
Jatin Sehgal, Quality Manager, EY CertifyPoint, 2010-06-16 - PowerPoint PPT Presentation


ISACA Lithuania Chapter (180) June meeting. ISMS Implementation Pitfalls & Misconceptions. Jatin Sehgal, Quality Manager, EY CertifyPoint, 2010-06-16. Agenda: 01 Introduction to ISO/IEC 27003:2010; 02 Completing the Deming Cycle (Plan-Do-Check-Act)

PowerPoint Slideshow about 'Jatin Sehgal, Quality Manager, EY CertifyPoint, 2010-06-16' - yeva

Presentation Transcript

ISACA Lithuania Chapter (180) June meeting

ISMS Implementation Pitfalls & Misconceptions

Jatin Sehgal, Quality Manager, EY CertifyPoint, 2010-06-16


Agenda

  • 01 Introduction to ISO/IEC 27003:2010

  • 02 Completing the Deming Cycle (Plan-Do-Check-ACT)

  • 03 Achieving performance during ISMS implementation

  • 04 Defining Scope & Boundaries of ISMS

  • 05 Challenges faced by organizations when implementing an ISMS

  • 06 Common Pitfalls and Mistakes in ISMS Implementation

ISO 27003:2010 - Introduction

  • Introduction

  • Scope

  • Terms and definitions

  • Obtaining management approval for initiating an ISMS project

  • Defining ISMS scope, boundaries and ISMS policy

  • Conducting information security requirements analysis

  • Conducting risk assessment and planning risk treatment

  • ISMS improvement

  • Designing the ISMS

  • Appendix A : Checklist description

  • Appendix B : Roles and responsibilities for Information Security

  • Appendix C : Information about Internal Auditing

  • Appendix D: Structure of policies

  • Appendix E: Monitoring and measuring

This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.

The Deming Cycle – Plan, Do, Check, Act

[Figure: Deming cycle diagram (Plan, Do, Check, Act)]
Information Security Management System

  • A management system is a proven framework for managing and continually improving an organization's policies, procedures and processes.

  • An ISMS is part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

  • A management system is the means by which business processes stay aligned with the business and remain repeatable. Together with the information security objectives, the ISMS is defined using the Plan-Do-Check-Act cycle.

  • Plan-Do-Check-Act is a cyclical process

    • With each iteration you can expand the policy and objectives, and the scope of the ISMS.

Information Security Management System

  • Documentation requirements

  • An ISMS that meets the requirements of ISO/IEC 27001:2005 requires documentation

  • If an organization is planning to become certified, documentation will be essential

    • Certifying bodies performing audits will use documentation as integral component of certification process

  • This is where many companies fail!

  • Management requirements

  • ISO/IEC 27001:2005 defines certain management responsibility and requirements

    • These include commitments to the ISMS, resource management, and training, awareness, and readiness

  • Management needs to understand the key role they play in a successful ISMS

  • Information Security Control requirements

  • Based on the outcome of the information security risk assessment and on management decisions (expectations)

The ISMS in More Detail

  • Establish the ISMS (Plan)

    • Define the scope and boundaries

    • Define the ISMS policy

    • Define the risk assessment approach

    • Identify and assess risks

    • Evaluate options for treatment of risks

    • Select controls (Annex A)

    • Obtain management approval

    • Prepare a Statement of Applicability

  • Implement and operate the ISMS (Do)

    • Formulate and implement the risk treatment plan

    • Implement the selected controls

    • Implement training and awareness programs

    • Manage operations of the ISMS

    • Manage resources for the ISMS

    • Implement procedures for detecting and handling security incidents

  • Monitor and review the ISMS (Check)

    • Execute monitoring procedures

    • Review and measure the effectiveness of the ISMS

    • Conduct internal ISMS audits

    • Undertake management review

    • Update security plans

    • Record actions and events that impact the ISMS

  • Maintain and improve the ISMS (Act)

    • Implement identified improvements

    • Take corrective and preventive actions

    • Communicate actions and improvements


Management framework

  • Level 1: Policy, scope, risk assessment, Statement of Applicability – the ISMS design, i.e. policies relating to ISO 27001:2005 Requirement 4

  • Level 2: Describes processes – who, what, when, where (4.1-4.10)

  • Level 3: Work instructions, forms, etc. – describes how tasks and specific activities are done

  • Level 4: Provides objective evidence of compliance with ISMS requirements (clause 3.6)



Achieving performance during ISMS implementation

  • Spend time to clearly define the scope & boundaries of ISMS.

  • Develop an ISMS Project Plan and get it approved by Management.

  • Identify quick-win solutions and do not wait for the release of the ISPP.

  • Leave a gap between the release date and the effective date of the ISMS so that opportunities for improvement can be identified.

  • Keep management involved at each step and define critical success factors.

  • Categorize the implementation of security controls by "High", "Medium" and "Low" priority.

  • Identify implementation interdependencies at an initial stage and prioritize accordingly.

  • Keep pace with the changes in the security environment that might affect implementation.

  • Treat it like a formal security project.

  • Arrange workshops, awareness sessions and prepare communication strategies to spread knowledge from the beginning.

  • Secure required resources for the project before initiating.

Defining Scope & Boundaries of ISMS

The scope is defined along the organizational, physical, asset and ICT dimensions:

  • Organization & Structure: departments, business processes, roles, etc.

  • Physical boundaries: office buildings, rooms, remote locations, sites, etc.

  • Enterprise Assets: hardware, software, people, services, etc.

  • ICT boundaries: applications, servers, network infrastructure, domains/security zones, etc.

Challenges faced by organizations when implementing an ISMS

  • Lack of management commitment (inadequate governance/enforcement) and budget;

  • Bringing about cultural change in the organization (resistance by employees, or security perceived as an additional burden);

  • Lack of skilled resources;

  • Unclear or unrealistic scope and boundaries of the ISMS (confusion about where to start and where to stop);

  • Legacy systems hinder the implementation of security controls;

  • Confusion over which processes should be automated and which run manually;

  • Too many tools to choose from, but none suiting the exact requirements;

  • Fear of disrupting operations, leading to sluggish progress;

  • Lack of clarity about the end results;

  • Roles not clear to employees;

  • Lack of knowledge of risk exposures or of changes to the risk appetite;

  • Lack of ownership and integration among the various (in-scope) departments;

  • A perception of the ISMS as a highly complex system and a seemingly huge task;

  • Too many versions of the same document, resulting in confusion.

Common Pitfalls

  • Pressure to go for certification immediately after implementation of an ISO 27001 ISMS;

  • Losing sight of the mandatory requirements of ISO 27001:2005;

  • Written policies and procedures that are not mapped to the SoA and the ISMS requirements;

  • Risk assessment results that are not linked to the selection of controls;

  • Evidence of management support that is insufficient or unclear;

  • Security policies that are vague (too high-level) or too complex;

  • Lack of understanding of security responsibilities and management intent;

  • Lack of resources for ISMS implementation, leading to an unmanageably long project;

  • No way of fully understanding the security program's deficiencies, and no standardized way of improving on them;

  • Lack of knowledge of applicable regulations, laws or policies;

  • Relying entirely on technology, or entirely on manual procedures, for all security solutions;

  • A "fire alarm" approach to breaches instead of a calm, proactive and detective approach;

  • A false sense of security with an undercurrent of confusion;

  • Lack of integration with business processes;

  • Bypassing policies and granting exceptions, losing the spirit of the ISMS.
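Several of the pitfalls above (policies not mapped to the SoA, risk assessment results not linked to control selection, insufficient justification in the SoA, too many versions of the same document) are traceability gaps that can be checked mechanically once the risk register, the Statement of Applicability and the policy set are kept as structured records rather than free-form documents. The script below is an added example, not part of the presentation and not EY CertifyPoint tooling; the risk register entries, SoA rows, policy identifiers (POL-nnn) and version lists are constructed sample data, and the Annex A numbers are used only as illustrative control identifiers.

```python
"""Traceability check: risk register -> Statement of Applicability -> policies.

Added example (not from the presentation). All records below are constructed
sample data; Annex A identifiers are illustrative, POL-nnn ids are hypothetical.
"""
from collections import defaultdict

# Constructed risk register: each risk lists the controls selected to treat it.
RISK_REGISTER = [
    {"id": "R-01", "asset": "HR database",    "treatment": "mitigate",
     "controls": ["A.11.2.1", "A.10.10.1"]},
    {"id": "R-02", "asset": "Server room",    "treatment": "mitigate",
     "controls": ["A.9.1.1"]},
    {"id": "R-03", "asset": "Laptops",        "treatment": "mitigate",
     "controls": ["A.10.7.1"]},
    {"id": "R-04", "asset": "Payroll system", "treatment": "accept",
     "controls": []},
    {"id": "R-05", "asset": "Backup media",   "treatment": "mitigate",
     "controls": []},                       # mitigate, but nothing selected
]

# Constructed SoA: control -> applicable?, justification, implementing policy.
SOA = {
    "A.5.1.1":   {"applicable": True,  "justification": "Mandatory policy document",
                  "policy": "POL-001"},
    "A.9.1.1":   {"applicable": True,  "justification": "Treats R-02",
                  "policy": "POL-007"},
    "A.10.7.1":  {"applicable": False, "justification": "",
                  "policy": None},        # excluded, yet selected by R-03
    "A.10.10.1": {"applicable": True,  "justification": "Treats R-01",
                  "policy": None},        # applicable, but no policy implements it
    "A.11.2.1":  {"applicable": True,  "justification": "",
                  "policy": "POL-009"},   # applicable, but no justification
}

# Constructed policy set: policy id -> versions currently in circulation.
POLICIES = {
    "POL-001": ["1.0"],
    "POL-007": ["1.0"],
    "POL-009": ["2.0", "2.1-draft", "2.1"],  # three versions in circulation
    "POL-012": ["1.0"],                      # not referenced by any SoA row
    "POL-020": ["1.0"],                      # not referenced by any SoA row
}


def check_traceability(risks, soa, policies):
    """Cross-check the three registers and return findings grouped by gap type.

    An empty dict means the chain risk -> control -> policy is consistent.
    Keys only appear when at least one finding of that kind exists.
    """
    findings = defaultdict(list)
    applicable = {c for c, row in soa.items() if row["applicable"]}

    # 1. Risk treatment must drive control selection, and every selected
    #    control must be present and applicable in the SoA.
    for risk in risks:
        if risk["treatment"] == "mitigate" and not risk["controls"]:
            findings["risk_without_controls"].append(risk["id"])
        for control in risk["controls"]:
            if control not in soa:
                findings["control_missing_from_soa"].append(f"{risk['id']} -> {control}")
            elif not soa[control]["applicable"]:
                findings["control_excluded_in_soa"].append(f"{risk['id']} -> {control}")

    # 2. Every applicable control needs a justification and an implementing policy.
    for control in sorted(applicable):
        row = soa[control]
        if not row["justification"].strip():
            findings["control_without_justification"].append(control)
        if row["policy"] is None or row["policy"] not in policies:
            findings["control_without_policy"].append(control)

    # 3. Policies must map back to the SoA and exist in exactly one version.
    referenced = {soa[c]["policy"] for c in applicable}
    for policy, versions in sorted(policies.items()):
        if policy not in referenced:
            findings["policy_not_mapped_to_soa"].append(policy)
        if len(versions) > 1:
            findings["policy_version_conflict"].append(
                f"{policy}: {', '.join(versions)}")

    return dict(findings)


if __name__ == "__main__":
    for kind, items in check_traceability(RISK_REGISTER, SOA, POLICIES).items():
        print(f"{kind}:")
        for item in items:
            print(f"  - {item}")
```

Run against the sample data, the check reports R-05 as a mitigated risk with no controls, R-03 as selecting a control the SoA excludes, A.11.2.1 as applicable without justification, A.10.10.1 as applicable without an implementing policy, POL-012 and POL-020 as policies no SoA row maps to, and POL-009 as circulating in three versions. The point is not the script but the discipline it enforces: each of these gaps is something a certification auditor will find by hand, so the registers should be structured well enough that the organization can find them first.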

Thank you

Ernst & Young CertifyPoint


Jatin Sehgal

+31 6 2908 4825

[email protected]