
ISO/IEC 27001

ISO/IEC 27001. Winnie Chan BADM 559 Professor Shaw 12/15/2008. ISO/IEC 27001 Objective. To provide a guide for establishing, implementing, reviewing, and maintaining a firm’s Information Security Management System (ISMS)




Presentation Transcript


  1. ISO/IEC 27001 Winnie Chan BADM 559 Professor Shaw 12/15/2008

  2. ISO/IEC 27001 Objective
     • To provide a guide for establishing, implementing, reviewing, and maintaining a firm’s Information Security Management System (ISMS)
     • Uses a Continual Improvement Approach Known as the Plan-Do-Check-Act (PDCA) Cycle

  3. PDCA Cycle
     • Plan Stage
       • A Firm’s Security Objectives and the Methods to Achieve Them Are Drafted Using a Risk Assessment Approach
       • Appropriate Information Security Controls Are Determined
     • Do Stage
       • The Plan is Implemented
     • Act Stage
       • Analyze Results and Compare Actual Accomplishments to Planned Objectives
     • Check Stage
       • Continuously Make the Necessary Changes Until the Best Future Result From the ISMS is Obtained

  4. ISO/IEC 27001 History
     • First Part of the Growing ISO/IEC 27000 (ISO 27K) Family
       • A Series of Information Security Standards Developed to Protect the Reliability, Confidentiality, and Accessibility of the Essential Data that Firms Rely On
     • Derived From the 1999 British Standard (BS) 7799 Part 2
     • In October 2005:
       • Adopted By the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
       • Also Known As “Information Security Management - Specification with Guidance for Use”

  5. ISO/IEC 27001 Structure
     • 8 Major Sections:
       • Scope, Normative References, Terms and Definitions, ISMS, Management Responsibility, Internal ISMS Audits, Management Review of the ISMS, and ISMS Improvements
     • 3 Main Annexes:
       • Control Objectives and Controls
       • Organisation for Economic Co-Operation and Development (OECD) Principles
       • Correspondence Between ISO 9001 (Quality Management Systems Standard), ISO 14001 (Environmental Management Systems Standard) and ISO/IEC 27001

  6. Certification Process
     • Desktop Audit
       • An Accredited Certification Body Auditor Examines a Firm’s Relevant Documents, Such as its Statement of Applicability (SoA) and Risk Treatment Plan (RTP)
     • On-Site Audit
       • The Certification Body Sends an Audit Team to Perform an In-Depth Assessment of the Implementation of a Firm’s Information Security System
     • Firm Agrees to a Surveillance Schedule
       • The Certification Body Periodically Checks the Firm’s ISMS Every 6-9 Months
     • Issuance of Certificate
       • The Certificate Only Lasts for 3 Years After Initial Certification

  7. Pros to Certification
     • Certified Firms:
       • Meet US Legislative Requirements
         • Sarbanes-Oxley Section 404
         • Statement on Auditing Standards (SAS) 70
         • Health Insurance Portability and Accountability Act (HIPAA) Requirements
       • Have Reduced Regulation Costs
       • May Get Reduced Insurance Premiums
       • See Improved Confidence from Suppliers, Customers, and Stakeholders
       • Have a Competitive Advantage

  8. Update on ISO/IEC 27001
     • ISO/IEC 27001 is Currently Being Revised by Renowned Experts in the Information Security Area
       • Angelika Plate
       • Matthieu Grall
     • The Revised Version is Expected to Be Published Sometime in 2009 or 2010
