A Basic Introduction to ISO 27001 - PowerPoint PPT Presentation

Slides: 16
Provided by: infosectrain01
Transcript and Presenter's Notes

1
www.infosectrain.com
A Basic Introduction to ISO 27001
2
InfosecTrain
About Us
InfosecTrain is one of the finest Security and
Technology Training and Consulting organizations,
focusing on a range of IT Security Trainings and
Information Security Services. InfosecTrain was
established in the year 2016 by a team of
experienced and enthusiastic professionals who
have more than 15 years of industry experience.
We provide professional training and certification
consulting services related to all areas of
Information Technology and Cyber Security.
4
A Basic Introduction to ISO 27001
  • Information security is a global issue affecting
    international trading, mobile communications,
    social media, and the various systems and
    services that make up our digital world and
    national infrastructures. Managing information
    security is an even more crucial issue, as it
    includes using and managing the policies,
    procedures, processes, control measures, and
    supporting applications, services, and
    technologies that need to be protected.
    Information security management needs to be
    effective, suitable, and appropriate if it is to
    protect information from the risks that
    businesses and society face in this digital age.
    Information could be disclosed and made
    accessible to unauthorized users, corrupted or
    modified in some unauthorized or accidental way,
    or lost or made unavailable by a system failure.
    An organization needs to assess its risks in
    terms of the potential impact that a security
    incident might have on its business and the
    likelihood of that security incident occurring.
    It needs to adopt an approach to risk assessment
    that is effective, suitable, and appropriate to
    its business, and this approach is known as ISO
    implementation.

5
What is ISO?
  • The International Standards Organization (ISO) is
    a non-governmental organization that holds a
    unique position between the public and private
    sectors. Its members include national standards
    organizations who often are a part of government
    structures in their countries or mandated by
    these governments. The role of ISO is to
    facilitate the international coordination and the
    standardization of industrial standards. To reach
    these objectives, ISO publishes technical
    standards. These standards contribute to the
    development, manufacturing, and delivery of
    products and services that are more effective,
    safer, and clearer. They facilitate fair trade
    between countries. In addition, they bring a
    technical foundation for health, security, and
    environmental legislation to governments and
    they help to transfer technologies to developing
    countries. ISO standards are also used to protect
    consumers and general users of products and
    services.
  • What is ISO 27001?
  • ISO 27001 is the international standard that
    provides the specification for an Information
    Security Management System (ISMS). This
    systematic approach consists of the people,
    processes, and technology that help you protect
    and manage all of your organization's information
    through risk management. It is a set of normative
    requirements for establishing, implementing,
    operating, monitoring, reviewing, updating, and
    developing an Information Security Management
    System (ISMS). ISO 27001 is also used for
    selecting security controls tailored to each
    organization's needs based on industry best
    practices.

6
  • ISO 27001 checklist
  • An ISO 27001 checklist is used to determine
    whether an organization satisfies the
    international standard's requirements for
    implementing an efficient ISMS (Information
    Security Management System). Information
    Security Officers apply an ISO 27001 template
    when managing internal ISO 27001 audits. This
    checklist is divided into 14 categories, from
    section 5 to section 18, and each section
    includes the following items:
  • Section 5. Information Security Policies
  • Security policies exist
  • All policies approved by management
  • Evidence of compliance
  • Section 6. Organization of Information Security
  • Roles and responsibilities defined
  • Segregation of duties defined
  • Verification body/authority contacted for
    compliance verification
  • Establish contact with special interest groups
    regarding compliance
  • Evidence of information security in project
    management
  • Defined policy for mobile devices
  • Defined policy for working remotely

7

  • Section 7. Human Resources Security
  • Defined policy for screening employees prior to
    employment
  • Defined policy for HR terms and conditions of
    employment
  • Defined policy for management responsibilities
  • Defined policy for information security
    awareness, education, and training
  • Defined policy for disciplinary process regarding
    information security
  • Defined policy for HR termination or change of
    employment regarding information security
  • Section 8. Asset Management
  • Complete inventory list of assets
  • Complete ownership list of assets
  • Defined acceptable use of assets policy
  • Defined return of assets policy
  • Defined policy for classification of information
  • Defined policy for labeling information
  • Defined policy for handling of assets

8
  • Defined policy for management of removable media
  • Defined policy for disposal of media
  • Defined policy for physical media transfer
  • Section 9. Access Control
  • Defined policy for user asset registration and
    de-registration
  • Defined policy for user access provisioning
  • Defined policy for management of privileged
    access rights
  • Defined policy for management of secret
    authentication information of users
  • Defined policy for review of user access rights
  • Defined policy for removal or adjustment of
    access rights
  • Defined policy for use of secret authentication
    information
  • Defined policy for information access
    restrictions
  • Defined policy for secure log-in procedures
  • Defined policy for password management systems
  • Defined policy for use of privileged utility
    programs
  • Defined policy for access control to program
    source code

9
  • Section 10. Cryptography
  • Defined policy for use of cryptographic controls
  • Defined policy for key management
  • Section 11. Physical and Environmental Security
  • Defined policy for physical security perimeter
  • Defined policy for physical entry controls
  • Defined policy for securing offices, rooms, and
    facilities
  • Defined policy for protection against external
    and environmental threats
  • Defined policy for working in secure areas
  • Defined policy for delivery and loading areas
  • Defined policy for equipment siting and
    protection
  • Defined policy for supporting utilities
  • Defined policy for cabling security
  • Defined policy for equipment maintenance

10
  • Defined policy for removal of assets
  • Defined policy for security of equipment and
    assets off-premises
  • Secure disposal or re-use of equipment
  • Defined policy for unattended user equipment
  • Defined policy for clear desk and clear screen
    policy
  • Section 12. Operations Security
  • Defined policy for documented operating
    procedures
  • Defined policy for change management
  • Defined policy for capacity management
  • Defined policy for separation of development,
    testing, and operational environments
  • Defined policy for controls against malware
  • Defined policy for backing up systems
  • Defined policy for information backup
  • Defined policy for event logging
  • Defined policy for protection of log information
  • Defined policy for administrator and operator logs

11
  • Defined policy for clock synchronization
  • Defined policy for installation of software on
    operational systems
  • Defined policy for management of technical
    vulnerabilities
  • Defined policy for restriction on software
    installation
  • Defined policy for information system audit
    control
  • Section 13. Communication Security
  • Defined policy for network controls
  • Defined policy for security of network services
  • Defined policy for segregation in networks
  • Defined policy for information transfer policies
    and procedures
  • Defined policy for agreements on information
    transfer
  • Defined policy for electronic messaging
  • Defined policy for confidentiality or
    non-disclosure agreements
  • Defined policy for system acquisition,
    development, and maintenance

12
  • Section 14. System Acquisition, Development, and
    Maintenance
  • Defined policy for information security
    requirements analysis and specification
  • Defined policy for securing application services
    on public networks
  • Defined policy for protecting application service
    transactions
  • Section 15. Supplier Relationships
  • Defined policy for supplier relationships
  • Section 16. Information Security Incident
    Management
  • Defined policy for information security
    management
  • Section 17. Information Security Aspects of
    Business Continuity Management
  • Defined policy for redundancies
  • Section 18. Compliance
  • Defined policy for identification of applicable
    legislation and contractual requirements
  • Defined policy for intellectual property rights
  • Defined policy for protection of records
  • Defined policy for privacy and protection of
    personally identifiable information
  • Defined policy for regulation of cryptographic
    control

13
  • Defined policy for compliance with security
    policies and standards
  • Defined policy for technical compliance review
  • Reasons to adopt ISO 27001
  • The ISO 27001 standard provides better awareness
    of information security mechanisms and a way to
    measure the effectiveness of the management
    system. It also provides the opportunity to
    identify weaknesses in the ISMS and to apply
    corrections.
  • It also makes top management accountable for
    information security and for satisfying the
    requirements of customers and other
    stakeholders.
  • How can I get ISO 27001 Certification?
  • InfosecTrain provides certification training and
    the necessary preparation guidance for ISO 27001
    certification exams. It is one of the best
    consulting organizations, focusing on a wide
    range of IT security training. Highly skilled and
    qualified instructors with years of industry
    experience deliver interactive training sessions
    on the ISO 27001 standard certification exam. You
    can visit the following link to prepare for the
    ISO certification exam.

15
ABOUT OUR COMPANY
OUR CONTACT
InfosecTrain welcomes overseas customers to come
and attend training sessions in destination
cities across the globe and enjoy their learning
experience at the same time.
+44 7451208413
https://www.facebook.com/Infosectrain/
sales@infosectrain.com
https://www.linkedin.com/company/infosec-train/
www.infosectrain.com
https://www.youtube.com/c/InfosecTrain