
Jatin Sehgal, Quality Manager, EY CertifyPoint, 2010-06-16

ISACA Lithuania Chapter (180) June meeting. ISMS Implementation Pitfalls & Misconceptions. Jatin Sehgal, Quality Manager, EY CertifyPoint, 2010-06-16. Agenda: 01 Introduction to ISO/IEC 27003:2010; 02 Completing the Deming Cycle (Plan-Do-Check-Act).



Presentation Transcript


  1. ISACA Lithuania Chapter (180) June meeting. ISMS Implementation Pitfalls & Misconceptions. Jatin Sehgal, Quality Manager, EY CertifyPoint, 2010-06-16

  2. Agenda
     • 01 Introduction to ISO/IEC 27003:2010
     • 02 Completing the Deming Cycle (Plan-Do-Check-Act)
     • 03 Achieving performance during ISMS implementation
     • 04 Defining Scope & Boundaries of ISMS
     • 05 Challenges faced by organizations when implementing an ISMS
     • 06 Common Pitfalls and Mistakes in ISMS Implementation

  3. Introduction to ISO/IEC 27003:2010

  4. ISO 27003:2010 - Introduction
     • Introduction
     • Scope
     • Terms and definitions
     • Obtaining management approval for initiating an ISMS project
     • Defining ISMS scope, boundaries and ISMS policy
     • Conducting information security requirements analysis
     • Conducting risk assessment and planning risk treatment
     • ISMS improvement
     • Designing the ISMS
     • Appendix A: Checklist description
     • Appendix B: Roles and responsibilities for Information Security
     • Appendix C: Information about Internal Auditing
     • Appendix D: Structure of policies
     • Appendix E: Monitoring and measuring
     This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.

  5. What do you want to achieve?

  6. Completing the Deming Cycle (Plan-Do-Check-ACT)

  7. The DEMING CYCLE – Plan, Do, Check, Act [diagram: the Deming Cycle with its four phases Plan, Do, Check and Act]

  8. Information Security Management System
     • A management system is a proven framework for managing and continually improving an organization's policies, procedures and processes.
     • An ISMS is part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
     • A management system is a means by which business processes remain aligned with the business and are repeatable. Combined with the information security objectives, the ISMS is defined using a Plan-Do-Check-Act cycle.
     • Plan-Do-Check-Act is a cyclical process.
     • With each iteration you can expand the policy and objectives, and the scope of the ISMS.

  9. Information Security Management System
     • Documentation requirements
       • A successful ISMS meeting the requirements of ISO 27001:2005 requires documentation
       • If an organization is planning to become certified, documentation will be essential
       • Certifying bodies performing audits will use documentation as an integral component of the certification process
       • This is where many companies fail!
     • Management requirements
       • ISO/IEC 27001:2005 defines certain management responsibilities and requirements
       • These include commitment to the ISMS, resource management, and training, awareness and readiness
       • Management needs to understand the key role they play in a successful ISMS
     • Information Security Control requirements
       • Based on the outcome of the IS risk assessment and management decisions (expectations)

  10. The ISMS in More Detail
     Plan: Establish ISMS
     • Define the scope & boundaries
     • Define ISMS policy
     • Define risk assessment approach
     • Identify and assess risks
     • Evaluate options for treatment of risks
     • Selection of controls (Annex A)
     • Obtain management approval
     • Prepare a Statement of Applicability
     Do: Implement and operate ISMS
     • Formulate and implement risk treatment plan
     • Implement selected controls
     • Implement training and awareness programs
     • Manage operations of the ISMS
     • Manage resources for the ISMS
     • Implement procedures for detecting/handling security incidents
     Check: Monitor and review ISMS
     • Execute monitoring procedures
     • Review and measure effectiveness of ISMS
     • Conduct internal ISMS audits
     • Undertake management review
     • Update security plans
     • Record actions and events that impact ISMS
     Act: Maintain and improve ISMS
     • Implement identified improvements
     • Take corrective and preventive actions
     • Communicate actions and improvements

  11. Management framework policies relating to ISO 27001:2005 Requirement 4 (ISMS Design)
     • Level 1: Policy, scope, risk assessment, Statement of Applicability
     • Level 2: Policies/Procedures; describes processes: who, what, when, where (4.1-4.10)
     • Level 3: Work instructions, checklists, forms, etc.; describes how tasks and specific activities are done
     • Level 4: Records; provides objective evidence of compliance to ISMS requirements (clause 3.6)

  12. Achieving performance during ISMS implementation

  13. Achieving performance during ISMS implementation
     • Spend time to clearly define the scope & boundaries of the ISMS.
     • Develop an ISMS Project Plan and get it approved by Management.
     • Identify quick-win solutions and do not wait for the release of the ISPP.
     • Leave a gap between the release date and the effective date of the ISMS to identify opportunities for improvement.
     • Keep management involved at each step and define critical success factors.
     • Categorize the implementation of security controls by “High”, “Medium” and “Low” priority.
     • Identify implementation interdependencies at an initial stage and prioritize accordingly.
     • Keep pace with changes in the security environment that might affect implementation.
     • Treat it like a formal security project.
     • Arrange workshops and awareness sessions and prepare communication strategies to spread knowledge from the beginning.
     • Secure the required resources for the project before initiating it.

  14. Defining Scope & Boundaries of ISMS

  15. Defining Scope & Boundaries of ISMS (dimensions of the ISMS scope)
     • Location: Office Buildings, Rooms, Remote Locations, Sites, etc.
     • Enterprise Assets: Hardware, Software, People, Services, etc.
     • Organization & Structure: Departments, Business Processes, Roles, etc.
     • Technology: Applications, Servers, Network Infrastructure, Domains/Security Zones, etc.

  16. Challenges faced by organizations when implementing an ISMS

  17. Challenges faced by organizations when implementing an ISMS
     • Lack of management commitment (inadequate governance/enforcement) and budget;
     • Bringing about cultural change in the organization (resistance by employees, or security perceived as an additional burden);
     • Lack of skilled resources;
     • Unclear or unrealistic scope and boundaries of the ISMS (confusion about where to start and where to stop);
     • Legacy systems hinder the implementation of security controls;
     • Confusion about whether processes should be automated or manual;
     • Too many tools to choose from, but none suiting the exact requirements;
     • Fear of losing operations, leading to sluggish progress;
     • Lack of clarity about end results;
     • Roles not clear to employees;
     • Lack of knowledge of risk exposures or of changes to the risk appetite;
     • Lack of ownership & integration amongst the various (in-scope) departments;
     • A perception of the ISMS as a highly complex system and a seemingly huge task;
     • Too many versions of the same document, resulting in confusion.

  18. Common Pitfalls and Mistakes in ISMS Implementation

  19. Common Pitfalls
     • Pressure to go for certification immediately after the implementation of an ISO 27001 ISMS.
     • Losing sight of the mandatory requirements of ISO 27001:2005.
     • Written policies and procedures that are not mapped to the SoA and ISMS requirements;
     • Risk assessment results not linked with the selection of controls;
     • Evidence of management support not sufficient or not clear;
     • Security policies that are vague (too high level) or too complex;
     • Lack of understanding of security responsibilities and management intent;
     • Lack of resources for ISMS implementation, leading to an unmanageably long project;
     • No way of fully understanding the security program's deficiencies, and no standardized way of improving upon them;
     • Lack of knowledge of applicable regulations, laws or policies;
     • Relying fully on technology, or fully on manual procedures, for all security solutions;
     • A “fire alarm” approach to breaches instead of a calm, proactive and detective approach;
     • A false sense of security with an undercurrent of confusion;
     • Lack of integration with business processes;
     • Bypassing policies and taking exceptions, losing the spirit of the ISMS.

  20. Questions

  21. Ernst & Young CertifyPoint. Thank You. Jatin Sehgal, +31 6 2908 4825, Jatin.sehgal@nl.ey.com
