Information Security Management System ISMS Introduction - PowerPoint PPT Presentation

1
Information Security Management System (ISMS): Introduction
  • Inger Nordin

2
Agenda
  • Information Security Management System, ISMS
  • Introduction to Business needs and advantages of
    information security
  • Brief history and standards, ISO/IEC 17799:2000
    and BS 7799-2:2002
  • Implementation of an ISMS
  • Risk management
  • Process approach
  • Accreditation and certification of an ISMS
  • EA Guidelines
  • ISMS Certification
  • Comparison of ISMS, ISO 9001:2000 and ISO 14001:1996
  • Certification status in Sweden and other
    countries
  • Lessons learned
  • Future trends
  • Further information

3
Introduction, setting the scene: is information
security important?
Information is the key to success and growth for
an organisation.
  • 15,000 hospital records found in a waste bin
  • 30,000 passwords to Internet accounts published
    on the Internet
  • 25 people from the development department moved
    to a competitor
  • Banks pay millions to blackmailing crackers
  • 300,000 account numbers stolen, some published
    on the web
  • Suspected spy employed by ABB
  • Fire in a tunnel outside of Stockholm, Sweden


4
Introduction, setting the scene: information
security is important for the survival of a
company
5
Introduction, business needs and advantages of an
ISMS: is business dependent on an ISMS?
  • Fastest growing interest today, and the market is
    global...
  • Singapore, India, Japan, China, Australia,
    Finland, Denmark, Sweden, Taiwan, Korea, Ireland,
    Germany, England, ...
  • Certified companies in 25 countries (China,
    Japan, Holland, England, Sweden, Norway, Finland,
    USA, etc.)
  • Benchmark
    - mergers and acquisitions
    - outsourcing
    - supplier control
    - trade between companies
  • Business continuity planning!

Customer Requirement
Trust

6
Introduction: benefits of implementing a Business
Management System (BMS)
  • Heightened security awareness
  • Identification of critical assets
  • Providing a structure for continuous improvement
  • Confidence factor internally as well as
    externally
  • Ensuring that the knowledge capital will be
    stored in a business management system
  • Management awareness
  • Enabling future demands from clients,
    stockholders and partners to be met
  • More business

Certified ISMS

7
Introduction, brief history: the development of
7799 up to today
  • ISO 17799-2 ??? (still an open question)
  • 2002: BS 7799 Part 2:2002
  • 2001: SS-ISO/IEC 17799
  • 2000: ISO/IEC 17799
  • 1999: Swedish Standard SS 62 77 99 Parts 1 and 2;
    new issues of BS 7799 Parts 1 and 2
  • 1998: Project ISMS starts in Sweden
  • 1995: BS 7799
  • Initiative from the Department of Trade and Industry
8
Introduction: mapping of standards (figure only on the original slide)
9
Introduction: information security, structure
Figure: information security is divided into administrative
security and IT security, with IT security in turn comprising
EDP security and communication security; the figure shows the
two main parts in a 25 / 75 proportion.

10
Introduction: what is information security?
  • Confidentiality
  • Integrity
  • Availability
  • Traceability (shown on the slide alongside the three above)

11
Introduction: how to identify the security
requirements?
  1. Security risks
  2. Legal and contractual requirements
  3. Internal principles, objectives and
     requirements
Choose the CORRECT controls and the required degree of
flexibility from the START!

12
Introduction: Information Security Management
System, ISMS
Figure: the Plan-Do-Check-Act model of the ISMS.
Input: interested parties with their information security
requirements and expectations. Output: interested parties
receiving managed information security.
  • Plan: establish the ISMS
  • Do: implement and operate the ISMS
  • Check: monitor and review the ISMS
  • Act: maintain and improve the ISMS
Together these form the development, maintenance and
improvement cycle.


13
Introduction: risk assessment and risk management
Figure: risk matrix with consequence on one axis and
probability on the other.
14
Introduction: security level
Figure: security level plotted against risks and costs.

15
Introduction: comparison of SHALL and SHOULD
standards
  • BS 7799-2:2002 -- SHALL
  • 1 Scope
  • 2 Normative references
  • 3 Terms and definitions
  • 4 Information security management system
  • 5 Management responsibility
  • 6 Management review of the ISMS
  • 7 ISMS improvement
  • Annex A (normative) Control objectives and
    controls: table mapping to ISO/IEC 17799
  • Annex B (informative) Guidance on use of the
    standard
  • Annex C (informative) Comparison between ISO
    9001:2000, ISO 14001:1996 and BS 7799-2:2002
  • Annex D (informative) Changes to internal
    numbering
  • ISO/IEC 17799:2000 -- SHOULD
  • 1 Scope
  • 2 Terms and definitions
  • 3 Security policy
  • 4 Organizational security
  • 5 Asset classification and control
  • 6 Personnel security
  • 7 Physical and environmental security
  • 8 Communications and operations management
  • 9 Access control
  • 10 Systems development and maintenance
  • 11 Business continuity management
  • 12 Compliance


16
Changes from BS 7799 Part 2:1999 to BS
7799-2:2002
  • Aligned with ISO 9001 and ISO 14001
  • Better description of the management system
  • Focus on the Plan, Do, Check and Act process
  • Focus on risk assessment, risk treatment, ...
  • Correspondence tables:
    - BS 7799 Part 2, ISO 9001:2000 and ISO 14001
    - BS 7799 Part 2:1999 and BS 7799 Part 2:2002
  • BS 7799-2 and ISO/IEC 17799 should be viewed as
    one whole
  • The requirements are in Part 2, including the description
    of the ISMS and Annex A with all the ISO/IEC 17799
    controls

17
ISO/IEC 17799:2000, Chapter 1: Scope
  • This standard gives recommendations for
    information security management for use by those
    who are responsible for initiating, implementing
    or maintaining security in their organization.
  • It is intended to provide a common basis for
    developing organizational security standards and
    effective security management practice and to
    provide confidence in inter-organizational
    dealings.
  • Recommendations from this standard should be
    selected and used in accordance with applicable
    laws and regulations.

18
BS 7799-2:2002, Chapter 1: Scope
  • This standard specifies the requirements for
    establishing, implementing, operating,
    monitoring, reviewing, maintaining and improving
    a documented ISMS within the context of the
    organization's overall business risks.
  • It specifies requirements for the implementation
    of security controls customized to the needs of
    individual organizations or part thereof.
  • The ISMS is designed to ensure adequate and
    proportionate security controls that adequately
    protect information assets and give confidence to
    customers and other interested parties. This can
    be translated into maintaining and improving
    competitive edge, cash flow, profitability, legal
    compliance and commercial image.

19
Introduction: 3 Terms and definitions
  • 3.1 availability
    ensuring that authorized users have access to
    information and associated assets when required
    [ISO/IEC 17799:2000]
  • 3.2 confidentiality
    ensuring that information is accessible only to
    those authorized to have access [ISO/IEC
    17799:2000]
  • 3.3 information security
    preservation of confidentiality, integrity and
    availability of information
  • 3.4 information security management system, ISMS
    that part of the overall management system, based
    on a business risk approach, to establish,
    implement, operate, monitor, review, maintain and
    improve information security
  • 3.5 integrity
    safeguarding the accuracy and completeness of
    information and processing methods [ISO/IEC
    17799:2000]


20
Introduction: 3 Terms and definitions (continued)
  • 3.6 risk acceptance
    decision to accept a risk [ISO Guide 73]
  • 3.7 risk analysis
    systematic use of information to identify sources
    and to estimate the risk [ISO Guide 73]
  • 3.8 risk assessment
    overall process of risk analysis and risk
    evaluation [ISO Guide 73]
  • 3.9 risk evaluation
    process of comparing the estimated risk against
    given risk criteria to determine the significance
    of the risk [ISO Guide 73]
  • 3.10 risk management
    coordinated activities to direct and control an
    organization with regard to risk [ISO Guide 73]
  • 3.11 risk treatment
    process of selection and implementation of
    measures to modify risk [ISO Guide 73]


21
ISMS implementation according to BS
7799-2:2002: process approach
Plan
Establish the ISMS:
  a) Define the scope of the ISMS
  b) Define an ISMS policy
  c) Define a systematic approach to risk assessment
  d) Identify the risks
  e) Assess the risks
  f) Identify and evaluate options for the treatment of risks
  g) Select control objectives and controls for the treatment
     of risks
  h) Prepare a Statement of Applicability
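As an added worked illustration (not part of Inger Nordin's slides), the following Python toy risk register walks through steps d) to h) of the Plan phase above using the ISO Guide 73 vocabulary defined on slide 20: risk analysis estimates each risk, risk evaluation compares it with the acceptance criteria, risk treatment selects controls until the residual risk meets the criteria (or flags it for an explicit risk acceptance decision), and a Statement of Applicability records which catalogue controls are applied, with the risks that justify them, and which are consciously excluded. The 1 to 5 scales, the acceptance threshold of 6, the sample risks (loosely modelled on the incidents of slide 3), the controls and their effect on the scores are all assumptions made for the example; the control references reuse the ISO/IEC 17799:2000 chapter numbers listed on slide 15, not real Annex A control identifiers.

```python
"""Toy risk register for the Plan phase of BS 7799-2:2002 (steps d-h), using the
ISO Guide 73 vocabulary from slide 20.  Added illustration, not the presentation's
own material: the 1..5 scales, the acceptance threshold, the sample risks, the
controls and their effect on risk scores are all assumed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCALE = range(1, 6)       # assumed: 1 (low) .. 5 (high) for likelihood and consequence
ACCEPTABLE_RISK = 6       # assumed risk criterion: a score <= 6 may be accepted


@dataclass(frozen=True)
class Control:
    ref: str              # ISO/IEC 17799:2000 chapter number from slide 15 (illustrative)
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    consequence: int
    candidates: List[str] = field(default_factory=list)   # control refs worth considering
    selected: List[Control] = field(default_factory=list)
    treatment: Optional[str] = None

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale instead of silently producing a score
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError(f"scores must be in {SCALE.start}..{SCALE.stop - 1}")


def analyse(r: Risk) -> int:
    """Risk analysis (3.7): estimate the risk as likelihood x consequence."""
    return r.likelihood * r.consequence


def residual(r: Risk) -> int:
    """Risk remaining after the selected controls; neither factor drops below 1."""
    lik = max(1, r.likelihood - sum(c.likelihood_reduction for c in r.selected))
    con = max(1, r.consequence - sum(c.consequence_reduction for c in r.selected))
    return lik * con


def evaluate(score: int, acceptable: int = ACCEPTABLE_RISK) -> bool:
    """Risk evaluation (3.9): compare the estimated risk against the risk criteria."""
    return score <= acceptable


def treat(r: Risk, catalogue: Dict[str, Control], acceptable: int = ACCEPTABLE_RISK) -> Risk:
    """Risk treatment (3.11): a risk that already meets the criteria gets a documented
    acceptance (3.6); otherwise candidate controls are added in order until the residual
    risk meets the criteria.  A residual still above the criteria is flagged so that
    management has to accept it explicitly rather than overlook it."""
    r.selected = []
    if evaluate(analyse(r), acceptable):
        r.treatment = "accept"
        return r
    for ref in r.candidates:
        r.selected.append(catalogue[ref])
        if evaluate(residual(r), acceptable):
            r.treatment = "reduce"
            return r
    r.treatment = "reduce; residual risk above criteria, needs management acceptance"
    return r


def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, Control]) -> Dict[str, dict]:
    """Step h): every catalogue control is listed as applicable (with the risks that
    justify it) or excluded, so that an exclusion is a conscious, reviewable decision."""
    soa = {}
    for ref, ctrl in catalogue.items():
        justification = [f"{r.asset}: {r.threat}" for r in risks if ctrl in r.selected]
        soa[ref] = {"control": ctrl.name, "applicable": bool(justification),
                    "justification": justification or ["no identified risk requires it"]}
    return soa


# Constructed sample data; chapter numbers follow the ISO/IEC 17799:2000 outline on slide 15
CATALOGUE = {
    "7": Control("7", "Physical and environmental security (secure disposal)", likelihood_reduction=2),
    "8": Control("8", "Communications and operations management (monitoring)", consequence_reduction=1),
    "9": Control("9", "Access control (password management)", likelihood_reduction=2),
    "11": Control("11", "Business continuity management", consequence_reduction=3),
}

RISKS = [
    Risk("patient records", "paper records end up in a waste bin", 3, 5, candidates=["7"]),
    Risk("Internet account passwords", "credential list published online", 4, 4, candidates=["9", "8"]),
    Risk("office network link", "cable damaged by tunnel fire", 1, 4, candidates=["11"]),
]


def run_plan_phase(risks=RISKS, catalogue=CATALOGUE):
    """Steps d)-h): risks identified (given), assessed, treated, and the SoA prepared."""
    treated = [treat(r, catalogue) for r in risks]
    return treated, statement_of_applicability(treated, catalogue)


if __name__ == "__main__":
    treated, soa = run_plan_phase()
    for r in treated:
        print(f"{r.asset:28} initial={analyse(r):2} residual={residual(r):2} treatment={r.treatment}")
    for ref, row in soa.items():
        print(ref, "applicable" if row["applicable"] else "excluded", row["justification"])
```

Running the module prints the initial and residual score and the chosen treatment for each risk, followed by one Statement of Applicability row per catalogue control. The "needs management acceptance" branch is the point of the exercise: it is what turns the review of residual versus acceptable risk in the Check phase into a recorded decision rather than an oversight.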



22
ISMS implementation according to BS 7799-2:2002:
process approach
Do
Implement and operate the ISMS:
  a) Formulate a risk treatment plan
  b) Implement the risk treatment plan
  c) Implement controls
  d) Implement training and awareness programmes
  e) Manage operations
  f) Manage resources
  g) Implement procedures and other controls for incident
     handling



23
ISMS implementation according to BS 7799-2:2002:
process approach
Check
Monitor and review the ISMS:
  a) Execute monitoring procedures and other controls
  b) Undertake regular reviews of the effectiveness of the
     ISMS
  c) Review the level of residual risk and acceptable risk
  d) Conduct internal ISMS audits
  e) Undertake management review of the ISMS
  f) Record actions and events that could have an impact on
     the effectiveness or performance of the ISMS



24
ISMS implementation according to BS 7799-2:2002:
process approach
Act
Maintain and improve the ISMS:
  a) Implement the identified improvements
  b) Take appropriate corrective and preventive actions
  c) Communicate the results and actions and agree them with
     all interested parties
  d) Ensure that the improvements achieve their intended
     objectives



25
ISMS implementation according to BS 7799-2:2002:
process approach
Figure: the development, maintenance and improvement cycle.



26
ISMS implementation: continual improvement
Figure: performance plotted against time, with the labels
"Information Security Management System development" and
"Assurance (information security)".
27
Introduction: who needs an ISMS?
  • Every organisation, company, firm or institution
    handling information, basically EVERYBODY!
  • Banks
  • IT companies
  • Government (for example the tax office)
  • Consultancy firms
  • Hospitals
  • Schools and universities
  • Insurance companies
  • Certificate Service Providers, CSPs
  • ... just to name a few!
