ISO 27001 Certification: An All-Access Pass
Posted 13-Sep-2014, category: Business
Transcript of ISO 27001 Certification: An All-Access Pass (A-lign webinar slides)
Page 1
Connect with A-lign
Stay tuned - The webinar will begin at 2PM EST
Page 3: Presenter
Gene Geiger, CPA, CISSP, PCIP, QSA, ISO 27k LA, Director at A-lign
Page 4: Agenda
• An Overview of ISO 27001
• Certification Preparation
• Steps to Certification
• Ongoing Maintenance
• Q & A
Page 5: History of ISO 27001
• Risk-driven standard
• BS 7799 – 1990s
• ISO 27001:2005
• ISO 27001:2013
Page 6: Understanding ISO 27001
• Security Framework
– Living processes
– Monitors & improves information security
– Requires management involvement
– Requires ongoing activities
– Requires evidence from ISMS activities
Page 7: Understanding ISO 27001
• Key Terms/Concepts
– Information security management system
– Plan-do-check-act
– Risk assessment
– Statement of applicability
– Continuous improvement
– Management of security system & other compliance standards
Page 8: Polling Question 1
What is the most important component of an ISMS?
A. Management Involvement
B. Documented Policies
C. Defining the Scope
Page 9: Why Conform With ISO 27001
• Conformance vs. Compliance
• International Operations/Customers
• Meet Contractual Obligations
• Gain Competitive Advantage
• Evaluate Security Practices
Page 10: Overview of ISO 27000 Suite
• 27001 ISMS Specifications
• 27002 Controls
• 27003 Implementation Guide
• 27004 Metrics
• 27005 Risk Management
• 27006 Certification Guide
• 27007 Auditing Guide
• 27008 Technical Auditing
Page 11: Polling Question 2
Which ISO 27000 standard is an organization certified against?
A. 27002
B. 27007
C. 27001
D. 27004
Page 12: ISO 27001 Components
Organizational Context & Stakeholders
Information Security Leadership & High-Level Support for Policy
Planning an ISMS; Risk Assessment; Risk Treatment
Supporting an ISMS
Making an ISMS Operational
Reviewing the System's Performance
Corrective Action
Page 13: ISO 27001 Components
A.5 Information Security Policies
A.6 Organization of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical & Environmental Security
A.12 Operations Security
Page 14: ISO 27001 Components
A.13 Communications Security
A.14 System Acquisition, Development & Maintenance
A.15 Supplier Relationships
A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity Management
A.18 Compliance
Page 15: Certification Preparation
• Management commitment & approval
• Define ISMS scope & boundaries
• Information security requirements analysis
• Conduct risk assessment & treatment plan
• Design the ISMS
• Six to nine months
Reference: ISO 27003, Information technology — Security techniques — Information security management system implementation guidance
Page 16: Steps to Certification
• Selecting Certification Body
– Accredited
– Unaccredited
– Independence
• Scheduling Audit
– Stage 1 audit
– Stage 2 audit
• Calculating On-Site Time
Page 17: Polling Question 3
It is best to have your certification auditor help you develop your ISMS.
A. True
B. False
Page 18: Steps to Certification
• Certification Received
– Three-year certificate
• Surveillance Audit
– Years 2 & 3
– Timing
• Revocation/Suspension
Page 19: Ongoing Maintenance
• Previous Audit Concerns
– External audits
– Certification audits
– Internal audits
• Internal Audit
– Selecting the team
• Management Review
– Not a check-the-box process
Page 20: Ongoing Maintenance
• Continual Improvement
– Policies/processes/technology
– Measure it
• Changes in the Environment
• Complaints/Issues Tracking
Page 21: Polling Question 4
A Dedicated Internal Audit Department is not required to be ISO 27001 certified.
A. True
B. False
Page 22: Recommendations
• Understand the Level of Effort
• Obtain Outside Training
• Communicate with your CB
• Be Proactive