The document provides an agenda for a workshop on ISO/IEC 27000:2018 Information Security Management Systems. The agenda covers understanding ISMS, an overview of ISO/IEC 27000:2018, exploring the requirements, navigating the controls, planning implementation, deploying ISMS, monitoring and evaluation, and continual improvement. The workshop will help participants understand how to establish, implement, and improve an organization's information security using the ISO standard.
1. Information Security Management Systems with ISO/IEC 27000:2018
Version 3.1.2
Developed and Facilitated by Goutama Bachtiar
IT Advisor, Consultant, Auditor and Investigator
Image: Hacker Moon
2. Workshop Agenda
1. Understanding Information Security Management System (ISMS)
2. Overview of ISO/IEC 27000:2018
3. Exploring the Requirements
4. Navigating the Controls
ISO 27000:2018
Digitally signed by Goutama Bachtiar, 2019.03.18 15:07:36 +07'00'
3. Workshop Agenda (cont’d)
5. Planning the Implementation
6. Deploying ISMS
7. Monitoring, Measurement and Evaluation
8. Conducting Continual Improvement
5. Defining ISMS
• Consists of policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets.
• A systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives.
6. Defining ISMS (cont’d)
• Based upon a risk assessment and the organization’s risk acceptance levels, designed to effectively treat and manage risks.
• Surveillance audits are conducted annually by an accredited certification body (ISO itself does not audit or certify organizations; certification bodies are accredited by national accreditation bodies).
• A recertification audit is conducted every 3 (three) years by the accredited certification body.
7. Defining ISMS (cont’d)
• Also describes the controls an organization needs to implement to ensure that it is sensibly protecting the Confidentiality, Integrity and Availability of assets from Threats and Vulnerabilities.
• For Risk Management, it requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity and availability, and the replacement cost of assets.
8. ISMS Characteristics
• Applied either to the entire organization or only to a specific area where the information it seeks to protect is segmented (the scope).
• Includes not only technical controls but also controls to treat additional, more common risks related to people, resources, assets and processes.
• Controls are applied based on the likelihood and potential impact of the risks.
9. ISMS Characteristics (cont’d)
• Helps you make appropriate decisions about the risks that are specific to your business environment.
• Dependent on support and involvement from the entire business, not just the IT department, from the cleaner right up to the CEO.
• Not an IT function but a business management process.
10. Going Further with Risk Management
• Threats
Unwanted events that could cause the deliberate or accidental loss, damage, or misuse of information assets.
• Vulnerabilities
How susceptible information assets and associated controls are to exploitation by one or more threats.
11. Going Further with Risk Management (cont’d)
• Impact and Likelihood/Frequency/Probability
The magnitude of potential damage to information assets from threats and vulnerabilities, and how serious a risk they pose to the assets. A cost-benefit analysis may be part of the impact assessment or separate from it.
• Mitigation
The proposed method(s) for minimizing the impact and likelihood of potential threats and vulnerabilities.
16. Key Requirements of ISO/IEC 27001
• Clause 1: Scope
The first clause details the scope of the standard.
• Clause 2: Normative References
All the normative references are contained in ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary, which is referenced and provides valuable guidance.
• Clause 3: Terms and Definitions
Refer to the terms and definitions contained in ISO/IEC 27000.
17. Key Requirements (cont’d)
• Clause 4: Context of the organization
Identify all external and internal issues relevant to your organization and to your information, including information entrusted to you by third parties. Then establish all “interested parties” and stakeholders, and how they are relevant to the information. Identify the requirements of interested parties, which could include legal, regulatory and/or contractual obligations. Decide on the scope of your ISMS, which needs to link with the strategic direction of your organization, its core objectives and the requirements of interested parties.
18. Key Requirements (cont’d)
• Clause 5: Leadership
All about the role of “top management”, the group of people who direct and control your organization at the highest level. Top management needs to establish the ISMS and the information security policy, ensuring they are compatible with the strategic direction of the organization.
19. Key Requirements (cont’d)
• Clause 5: Leadership
They need to make sure these are made available, communicated, maintained and understood by all parties, and must ensure the ISMS is continually improved and that direction and support are given. They can assign ISMS-relevant responsibilities and authorities, but ultimately they remain accountable for it.
20. Key Requirements (cont’d)
• Clause 6: Planning
Outlines how an organization plans actions to address risks and opportunities to information. Focuses on how an organization deals with information security risk; the response needs to be proportionate to the potential impact. Organizations are also required to produce a “Statement of Applicability” (SoA).
21. Key Requirements (cont’d)
• Clause 6: Planning
The SoA provides a summary of the decisions an organization has taken regarding risk treatment: the control objectives and controls you have included, those you have excluded, and why you decided to include or exclude each control. Another key area of this clause is the need to establish information security objectives; the standard defines the properties that information security objectives must have.
22. Key Requirements (cont’d)
• Clause 7: Support
All about getting the right resources, the right people and the right infrastructure in place to establish, implement, maintain and continually improve the ISMS. It deals with requirements for competence, awareness and communication to support the ISMS, which could include making training and personnel available, for example.
23. Key Requirements (cont’d)
• Clause 7: Support
Also requires all personnel working under an organization’s control to be aware of the information security policy, how they contribute to its effectiveness and the implications of not conforming. The organization also needs to ensure internal and external communications relevant to information security and the ISMS are appropriately communicated, which includes identifying what needs to be communicated, to whom, when and how this is delivered.
25. Key Requirements (cont’d)
• Clause 8: Operation
About the execution of the plans and processes that are the subject of the previous clauses. It deals with the execution of the actions determined and the achievement of the information security objectives. In recognition of the increased use of outsourced functions in today’s business world, these outsourced processes also need to be identified and controlled.
26. Key Requirements (cont’d)
• Clause 8: Operation
Any changes, whether planned or unintended, need to be considered here, together with their consequences for the ISMS. It also deals with the performance of information security risk assessments at planned intervals, and the need for documented information to be retained to record their results. Finally, there is a section that deals with the implementation of the risk treatment plan, and again the need for its results to be retained as documented information.
27. Key Requirements (cont’d)
• Clause 9: Performance evaluation
All about monitoring, measuring, analysing and evaluating your ISMS to ensure that it is effective and remains so. Helps organizations to continually assess how they are performing against their information security objectives and the requirements of the standard, in order to continually improve. You need to consider what information you need to evaluate information security effectiveness, the methods employed, and when it should be analysed and reported.
28. Key Requirements (cont’d)
• Clause 9: Performance evaluation
Internal audits will need to be carried out, as well as management reviews. Both must be performed at planned intervals and the findings retained as documented information. Management reviews are also an opportunity to identify areas for improvement.
29. Key Requirements (cont’d)
• Clause 10: Improvement
Concerned with corrective action requirements. You will need to show how you react to nonconformities, take action, correct them and deal with the consequences. You will also need to show whether any similar nonconformities exist or could potentially occur, and how you will eliminate their causes so they do not recur elsewhere.
30. Key Requirements (cont’d)
• Clause 10: Improvement
You are required to show continual improvement of the ISMS, including demonstrating its suitability, adequacy and effectiveness. How you do this is up to you.
31. Key Requirements (cont’d)
ISO/IEC 27001 (ISMS Requirements) also includes Annex A, which in the 2013 edition lists 114 controls to help protect information in a variety of areas across the organization.
ISO/IEC 27002 (Code of Practice for Information Security Controls) provides best-practice guidance and acts as a valuable reference for choosing, as well as excluding, the controls best suited to your organization.
35. Benefits
• Improvement and/or enhancement of Information Security
• Good Corporate/Organization Governance
• Conformity
• Cost saving
• Building Credentials/Credibility
Source: BSI Benefits Survey, 2017
47. References: Requirements in Detail
• ISO/IEC 27000:2018, Information security management systems – Overview and vocabulary. Published February 2018. 27 pages.
URL: https://www.iso.org/standard/73906.html and https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en
48. References: Requirements in Detail (cont’d)
• ISO/IEC 27001:2013, ISMS Requirements. Published 25 September 2013. 23 pages.
URL: https://www.iso.org/standard/54534.html
50. References: Information Security Controls
• ISO/IEC 27002:2013, Code of Practice for Information Security Controls. Intended as best practice for implementation. Published 25 September 2013. 80 pages.
URL: https://www.iso.org/standard/54533.html
52. References: Implementation Guidance
• ISO/IEC 27003:2017, ISMS Implementation Guidance. Published 1 March 2017. 45 pages.
URL: https://www.iso.org/standard/63417.html
53. Understanding the Organization
• Mission, objectives, values and strategies
• External environment
• Internal environment
• Key processes
• Infrastructure
54. Understanding the Organization (cont’d)
• Interested parties
• Business requirements
• ISMS objectives
• Legal, regulatory and contractual obligations
55. Analyzing the Existing System
• Identify security processes, procedures, plans and measurements
• Identify the actual level of compliance
• Evaluate the effectiveness and maturity level of processes
• Gap analysis
56. Leadership and Project Approval
• Business case
• Project team
• Steering committee
• Project plan
• Management approval
57. Scope
• Defines the boundaries (organizational, information system, physical) and applicability of the ISMS
• Helps determine the amount of effort
• Scope can be limited to:
▪ Organizational unit(s)
▪ Geographic area
▪ Product or service
58. Scope (cont’d)
Identify:
• Key characteristics of the organization
• Organizational processes
• Descriptions of roles and responsibilities for the ISMS
• List of information assets
• List of information systems
• Details and reasons for exclusions
60. Security Policy Requirements
• Appropriate to the purpose of the organization
• Includes information security objectives (or a framework for setting them) and a commitment to satisfy applicable requirements and to continually improve the ISMS
• Available to the organization as documented information
• Communicated within the organization
• Available to interested parties, as appropriate
61. Security Policy Requirements (cont’d)
• The ISMS policy should cover all clauses of ISO 27001
• The security policy can be a single document or a separate policy for each ISO 27002 clause
• Can be a high-level statement of policies, with more detail given in subordinate policies
62. Structure of Policy Document
• Summary
• Overview
• Scope
• Objectives
• Principles
• Responsibilities
63. Structure of Policy Document (cont’d)
• Enforcement
• Related policies
• Definitions
• Review and approval information
• Version history
65. Risk Assessment
• Select a risk assessment methodology that will provide comparable and reproducible results
• Determine the risks and opportunities that need to be addressed
• Establish and maintain risk criteria (including risk acceptance criteria)
• Select risk treatment options
• Assess control changes, as appropriate
• Formulate the risk treatment plan
66. Statement of Applicability
Shall include the following:
1. The necessary control objectives and controls
2. The justification for their inclusion, whether they are implemented or not
3. The justification for excluding controls from ISO 27001 Annex A
▪ Must be validated and approved
▪ One of the first documents that will be analysed by the certification auditor
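The risk assessment steps on slide 65 and the SoA contents on slide 66 are one procedure: score the risks, decide the treatment, then justify every control in or out. The following Python script is an added worked example and is not material from the workshop deck. It scores each risk from the asset's highest C/I/A valuation and the threat likelihood on assumed 1 to 5 scales, compares the score with an assumed risk acceptance level, picks a treatment option, and derives an SoA row for every control in a small catalogue, with a justification traceable to a treated risk or to a legal obligation, or a reason for exclusion. The asset register, threat scenarios, acceptance level, obligation and the mapping of risks to controls are all constructed; the control identifiers are a small subset of ISO/IEC 27001:2013 Annex A.

```python
"""Risk assessment feeding a Statement of Applicability (SoA).

Added worked example, not code from the workshop deck. The asset register,
threat scenarios, the 1-5 rating scales, the risk acceptance level and the
risk-to-control mapping are constructed for illustration; the control IDs
are a small subset of ISO/IEC 27001:2013 Annex A.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed risk criterion: any risk scoring above this level must be treated.
ACCEPTANCE_LEVEL = 8


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 (negligible) .. 5 (critical)
    integrity: int
    availability: int

    def value(self) -> int:
        # Worst-case valuation across the three properties.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    treating_controls: Tuple[str, ...]  # Annex A IDs that would reduce it

    def level(self) -> int:
        # Same inputs always give the same score: comparable and reproducible.
        return self.asset.value() * self.likelihood


def treatment_option(risk: Risk) -> str:
    """Retain risks inside the acceptance level; modify (apply controls) the
    rest, or avoid/share them where no control is available."""
    if risk.level() <= ACCEPTANCE_LEVEL:
        return "retain"
    return "modify" if risk.treating_controls else "avoid or share"


def risk_treatment_plan(risks: List[Risk]) -> List[Dict[str, object]]:
    """Risk register rows, highest risk first, each with its treatment."""
    return [{"id": r.rid, "asset": r.asset.name, "threat": r.threat,
             "level": r.level(), "treatment": treatment_option(r)}
            for r in sorted(risks, key=lambda x: x.level(), reverse=True)]


def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, str],
                               obligations: Dict[str, str],
                               implemented: Set[str]) -> List[Dict[str, object]]:
    """One SoA row per catalogue control: included with a justification that
    traces to a treated risk or an obligation, or excluded with a reason."""
    needed_by: Dict[str, List[str]] = {}
    for r in risks:
        if treatment_option(r) == "modify":
            for cid in r.treating_controls:
                needed_by.setdefault(cid, []).append(r.rid)
    soa = []
    for cid, title in catalogue.items():
        reasons = [f"treats {rid}" for rid in needed_by.get(cid, [])]
        if cid in obligations:
            reasons.append(f"required by {obligations[cid]}")
        soa.append({"control": cid, "title": title,
                    "included": bool(reasons),
                    "implemented": cid in implemented,
                    "justification": "; ".join(reasons) if reasons
                    else "no identified risk or obligation requires it"})
    return soa


# --- constructed sample register (not real data) ---
CRM = Asset("customer database", confidentiality=5, integrity=4, availability=3)
WIKI = Asset("public marketing wiki", confidentiality=1, integrity=2, availability=2)
SAMPLE_RISKS = [
    Risk("R-1", CRM, "ransomware", "no tested backups", 3, ("A.12.3.1", "A.12.2.1")),
    Risk("R-2", CRM, "credential stuffing", "no password policy", 4, ("A.9.4.3",)),
    Risk("R-3", WIKI, "defacement", "unpatched CMS", 2, ("A.12.6.1",)),
]
CATALOGUE = {
    "A.9.4.3": "Password management system",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.18.1.4": "Privacy and protection of personally identifiable information",
    "A.11.1.5": "Working in secure areas",
}
OBLIGATIONS = {"A.18.1.4": "data protection law"}  # assumed legal requirement
IMPLEMENTED = {"A.12.3.1", "A.9.4.3"}             # assumed current state

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_RISKS):
        print(row)
    for row in statement_of_applicability(SAMPLE_RISKS, CATALOGUE, OBLIGATIONS, IMPLEMENTED):
        print(row)
```

Because the score is a deterministic function of the recorded valuations and likelihood, two assessors given the same register produce the same ranking, which is what "comparable and reproducible results" asks for. A risk retained within the acceptance level (R-3 here) leaves its candidate control excluded from the SoA with a stated reason; a control that no risk needs but a law or contract demands (A.18.1.4) is pulled in by the obligations map, not the risk register, and the SoA still records that it is not yet implemented.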
68. Organizational Structure
• Governance structure
• Information Security Committee (normally chaired by the Chief Information Security Officer (CISO))
• Operational committees, as appropriate
Note: the InfoSec Committee should be described in the ISMS Policy:
▪ Membership
▪ Responsibilities
▪ Agenda items for meetings
69. Document Management
• Documented information required by the standard
• Documented information determined by the organization as being necessary for the effectiveness of the ISMS
The extent of documented information can differ by organization, depending on:
▪ Size of the organization
▪ Types of activities, processes, products and services
▪ Complexity of processes and their interactions
▪ Competence of personnel
71. Design of Controls & Procedures
• Controls should be specific and concise
• Should address: Who, What, When, Where, Why, How
• Example: The network administrator (Who) makes sure that backups are completed (What) by reviewing backup logs (How) each morning (When). Following the review, the network administrator completes and signs a checklist (Where) that is retained for future reference (Why).
72. Communication
The organization shall determine the need for internal and external communications relevant to the ISMS, including:
• What to communicate;
• When to communicate;
• With whom to communicate;
• Who shall communicate; and
• The processes by which communication shall be effected.
73. Communication (cont’d)
Interested parties to consider:
• Employees
• Investors
• Suppliers
• Customers/Clients
• Media
• Communities
74. Awareness and Training
Ensure the competence of those involved in the operation of the ISMS on the basis of education, training or experience:
• Identify required skills
• Evaluate education/training needs
• Implement a training program
A user who has not been properly informed, trained and made aware of the importance of information security is a potential risk to the security of the organization.
75. Awareness and Training (cont’d)
An awareness program is focused on encouraging better security behaviour:
• Policy dissemination
• Information about threats
• Individual responsibility for security
76. Implementation of Controls
▪ The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined to address identified risks.
▪ The organization shall also implement plans to achieve information security objectives.
▪ The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
77. Implementation of Controls (cont’d)
▪ The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects.
▪ The organization shall ensure that outsourced processes are determined and controlled.
78. Incident Management
▪ Ensure that security events are detected and identified
▪ Educate users about the risk factors that could cause security incidents
▪ Treat security incidents in the most appropriate and effective way
79. Incident Management (cont’d)
▪ Reduce the possible impact of incidents on the operations of the organization
▪ Prevent future security incidents and reduce their chance of occurrence
▪ Improve the security controls of the organization by correcting any deficiencies identified following the analysis of security incidents
80. Operations Management
▪ Once the ISMS project is complete, the ISMS is transferred to the operations of the organization
▪ Top management shall demonstrate leadership and commitment with respect to the ISMS by ensuring that the needed resources are available
▪ The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS
82. Monitoring and Measuring
▪ Identify the measurement objectives
▪ Select the attributes/objects that can be measured
▪ Create performance indicators
▪ Evaluate whether the objectives are achieved
▪ Improve the management system
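The backup control from slide 71 (the administrator reviews the backup logs each morning) is a natural subject for these measurement steps. The following Python script is an added worked example and is not material from the deck: it parses constructed backup log lines in an assumed format, takes the success rate over every scheduled job-day as the performance indicator, compares it with an assumed objective of 98 % successful jobs, and returns the record the morning review would retain as documented information. The job names, the daily schedule, the log format and the target are all assumptions.

```python
"""Measuring one ISMS control: daily backup completion.

Added worked example, not code from the workshop deck. The log format, the
job schedule, the measurement window and the 98 % target are constructed
for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed backup log lines (assumed format: date, job, status, detail).
SAMPLE_LOG = """\
2019-03-17 crm-db       OK       size=42G
2019-03-17 file-share   OK       size=310G
2019-03-17 mail         FAILED   error=media_full
2019-03-18 crm-db       OK       size=42G
2019-03-18 file-share   FAILED   error=timeout
2019-03-18 mail         OK       size=18G
"""

# Jobs the (assumed) schedule says must run every day.
SCHEDULED_JOBS: Tuple[str, ...] = ("crm-db", "file-share", "mail", "hr-records")

# Measurement objective (assumed): at least 98 % of scheduled jobs succeed.
TARGET_SUCCESS_RATE = 0.98

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(OK|FAILED)\b")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Attribute to be measured: one record per logged backup job."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            records.append({"date": m.group(1), "job": m.group(2),
                            "status": m.group(3)})
    return records


def backup_indicator(records: List[Dict[str, str]], days: List[str],
                     scheduled: Tuple[str, ...] = SCHEDULED_JOBS) -> Dict[str, object]:
    """Performance indicator: success rate over every scheduled job-day.

    A job that never ran leaves no log line at all, so the denominator comes
    from the schedule, not from the log; scanning the log for FAILED alone
    would silently miss it.
    """
    logged = {(r["date"], r["job"]): r["status"] for r in records}
    expected = [(d, j) for d in days for j in scheduled]
    failed = [f"{d} {j}" for d, j in expected if logged.get((d, j)) == "FAILED"]
    missing = [f"{d} {j}" for d, j in expected if (d, j) not in logged]
    ok = len(expected) - len(failed) - len(missing)
    rate = ok / len(expected) if expected else 0.0
    return {"expected": len(expected), "succeeded": ok, "failed": failed,
            "missing": missing, "success_rate": round(rate, 3),
            "objective_met": rate >= TARGET_SUCCESS_RATE}


def morning_review(text: str, days: List[str]) -> Dict[str, object]:
    """The documented information retained after the daily check: the
    indicator plus a flag the reviewer would raise as a nonconformity."""
    result = backup_indicator(parse_log(text), days)
    result["nonconformity"] = not result["objective_met"]
    return result


if __name__ == "__main__":
    print(morning_review(SAMPLE_LOG, ["2019-03-17", "2019-03-18"]))
```

The case worth noticing is the hr-records job: it never wrote a line, so a review that only looks for FAILED entries would score both days as healthy. Measuring against the schedule makes a job that silently did not run count the same as one that failed, and the retained record names both, which is what the corrective-action step in clause 10 needs to start from.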
84. Internal Audit
❖ Types of Audits
➢ First-party audits (internal audit)
➢ Second-party audits (audit by a principal, i.e. a customer or other interested party)
➢ Third-party audits (independent audit, e.g. by a certification body)
❖ Audit Charter
❖ Access and Independence
❖ Audit Procedures
❖ Audit Activities
85. External/Certification Audit
▪ Stage 1 (review of the ISMS documentation and readiness for Stage 2)
▪ Stage 2 (audit of implementation and effectiveness of the ISMS)
▪ Surveillance audits in the 2nd and 3rd year
Non-conformity
▪ Major
▪ Minor
86. Management Review
❖ Performed by top management at planned intervals (in practice at least annually)
❖ Agenda
▪ Status of actions from the previous review
▪ Changes in external and internal issues relevant to the ISMS
▪ Non-conformities and corrective actions
▪ Monitoring and measurement results
▪ Audit results
▪ Fulfilment of information security objectives
▪ Feedback from interested parties
▪ Results of risk assessment and status of the risk treatment plan
▪ Opportunities for continual improvement