27018
27017
27004
27002

27005
Informative
(implementation
guidance)

internal use only – all right reserved 9

 ISO27701 Privacy Certification- Context & Implementation Guidance

• ISO27701- an international standard for Privacy Information Management System, PIMS

• ISO27701- provides guidance to implement & continually improve measures to ensure privacy of PII

• Integrates related requirements & guidance of below standards/regulation

• GDPR- a regional regulation (with international scope) on personal data (little guidance, not certifiable)
• ISO29100- an international privacy protection framework
• ISO29151- an international code of practice for PII
• ISO27001/2- international standard on Information Security

• ISO27701- comprises clauses & Annexes that are sequentially aligned with ISO27001/2, the GDPR, ISO29100, etc

• PIMS (ISO27701)- certifiable (subject to or together with 27001 ISMS certification).

• ISO27001 plus ISO27701 certifications meet privacy & information security requirements of the GDPR (but it does not amount to GDPR
certification because there is still no official certification for the GDPR)

• Terminology- (a) ISO27701 privacy/PII = GDPR protection/data (b) ISO27701 PII principal (sometimes data subject) = GDPR data subject
(c) ISO27701 PII Controller (or Privacy Stakeholder) = GDPR data Controller (d) ISO27701 PII Processor = GDPR data Processor

internal use only – all right reserved 10

 Compliance Market
Management Demand

Key
benefits
Sales Cyber
Efficiency Threats

11
 What are the roadblocks?

Organisation priorities

Human factor

Initial investment
Lack of
understanding
12
 What are the pitfalls?

Lack of role and

responsibilities
Technical vs.
Organisational
controls

Bad planning

The wrong scope

Stakeholders expecations 13
 Key Enablers

People Methodologie GRC, Tools

s and
Technologies

Startup Small & Large

Medium 14
 Methodology
STRIVE FOR A SUCCESSFULL IMPLEMENTATION

The overall methodology used is based on the PDCA model ISO27000 Standard
(Plan, Do, Check, Act):
Gap analysis ‘As Is’ vs
requirements

Plan Phase I
Establish the ISMS Identifying risks

Defining action plan

Act Do Define & implement

Maintain & Improve Implement & operate Security Policy
ISMS ISMS
Defining controls

Check
Monitor & review Internal audit Phase II
ISMS
Corrective action

improvement
This model is not dedicated for security, it is widely used to implement
standards like ISO 9000 (Quality), ISO 14001 (Environment)…
internal use only – all right reserved 15
TOP most difficult parts during the projects
Survey from Approach’s consultants based upon their experiences

PLAN DO

• Scope definition • Change Management

• Asset identification • Data/Information classification

• Management commitment • Secure SDLC

• Business Continuity Management

internal use only – all right reserved 16

Question to ask during scope definition exercice

• What is the business needs?

• Do you have a clear organisational chart?

• How many people would be affected inside the company?

• For multi-site organisation, can you map services delivered from which locations?
• Can you identify the business applications and processes supporting the service in scope
for you certification?

• Can you define what should NOT be in scope, identify the boundaries and interfaces?

internal use only – all right reserved 17

BACKUP

internal use only – all right reserved 18

General information on ISO

• General information at: www.iso.org on

• ISO Code of Conduct http://www.iso.org/iso/codes_of_conduct.pdf

(Implementation suggestions for ISO Code of Conduct

http://www.iso.org/iso/suggestions_for_implementation_of_the_iso_code_of_conduct.pdf)

• Standards http://www.iso.org/iso/home/standards.htm

(benefits, certification, management system standards, education about standards)

• About ISO http://www.iso.org/iso/home/about.htm

(structure, members, consumers, conformity assessment, developing countries, training)

• Standards development http://www.iso.org/iso/home/standards_development.htm (technical committees,

deliverables, who develops standards, why get involved?, resource area)

• News http://www.iso.org/iso/home/news_index.htm

• ( ISO standards in action, ISO Magazines, events, media Kit)

• ISO store http://www.iso.org/iso/home/store.htm

internal use only – all right reserved 19
ISO27001 vs ISAE3402 SOC2

ISO27001 ISAE3402 SOC2

• Focus on Risk Management • Focus on Risk Management

• Best Practices (guidelines) • Principles (trust services)
• Certificate • Report (type 1 / type 2)
• All processes • Selection of processes

« looking forward » « looking backward »

internal use only – all right reserved 20

Privacy with SOC 2
Service Organisation Control Reports (AICPA)

• Based on the SSAE 18 standard

SOC 1 (financial reporting)
Type 1: point in time

• 5 criteria categories: Type 2 : period in time

• security
• availability
SOC 2 • processing integrity
• confidentiality 1. Notice & communication of
objectives
• privacy 2. Choice & consent.
3. Collection
4. Use, retention, and disposal.
5. Access
• SOC 2 « light », can be freely 6. Disclosure & notification

SOC 3 distributed. 7.
8.
Quality
Monitoring and enforcement.

internal use only – all right reserved 21

Approach at a glance

internal use only – all right reserved 22

Our Business at a Glance
Approach in a few words

Our Company Our Mission Success Stories

Sustainable Certification Our

Growth & Compliance Locations

23
 Why Approach ?
Global Approach to Cyber Security

Expertise & Talent Methodologies Assets

Pragmatic proven methods tailored to
your context and needs

We cover the entire cyber security value chain, from governance and strategy
through ​to resilient technical designs, architectures and implementations.

Because we have our own software factory, we are uniquely positioned

to develop highly secure solutions for our clients.
24
Get Access to the Cyber Security Ecosystem
The Approach Network

Authorities Government & Regulators

Partner Companies Network of Experts

Certification Bodies Schools & Universities

25
Our Portfolio of Solutions
How can we help you?

Cyber Governance, Application Infra & Ops Digital Identity

Resilience Risk & Compliance Security Security & Trust

27
Some of our Customers
… and how we help them

CSIRT GDPR

Training
Architecture
Review

Software Factory

PKI ,GDPR, ISO

27001

Secure Software
Factory, WAF

Software Factory

28
Thank you !
Let’s keep in touch

APPROACH LOUVAIN-LA-NEUVE APPROACH ANTWERPEN

7 rue Edouard Belin 1435 Mont-Saint-Guibert 1-3 Rouaansekaai 2000 Antwerpen

Tel : +32 10 83 21 10 Email : Sales@approach.be Website : www.approach.be

29
What our customers say about us
Testimonials

Approach Approach Approach

Kris DE RYCK Jean DE CRANE Stéphane RIES

Belgian Mobile ID CEO Isabel Group CEO LuxTrust Deputy CEO & COO

30