Difference between revisions of "ISO"

How/Where do I start?

STEP 1 Management

First get support from your top management. They must demonstrate their commitment and determination to implement an ISO27001 Information Security Management System in your organisation. Without top management commitment, no information security initiative can succeed.

To provide evidence of commitment to the development and implementation of an ISMS and continually improve its effectiveness, top management should:

1. make clear to the organisation the importance of meeting customer, statutory and regulatory requirements,
2. define the organisation's information security policy and making this known to every member of staff
3. ensure that information security objectives are established at all levels and for all functions
4. ensure the availability of those resources required for the development and implementation of the ISMS
5. lead the required management review meetings
6. encourage the involvement of all staff
7. identify and communicate the key objectives to be achieved through the ISMS, such as:
8. keeping confidential information secure
9. providing customers and stakeholders with confidence in how we manage risk
10. allowing the secure exchange of information
11. ensuring that legal obligations are met
12. providing a competitive advantage
13. better managing and minimising risk exposure
14. raising awareness of security issues

STEP 2 Appointing the team

Top management should appoint an Information Security Management Representative (ISMR), as its project manager to plan and oversee implementation, and a supportive team, including representatives of all organisational functions who fall within the scope.

The "Information Security Management Representative" will have to (and be keen to) become expert in and champion ISO27001, have the necessary attributes and authority to lead the implementation team and, should you go for third party certification, to represent your organisation to the certifier. The ISMR should:

1. have the total backing of the CEO or equivalent
2. have a genuine and passionate commitment to Information Security in general and the implementation of an ISO 27001 ISMS in particular
3. have the ability and presence to influence staff at all levels and functions of the organisation
4. be organised, a clear and logical thinker, computer literate
5. have a wide understanding of the processes that underlie business operations
6. have a good knowledge of Information Security methods in general and ISO 27001 in particular (or a quick learner, training would be highly advantageous)

ISO 27001 requires that the ISMR has clear responsibility for:

1. ensuring that ISMS defined, implemented, maintained and improved in conformance with the requirements of ISO 27001
2. reporting to top management on how well, or poorly, the ISMS is performing, including identifying any needs for improvement

STEP 3 Staff Awareness Training

It is important to inform all relevant staff, as early as possible, that you plan to adopt an ISO 27001 ISMS. You will need to explain the concept of ISO 27001 and how it will affect all staff so as to gain buy‐in and support.

Training programs should be structured for different categories of staff ‐ senior managers, middle‐level managers, supervisors and operatives. This training should cover:

1. the basic concepts of ISMSs and the standard,
2. the overall impact on the company's strategic goals
3. the changed work processes, and the likely work culture implications of the ISMS

In addition, initial training may also be necessary on such issues as process mapping.

STEP 4 Decide on the scope of your ISMS

4.1. General

Top management must define the scope of your ISMS implementation to match the scope of the information that the ISMS is aiming to protect. Getting the scope right for your purposes can be tricky, so we will go into a little detail.

It doesn't matter how or where this information is stored, you are setting out to protect this information no matter where, how, and by whom this information is accessed.

So, for example, if you have mobile devices, then even if they contain no sensitive information, they would fall within the scope if they can remotely access secure information stored on your network.

If you go for certification, the auditor will check if all the elements of the ISMS work well within your scope, he won't check the departments or systems that are not included in your scope.

Basically, ISO 27001 says you have to do the following when defining the scope:

1. take into account internal and external issues defined in clause 4.1
2. take into account all the requirements defined in clause 4.2
3. consider interfaces and dependencies between what is happening within the ISMS scope and the outside world

Although it is not required by the standard, it is often helpful to include a short description of your location (you could use floor plans to describe the perimeter) and organisational units (e.g., org charts) in your documented scope.

• • You can define your scope directly on the Cetbix platform under the content Scope.

4.2. Dependencies

To best visualise this, draw your processes (all business processes, not just security or IT processes) that are included in your ISMS scope, and then outside of this circle draw the processes that are provided from outside of your scope.

Once you know the dependencies, you have to identify the interfaces. Once you have identified the interfaces and their inputs/outputs you can include them in the scope if they impact on information security.

4.3. 27001 Example Scopes

1. The Information Security Management System (ISMS) applies to the control of our entire business, premises and resources within the UK. Premises and resources outside of the UK are excluded from the ISMS scope.
2. The ISMS is scoped to include all business processes conducted by the IT department at XYS motors. All other business units are excluded from scope.
3. The ISMS will protect the confidentiality, integrity and availability of XYS motors customer data at all times while in UK offices. This includes IT department, call centres and XYS office locations.

STEP 5 Perform a Gap Assessment

The first major task of the ISMR is to conduct a comparison of your existing ISMS with the requirements of the ISO27001 standard. This is often referred to as "gap assessment" and should determine:

1. what existing company policies and procedures already meet ISO 27001 requirements
2. what existing policies and procedures need to be modified to meet ISO 27001 requirements
3. what additional policies and procedures need to be created to meet ISO 27001 requirements

This can be done using the Cetbix ISO27005 questionnaires or the BSI questionnaires on your ISMS dashboard..

STEP 6 Initial asset review and data collection

At this phase, you need to start determining your assets. While this step isn't absolutely necessary, it is often useful, in that you will better understand the task ahead and better able to predict timescales, to do an initial scan of assets and their associated risks before drawing up a detailed implementation plan.

6.1 Asset identification

Guided by the included Appendix A Controls 'Asset Management Controls' document, carry out an initial fist scan of information assets:

Firstly, list out those information processing facilities that are used by more than one department, such as:

1. the company website
2. the front office (visitor log, employee attendance, material check-in and check-out, security checks, etc.)
3. Local Area Network (server computer, server operating system software, routers, client computers, etc.)
4. ERP software
5. client database
6. access control system, etc.

All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.

Then look at information assets within each department (both electronic and hardcopy), such as:

1. CRM software
2. customer supplied specifications and other proprietary items
3. email / hardcopy communication with customers, etc.
4. marketing department database and systems
5. R&D data of the design department
6. testing software and test reports
7. designs and specifications
8. databases

All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.

6.2 Initial information security risk assessment

ISO 27001 sets out the process you should adopt to identify, analyse, evaluate and treat the risks to your information assets: Guided by the Control of Risks and Opportunities Procedure, conduct an initial risk assessment for each functional area to:

1. identify the risks and risk owners
2. identify the affected information assets and their owners
3. quantify the risk
4. prioritise risks for treatment

If the same risk applies to more than one area, you may put them together when treating the risk.

In addition to the simple risk assessment approach that we have included, there are plenty of mature, risk management frameworks, such as : ISO/IEC 27005, ISO 31000, NIST SP800-37 (RMF)

Risks arise from your existing assets, so consider;

1. What information do we have?
2. Who are responsible for them?
3. Which of those should we protect?
4. In what priority should we protect them?
5. What costs are we willing to treat these risks?

All this is assessed on the Cetbix asset inventory on your dashboard - when you click on an asset, you are taken to the "audit page"

In your considerations:

1. use the ISMS defined context
2. define risk appetite and tolerance: how much is too much risk?

Consider watching this video

6.3 Prepare of tentative 'Statement of Applicability'

Bearing in mind the list of identified risks, go through the control checklist (based on Annex A of the standard) and identify those control objectives and controls which are applicable and why and also record those which you consider to not be applicable, and why. Cetbix automatically generates your SOA report for you.

6.4 Risk Treatment Plan

Review the findings of the initial risk assessment and prepare an initial risk treatment plan. Remember, only risk owners can accept risks and their treatment! Cetbix automatically generates your RTP report for you. Other reports such as Risk Register, Asset Register and other reports are generated automatically on Cetbix.

Why is there no score or graph?

The Cetbix ISMS concept is that risk is zero if there are no threats or vulnerabilities, which means that nothing is shown on the graph.