ISACA Lithuania Chapter (180) June meeting: ISMS Implementation Pitfalls & Misconceptions. Jatin Sehgal, Quality Manager, EY CertifyPoint, 2010-06-16.
Agenda

  • 01 Introduction to ISO/IEC 27003:2010
  • 02 Completing the Deming Cycle (Plan-Do-Check-Act)
  • 03 Achieving performance during ISMS implementation
  • 04 Defining Scope & Boundaries of ISMS
  • 05 Challenges faced by organizations when implementing an ISMS
  • 06 Common Pitfalls and Mistakes in ISMS Implementation
ISO 27003:2010 - Introduction
  • Introduction
  • Scope
  • Terms and definitions
  • Obtaining management approval for initiating an ISMS project
  • Defining ISMS scope, boundaries and ISMS policy
  • Conducting information security requirements analysis
  • Conducting risk assessment and planning risk treatment
  • ISMS improvement
  • Designing the ISMS
  • Appendix A : Checklist description
  • Appendix B : Roles and responsibilities for Information Security
  • Appendix C : Information about Internal Auditing
  • Appendix D: Structure of policies
  • Appendix E: Monitoring and measuring

This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.


The Deming Cycle – Plan, Do, Check, Act

(Figure: Deming Cycle – Plan, Do, Check, Act)
Information Security Management System

  • A management system is a proven framework for managing and continually improving an organization's policies, procedures and processes.
  • An ISMS is part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
  • A management system is a means by which business processes remain aligned with the business and are repeatable. Combined with the information security objectives, the ISMS is defined using a Plan-Do-Check-Act cycle.
  • Plan-Do-Check-Act is a cyclical process
    • With each iteration you can expand the policy and objectives, and the scope of the ISMS.

Information Security Management System

  • Documentation requirements
  • A successful ISMS meeting the requirements of ISO 27001:2005 requires documentation
  • If an organization is planning to become certified, documentation will be essential
    • Certifying bodies performing audits will use documentation as an integral component of the certification process
  • This is where many companies fail!
  • Management requirements
  • ISO/IEC 27001:2005 defines certain management responsibility and requirements
    • These include commitments to the ISMS, resource management, and training, awareness, and readiness
  • Management needs to understand the key role they play in a successful ISMS
  • Information Security Control requirements
  • Based on the outcome of IS risk assessment and management decision (expectations)

The ISMS in More Detail

  • Establish the ISMS (Plan)
    • Define the scope and boundaries
    • Define the ISMS policy
    • Define the risk assessment approach
    • Identify and assess risks
    • Evaluate options for treatment of risks
    • Select controls (Annex A)
    • Obtain management approval
    • Prepare a Statement of Applicability
  • Implement and operate the ISMS (Do)
    • Formulate and implement the risk treatment plan
    • Implement selected controls
    • Implement training and awareness programs
    • Manage operations of the ISMS
    • Manage resources for the ISMS
    • Implement procedures for detecting and handling security incidents
  • Monitor and review the ISMS (Check)
    • Execute monitoring procedures
    • Review and measure effectiveness of the ISMS
    • Conduct internal ISMS audits
    • Undertake management review
    • Update security plans
    • Record actions and events that impact the ISMS
  • Maintain and improve the ISMS (Act)
    • Implement identified improvements
    • Take corrective and preventive actions
    • Communicate actions and improvements



Management framework – policies relating to ISO 27001:2005 Requirement 4 (ISMS Design)

  • Level 1: Policy, scope, risk assessment, statement of applicability
  • Level 2: Describes processes – who, what, when, where (4.1–4.10)
  • Level 3: Work instructions, forms, etc. – describes how tasks and specific activities are done
  • Level 4: Provides objective evidence of compliance to ISMS requirements (clause 3.6)


Introduction to Information Security Management System (3)


Achieving performance during ISMS implementation

  • Spend time to clearly define the scope & boundaries of ISMS.
  • Develop an ISMS Project Plan and get it approved by Management.
  • Identify quick-win solutions and do not wait for the release of the ISPP.
  • Keep the release date and effective date of ISMS with some gap to identify opportunities for improvement.
  • Keep management involved at each step and define critical success factors.
  • Categorize implementation of Security Controls based on the “High”, “Medium” and “Low” priority.
  • Identify implementation interdependencies at an initial stage and prioritize accordingly.
  • Keep pace with the changes in the security environment that might affect implementation.
  • Treat it like a formal security project.
  • Arrange workshops, awareness sessions and prepare communication strategies to spread knowledge from the beginning.
  • Secure required resources for the project before initiating.


Defining Scope & Boundaries of ISMS

  • Organization & Structure: Departments, Business Processes, Roles, etc.
  • Enterprise Assets: Hardware, Software, People, Services, etc.
  • Office Buildings, Rooms, Remote Locations, Sites, etc.
  • Applications, Servers, Network Infrastructure, Domains/Security Zones, etc.
Challenges faced by organizations when implementing an ISMS
  • Lack of management commitment (inadequate governance/enforcement) and budget;
  • Bringing the cultural change in the organization (resistance by employees or feeling of security as an additional burden);
  • Lack of skilled resources;
  • Unclear or unrealistic scope and boundaries of ISMS (confusion on where to start and where to stop);
  • Legacy systems hinder the implementation of security controls;
  • Confusion over whether processes should be automated or performed manually;
  • Too many tools to choose from, but none suited to the exact requirements;
  • Fear of losing operations, leading to sluggish progress;
  • Lack of clarity of end results;
  • Roles not clear to employees;
  • Lack of knowledge of risk exposures or changes to the risk appetite;
  • Lack of ownership & integration amongst various (in scope) departments;
  • A perception of ISMS as a highly complex system and seemingly huge task;
  • Too many versions of the same document, resulting in confusion.
Common Pitfalls
  • Pressure to go in for certification immediately after the implementation of an ISO 27001 ISMS;
  • Losing sight of the mandatory requirements of ISO 27001:2005;
  • Written policies and procedures that are not mapped to the SoA and ISMS requirements;
  • Risk assessment results are not linked with the selection of controls;
  • Evidence of management support is insufficient or unclear;
  • Security policies are vague (too high level) or too complex;
  • Lack of understanding of security responsibilities and management intent;
  • Lack of resources for ISMS implementation, leading to an unmanageably long project;
  • No way of fully understanding the security program deficiencies, and no standardized way of improving upon them;
  • Lack of knowledge of applicable regulations, laws, or policies;
  • Relying fully on technology or on manual procedures for all security solutions;
  • A “fire alarm” approach to any breaches instead of a calm, proactive and detective approach;
  • A false sense of security with an undercurrent of confusion;
  • Lack of integration with business processes;
  • Bypassing policies and taking exceptions, losing the spirit of the ISMS.
Thank you

Jatin Sehgal
Ernst & Young CertifyPoint
+31 6 2908 4825
jatin.sehgal@nl.ey.com