Implementation of ISO/IEC 27001
ISO 27001 (formerly BS7799) describes an approach known as PDCA ('Plan, Do, Check, Act'), a broad stage-by-stage approach that is used across a range of standards.
Implementation of ISO 27001 (formerly BS7799) can be summarized as a 10-stage process:
- Define an information security policy
- Define scope of the information security management system
- Assemble the teams that will plan, implement, assess and check the ISO 27001 implementation.
- Identify information assets and classify them.
- Perform a security risk assessment.
- Manage the identified risks and value them against the CIA (confidentiality, integrity, availability).
- Select controls to be implemented and applied.
- Prepare an SoA (a "statement of applicability").
- Establish an internal audit system to maintain this strategy.
- Engage accredited auditors to obtain the certification.
Summary (in detail):
Presenting a planning strategy in a meeting with the immediate boss, discussing the framework/standard to be followed.
Assembling the project team / organization structure for this implementation:
a) Forming a steering group of senior management to provide support to executive management during the project stage.
b) Forming a working group comprising middle-level managers from all departments for planning and implementation during the project and maintenance stages.
Aligning with business goals and defining top level security policy:
a) A top level policy provides a clear management direction and commitment and establishes agreed roles and responsibilities.
b) A top-level security policy may include scope, legal and regulatory obligations, roles and responsibilities, the strategic approach to risk management, and action in the event of a breach of policy.
Mapping information flow:
a) Including the operations team in the scope of the ISMS and gathering information on the operational processes.
b) Getting a list of key systems from the IT department.
c) Mapping process flows, i.e. the core processes which, if neglected, cause the organizational objectives to fail.
d) Mapping the information flow with the help of the process flow: the information created, processed, transmitted, stored and deleted in the realization of the product.
Identifying information assets and dependent assets:
a) Using the process model, for each scope we identify all assets under each parameter, and then identify which of these assets are information assets.
b) Information assets are those that may be considered information, i.e. the information received, created, processed, transmitted, stored or deleted as a direct part of product realization or as part of the supporting processes / functions / activities.
c) Dependent assets are those assets that may not be information but on which the receipt, creation, processing, transmission, storage or destruction of information depends.
d) Identifying the assets with the dispatch desk.
Approval:
a) Submitting the list of assets to the steering group for approval.
Classification of Assets:
a) Categorizing the assets into physical information, electronic information, non-electronic information, people, services, software, etc., depending on the organizational infrastructure to be assessed.
Developing Risk Scenarios:
a) Developing risk scenarios and assessing the vulnerabilities and threats.
b) Establishing the vulnerabilities to the assets.
c) Establishing the threats to the assets.
d) Establishing the likelihood of the threats.
e) Calculating the risks to the assets.
f) Valuing the assets, expressed in terms of the potential impacts of unwanted incidents such as loss of confidentiality, integrity and/or availability (CIA) of information.
Risk Assessment:
a) Meeting with the working group to develop a risk assessment strategy.
b) Performing impact and probability analysis in terms of CIA by assigning impact and likelihood ratings to all risk scenarios, in conjunction with the business owners of the assets.
c) Calculating the risk as a function of probability and impact.
d) Identifying critical, high, medium and low risk factors while rating.
e) Creating risk deliverables (risk assessment outputs), which may include a summary report to management for decision-making related to the management of risks, the controls selected from ISO/IEC 17799:2005, and worksheets from the risk assessment spreadsheet (copies are attached to the risk assessment summary report).
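The risk scenario and risk assessment steps above, as an added worked example that is not part of the original post: a small risk register that rates likelihood and CIA impact per scenario, calculates risk as a function of the two, bands it into critical/high/medium/low, sorts the rows for the management summary report, and quantifies the residual risk left after a control is applied (the residual-risk step of the Statement of Applicability). The 1-5 rating scales, the likelihood x worst-case-impact formula, the band thresholds and the sample scenarios are all assumptions; the page does not define them.

```python
from dataclasses import dataclass, field

CIA = ("confidentiality", "integrity", "availability")
# Critical/high/medium/low bands over the 1..25 score range (assumed thresholds).
BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (1, "low"))

@dataclass
class RiskScenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                              # 1 (rare) .. 5 (almost certain); assumed scale
    impact: dict = field(default_factory=dict)   # CIA area -> 1 (minor) .. 5 (severe); assumed scale

    def __post_init__(self):
        # Reject ratings outside the scale so a typo in the worksheet cannot hide a risk.
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"likelihood out of range: {self.likelihood}")
        for area in CIA:
            if not 1 <= self.impact.get(area, 0) <= 5:
                raise ValueError(f"{area} impact missing or out of range")

def risk_score(s: RiskScenario) -> int:
    """Risk as a function of probability and impact: likelihood x worst CIA impact (assumed formula)."""
    return s.likelihood * max(s.impact[a] for a in CIA)

def risk_rating(score: int) -> str:
    """Map a score to the critical/high/medium/low split used while rating."""
    return next(name for floor, name in BANDS if score >= floor)

def residual_score(s: RiskScenario, likelihood_cut: int = 0, impact_cut: int = 0) -> int:
    """Residual risk after a control lowers likelihood and/or impact (ratings never drop below 1)."""
    likelihood = max(1, s.likelihood - likelihood_cut)
    impact = max(1, max(s.impact[a] for a in CIA) - impact_cut)
    return likelihood * impact

def register(scenarios):
    """Rows for the summary report, highest risk first, so management sees critical items on top."""
    rows = [(s.asset, s.threat, risk_score(s), risk_rating(risk_score(s))) for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample scenarios (hypothetical, not from the original post).
SAMPLE = [
    RiskScenario("customer database", "unauthorised access", "weak access control", 4,
                 {"confidentiality": 5, "integrity": 3, "availability": 2}),
    RiskScenario("backup tapes", "theft in transit", "unencrypted media", 2,
                 {"confidentiality": 4, "integrity": 1, "availability": 2}),
    RiskScenario("intranet wiki", "accidental deletion", "no change control", 1,
                 {"confidentiality": 1, "integrity": 2, "availability": 2}),
]
```

Calling `register(SAMPLE)` gives the rows of the summary report in priority order; `residual_score` on a scenario with the planned likelihood or impact reduction gives the figure to record against senior management's acceptance of residual risk.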
Statement of Applicability:
a) A mandatory requirement for ISO 27001 certification.
b) Including descriptions of control objectives and controls, with clause references, in the SoA.
c) Indicating in the SoA whether each control objective or control is applicable to your ISMS.
d) Including in the SoA a remarks column explaining why a particular control has not been included, with a reference to the senior management acceptance of that exclusion.
e) Identifying control objectives and controls.
f) Including any plans to transfer risks.
g) Assessing and quantifying residual risks.
h) Providing a cross-reference for acceptance of residual risks by senior management (steering group).
i) Listing the control objectives and controls that are relevant and applicable to the organization's ISMS, based on the results and conclusions of the risk assessment.
j) Also listing the control objectives and controls from ISO/IEC 17799:2005 that have not been selected, with the justification for exclusion (justifying exclusions provides a cross-check that no controls have been inadvertently omitted).
Risk Treatment Plan:
a) Should include the design, implementation, audit, review and maintenance of the information security management system.
b) It should cover areas such as physical security, technical and logical security, creation and implementation of policies and procedures, and personnel security (including awareness and training).
Policies and procedures:
a) Preparing a draft of policies and procedures with the working group and submitting it to the steering group for approval.
b) Drafting the background, the purpose of the policy/procedure, the policy statements/procedure, enforcement standards, responsibilities, accountability method, and review and monitoring standards, and providing references to other documents.
Implementation plan:
a) Preparing a draft of the implementation plan to be submitted to the working group.
b) Including the task description, milestone description, dependencies, resources needed, duration and responsibilities in the project report.
Audit:
a) Approaching audit firms that are qualified with accredited certification.
b) Highlighting and focusing on the details before concluding the agreement with the audit firm.
c) Concluding the agreement with the audit firm.
d) Providing the mandatory services prior to the actual certification audit.
e) Recognizing the audit steps to be performed.
f) Identifying the certificate issue procedure.
g) Identifying and maintaining the rules governing the certificates.
ISMS:
a) Preparing the meeting agenda with the working group for the management review.
b) Preparing minutes of management review meeting with target dates and responsibilities.
c) Preparing corrective and preventive action plans after the review with dates and responsibilities.
Hassan Syed
http://securityassessmentframework.blogspot.com/
http://groups.yahoo.com/groups/issaf