ISMS Certification Challenges
First Legion Consulting
ISMS Certification Challenges in Ten Minutes (Promise)
Vicente Aceituno, ISM3 Consortium
November, 2006
ISMS Certification
Why do companies go for ISMS certification? The main reason is that they want to show they are serious about information security. This doesn't necessarily mean that they are serious about information security.
ISMS Certification
What is certification good for? It is a driver for the implementation of better ISM practices.
ISMS Certification - Trust
Establishing trust relationships.
ISMS Certification - Trust
Trust relationships with third parties, like partners, customers and suppliers:
– A way to evidence the organization's stance on security;
– A part of a contract to ensure commitment by one of the parties to security management;
– A selling point for vendors;
– A possible requirement for outsourcing providers;
– A mechanism to ensure mutual understanding of the services obtained from a security outsourcing provider.
ISMS Certification - Spain
ISMS certifications in Spain: ISO27001: 8; UNE71502 (in Spanish): 30+.
Language issue: few people over 30 speak English in Spain. This was a major driver for translating and slightly improving BS7799-2, which became UNE71502.
Drawback: BS7799-2, UNE71502 and ISO27001 followed one another quickly. This caused confusion in the market.
ISMS Certification - Challenges
Challenges (1/3): Certification doesn't guarantee performance.
Performance depends on the budget, the capability and the commitment of those involved in running it.
Certification only guarantees that the cause of faults is not poor process design.
Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders.
Bogus certifications might arise from choosing scope and controls to be accredited.
ISMS Certification - Challenges
One specification, different implementations. If you get the same certificate for different implementations, the market reputation you will get is that of the worst implementation.
ISMS Certification - Challenges
Challenges (2/3): Some threats fall out of the scope of information security:
– Human error;
– Incompetence;
– Fraud;
– Corruption.
ISMS Certification - Challenges
Challenges (3/3): Certification alone doesn't take capability levels beyond "Managed":
– Undefined. The process might be used, but it is not defined.
– Defined. The process is documented and used.
– Managed. The process is Defined and the results of the process are used to fix and improve the process.
– Controlled. The process is Managed, and milestones and the need for resources are accurately predicted.
– Optimized. The process is Controlled and improvement leads to a saving in resources.
ISMS Certification - Challenges
1. Incidents happen, ISO27001 or no ISO27001.
2. Security is a negative result (no incidents equals security).
3. But if just one incident happening meant the ISMS had failed, then all ISO27001 implementations would be failures.
4. How can you tell a successful ISO27001 from a failed one? Can that depend on a single incident? How many incidents are too many?
5. How can you improve an ISMS cost-effectively if you don't know when good is good enough?
ISMS Certification - Summary
Certification doesn't guarantee performance.
Bad performers damage the reputation of all certificate holders.
Pick-and-choose ISMSs and narrow Statements of Applicability are a threat to the success of ISMS certificates.
Criteria to determine the success or failure of ISMSs are badly needed.
Learn to implement High Performance Security Management Processes: http://cli.gs/ism3
Web: www.inovement.es
Video Blog: youtube.com/user/vaceituno
Blog: ism3.com
Twitter: twitter.com/vaceituno
Presentations: slideshare.net/vaceituno/presentations
Articles: slideshare.net/vaceituno/documents
ISMS Certification
You can check the information security management methodology ISM3 at: www.ism3.com
THANKS