Iso 27001 Ppt

ISO 27001 is the international standard Information technology – Security techniques – Information security management systems – Requirements. Its companion standard, ISO 27002, is the code of practice (Information technology – Security techniques – Code of practice for information security controls) that explains how to implement the controls ISO 27001 lists.

Alan Calder & Steve Watkins (2012): “ISO is a well-respected international information security standard that outlines the key processes and approaches a business needs to manage information security risk in a practical way.”

Why do we need it? “Information security is a business problem, not an IT problem.”

An ISO 27001 certification consultant offers information security management system (ISMS) awareness and auditor training presentation (PPT) slides. Pivot Point Security is dedicated to helping you get certified for your cybersecurity. Here is an introductory presentation on ISO 27001 and how it can protect your data.


ISO 27001 is the international standard that describes best practice for an ISMS (information security management system).

The Standard takes a risk-based approach to information security. This requires organisations to identify information security risks and select appropriate controls to tackle them.

Those controls are outlined in Annex A of the Standard. In the 2013 edition described here there are 114 ISO 27001 Annex A controls, divided into 14 categories (A.5 to A.18). Note that the 2022 revision of the Standard restructures Annex A into 93 controls grouped under four themes (organisational, people, physical and technological), so the numbering below applies to ISO 27001:2013 only.


Annex A.12 – Operations security (14 controls)


This annex ensures that information processing facilities are operated securely, and consists of seven sections.

Annex A.12.1 addresses operational procedures and responsibilities: documented operating procedures, change management, capacity management, and the separation of development, testing and production environments.

Annex A.12.2 addresses malware, ensuring that the organisation has the necessary defences in place to mitigate the risk of infection.

Annex A.12.3 covers organisations’ requirements for backing up information, software and system images, and for testing those backups regularly, so that data can be recovered rather than lost.

Annex A.12.4 is about logging and monitoring. It requires that event logs are recorded and reviewed, that log information and logging facilities are protected from tampering and unauthorised access, that administrator and operator activity is logged, and that system clocks are synchronised, so that the organisation has reliable evidence when security events occur.

Annex A.12.5 addresses organisations’ requirements when it comes to protecting the integrity of operational software.

Annex A.12.6 covers technical vulnerability management, and is designed to ensure that unauthorised parties don’t exploit system weaknesses: information about technical vulnerabilities must be obtained and evaluated in a timely manner and appropriate measures (such as patching) taken, and the installation of software by users must be restricted.

Finally, Annex A.12.7 addresses information systems audit considerations. It’s designed to minimise the disruption that audit activities have on operational systems.

Annex A.13 – Communications security (7 controls)

This annex concerns the way organisations protect information in networks.

It’s divided into two sections. Annex A.13.1 concerns network security management, ensuring that the confidentiality, integrity and availability of information in those networks remains intact.

Meanwhile, Annex A.13.2 deals with the security of information in transit, whether it’s going to a different part of the organisation, a third party, a customer or another interested party.

Annex A.14 – System acquisition, development and maintenance (13 controls)

The objective of Annex A.14 is to ensure that information security remains a central part of the organisation’s processes across the entire lifecycle of its information systems, from specifying requirements through development, testing and maintenance.

Its 13 controls address the security requirements for internal systems as well as those that provide services over public networks.

Annex A.15 – Supplier relationships (5 controls)

This annex concerns the contractual agreements organisations have with third parties.

It’s divided into two sections. Annex A.15.1 addresses the protection of an organisation’s valuable assets that are accessible to, or affected by, suppliers.

Meanwhile, Annex A.15.2 is designed to ensure that both parties maintain the agreed level of information security and service delivery.

Annex A.16 – Information security incident management (7 controls)

This annex is about how to manage and report security incidents. Part of this process involves identifying which employees should take responsibility for certain actions, thus ensuring a consistent and effective approach to the lifecycle of incidents and response.

Annex A.17 – Information security aspects of business continuity management (4 controls)

The aim of Annex A.17 is to create an effective system to manage business disruptions.

It’s divided into two sections. Annex A.17.1 addresses information security continuity – outlining the measures that can be taken to ensure that information security continuity is planned, implemented and verified as part of the organisation’s business continuity management system.

Annex A.17.2 looks at redundancies, ensuring the availability of information processing facilities.

Annex A.18 – Compliance (8 controls)

This annex ensures that organisations identify the laws, regulations and contractual obligations that apply to them (Annex A.18.1), which helps them understand their legal and contractual requirements and mitigates the risk of non-compliance and the penalties that come with it. It also requires regular information security reviews (Annex A.18.2) to confirm that the ISMS is being operated in line with the organisation’s own policies and standards.

Who is responsible for implementing Annex A controls?

ISO 27001’s security requirements aren’t simply within the remit of the organisation’s IT department, as many people assume.

Rather, the Standard addresses each of the three pillars of information security: people, processes and technology.

The IT department will play a role in risk treatment, most obviously in implementing the technology, but also in developing the processes and policies that ensure those technologies are used properly.

Most controls will require the expertise of people from across your organisation. This means you should create a multi-departmental team to oversee the ISO 27001 implementation process.

Using the 14 domains of ISO 27001

Organisations aren’t required to implement all 114 of ISO 27001’s controls. They are, however, required to produce a Statement of Applicability that lists every Annex A control, states whether it is implemented, and justifies any exclusions, so a control can only be left out when the risk assessment shows it isn’t needed.


They’re simply a list of possibilities that you should consider based on your organisation’s requirements.

Annex A provides an outline of each control. You should refer back to it when conducting an ISO 27001 gap analysis and risk assessment.

These processes help organisations identify the risks they face and the controls they must implement to tackle them.


The only problem with Annex A is that it only provides a brief overview of each control. While this is good for reference use, it’s not enough on its own when actively implementing the control.

That’s where ISO 27002 comes in. It’s a supplementary standard in the ISO 27000 series, providing detailed implementation guidance for each of the information security controls listed in Annex A.

The Standard dedicates about one page to each control, explaining how it works and how to implement it.
