Iso27001- Nashwan Mustafa

Internet Society © 1992–2016
Supporting content
ISO/IEC 27001:2013
INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS) OVERVIEW AND
INTRODUCTION
Presented by :
ENG. Nashwan Mustafa Mohammed Abdulatef
Feb 2018
Presentation title – Client nameCopyright Nashwan Mustafa 2018 ISO27001:2013

2Copyright Nashwan Mustafa 2018 ISO27001:2013
Profile of Trainer
• Name : Nashwan Mustafa Mohammed Abdulatef
• Years of Experience : 15 years
• Academic Background : B.Sc in Electrical Engineering (computer & controlling specialist)
from Sana’a (1997-2002), Master Degree in Information Technology from OUM (Open University
Malaysian ) (2010-2013).
• Qualification Certified:
 Cisco Certified in CCNA, CCNP, CCDP ARCH 300-320 and CCIE Security Written exam V4.0
with Cisco ID (CSCO11011027).
 ITIL Foundation V3 certified.
 ITIL Intermediate 2011 SOA, PPO, RCV, OSA, and MALC certified.
 ITIL Expert 2011 certified.
• Qualification Certificate:
 Training Course in CCNP in IMS Asia in Malaysia.
 Training Course in CCSP in Training Partner in Malaysia.
 Training Course in MCSE 2003 in New Horizon in Sana’a.
 Training Course in Sun administration 10 I,II from YCC in Sana'a.

Profile of Trainer
 Training Course in VMware Installation and configuration from SC in India.
 Training Course in ISO 27001 Training Course from Al-Jawdah Company Itd.
 Training Course in ITIL Foundation V3 in Excutrain in Sana’a.
 Training Course in CISSP in Karrox in India.
 Training Course in CISM in Karrox in India.
 Training Course in PMP in Karrox in India.
 Training Course in BCP in Karrox in India.
 Training Course in PCIP in Karrox in India.
 Training Course in ITIL Service Management in Karrox in India.
 Training Course in Ethical Hacking in Karrox in India.
 Training Course in ISO 27001 in Karrox in India.
 Training Course in CISA in Excutrain in Sana’a.
 Training Course in Information Security Governance in Excutrain in Sana’a.
 Training Course in ISMS ISO 27001 Introduction, Implementation, and Audit in Nota Asia
in Malaysia.
 Training Course in CRISC in Value in Sana’a.
 Training Course in ITIL Expert 2011 in Egybyte in Turkey.

Profile of Trainer
• Professional Background:-
 I have been working for fourteen years as network and security administrator in Public
Telecommunication Company (PTC), I work in many positions started from ( 2003-2010) as a
network engineer, head of information security section from (2010-2012), and now head of
technical planning & studies from (2012-Now).
• Consulting and IT Projects(2003-now):-
 Prepare and make the RFP for PTC Data Center.
 Prepare and make the RFP for many projects for PTC such as:-
 CBS(Convergent Billing System).
 IPCC (IP contact Center).
 E-Governance security second stage.
 Information security policy ISO 27001.
 PTC CCTV.
 PTC DR & BC (disaster recovery and business continuity plans).
 Work in PTC Yemen Restructuring Project done by a consulting company which is Detecon
Company.

Copyright Nashwan Mustafa 2018 ISO27001:2013
AGENDA
• What is Information Security Management System (ISMS)?
• What are the standards, laws, and regulations out there
that will help you build or assess your InfoSec Management
Program?
• What is ISO/IEC 27001:2013?
• What are the ISO/IEC 27001
Controls?
• What are the benefits of
adopting ISO 27001?
6

What is Information?
7

What is Information?
'Information is an asset which, like other important business
assets, has value to an organization and consequently needs
to be suitably protected’
ISO/IEC 27002:2005
8

INFORMATION LIFE-CYCLE AND DISPOSITION
Information can be :
 Created
 Stored
 Destroyed
 Processed
 Transmitted
 Used (for proper and improper purposes)
 Corrupted
 Lost
 Stolen
9

INFORMATION TYPES
Information can be :
 Printed or written on paper
 Stored electronically
 Transmitted by post or electronic means
 Shown on videos
 Displayed or published on web
 Verbal ie spoken in conversations
 Received by listener or receiver (intentionally or inadvertently)
‘…Whatever form the information takes, or means by
which it is shared or stored, it should always be appropriately protected’
(ISO/IEC 27002:2005)
10

Information Security
11

WHAT IS INFORMATION
SECURITY?
Reference: ISO/IEC 27001Information Security Management Systems
• Confidentiality - the property that information is not disclosed to
unauthorized individuals, entities, or processes
• Integrity - the property of safeguarding the accuracy and completeness of information
• Availability - the property of being accessible and usable upon demand by an authorized
individuals, entities, or processes
12

HOW DO WE ADDRESS RISKS TO
INFORMATION SECURITY?
 Understand the threats
 Mitigate the risks
 Security strategy – people, process, technology
 Establish security requirements:
 Risk assessment
 Legal, statutory, regulatory and contractual requirements
 Set of principles, objectives and business requirements for information processing that an
organization has developed to support its operations
13

INFORMATION SECURITY
FRAMEWORK
Protection of information can be achieved
by identifying and implementing a suitable
set of controls. The implementation of
controls can be managed systematically by
implementing Information Security
Management System (ISMS)
Adoption of ISMS is a strategic decision for an
organization
14

What is ISMS?
• Part of the overall management system, based on a business risk approach, to
establish, implement, operate, monitor, review, maintain and improve information
security (ISO definition)
Note: A management system is a set of interrelated or interacting elements of an organization to establish
policies and objectives and processes to achieve those objectives.
The scope of a management system may include the whole of the organization, specific and identified
functions of the organization, specific and identified sections of the organization, or one or more functions
across a group of organizations.
• Influenced by the organization’s needs and objectives, security requirements, the
processes employed and the size and structure of the organization.
• Expected to change over time.
• A holistic approach to managing information security – confidentiality, integrity, and
availability of information and data.
15

What are the InfoSec‐related standards, laws and regulations?
16
ISO 27000 Family of International Standards
Provides the best practice recommendations on InfoSec
management, risks and controls within the context of an overall
ISMS.
ISO 27000: Overview and Vocabulary (2014)
ISO 27001: ISMS Requirements (2013)
ISO 27002: Code of Practice (2013)
ISO 27003: ISMS Implementation Guidance (2010)
ISO 27004: ISM Measurement (2009)
ISO 27005: InfoSec Risk Management (2011)
ISO 27006: Requirements for Bodies Providing Audit and
Certification of ISMS (2011)
ISO 27007 – 27008: Guidelines for Auditing InfoSec
Controls (2011)
ISO 27014: Governance of InfoSec (2013)
ISO 27015: ISM Guidelines for Financial Services (2012)
‐ www.iso.org
Other Standards
Payment Card Industry Data Security
Standard (PCI DSS)
US National Institute of Standards and
Technology (NIST)
• Security and Privacy Controls for Federal
Information Systems and Organizations
(NIST Special Publication 800‐53)
• Framework for Improving Critical
Infrastructure Cybersecurity
(Cybersecurity Framework)
ISACA Cybersecurity Nexus
The IIA GTAG 15: Information Security
Governance (2010)

What are the InfoSec‐related standards, laws and regulations?
Governmental laws and regulations with (or will have) a significant effect on InfoSec
• UK Data Protection Act 1998
• The Computer Misuse Act 1990 (UK)
• Federal Information Security Management Act 2001 (US)
• Gramm‐Leach‐Bliley Act (GLBA) 1999 (US)
• Federal Financial Institutions Examination Council’s (FFIEC) security guidelines (US)
• Sarbanes‐Oxley Act (SOX) 2002 (US)
• State security breach notification laws (e.g. California) (US)
• Family Educational Rights and Privacy Act (US)
• Health Insurance Portability and Accountability Act (HIPAA) 1996 (US)
17

What is ISO/IEC 27001:2013?
18
• Leading International Standard for ISMS. Specifies the requirements for establishing,
implementing, maintaining, monitoring, reviewing and continually improving the ISMS within the context of
the organization. Includes assessment and treatment of InfoSec risks.
• Best framework for complying with information security legislation.
• Not a technical standard that describes the ISMS in technical detail.
• Does not focus on information technology alone, but also other important business assets, resources,
and processes in the organization.

19
World distribution of ISO/IEC 27001 certificates in 2013
2013 – 22,293 (up 14%)
2012 – 19,620
Japan – 7,084
India – 1,931
United Kingdom – 1,923
China – 1,710
Spain – 799
United States – 566
Australia ‐ 138
Canada – 66
Source: www.iso.org

20
World distribution of ISO/IEC 27001 certificates in 2016
There were over 33,000
ISO/IEC 27001
certificates worldwide,
about 20% more each
year

21
112 212 322 329 435 552 712 814 1445 1469
1064 1432 2172
3563
4800 5289
6379
7952 8663
10446
12532
4210
5550
5807
7394
8788
9665
10422
10116
10414
11994
14704
383
519
839
1303
1328
1497
1668
2002
2251
2569
2987
71
128
206
218
279
332
451
511
606
810
,0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
ISO/IEC 27001 - Worldwide total
Middle East
Central and South Asia
East Asia and Pacific
Europe
North America
Central / South America
Africa

22
Process approach for establishing, implementing, operating, monitoring, reviewing,
maintaining and improving an organization’s ISMS:

23
Eight (8) mandatory clauses (controls/control objectives) for organizations claiming
conformance to ISO/IEC 27001 standard:
• Clause 4 Context of the organization
• 4.1 Understanding the organization and its context
• 4.2 Understanding the needs and expectations of interested parties
• 4.3 Determining the scope of the information security management system
• 4.4 Information security management system
• Clause 5 Leadership
• 5.1 Leadership and commitment
• 5.2 Policy
• 5.3 Organizational roles, responsibilities and authorities
• Clause 6 Planning
• 6.1 Actions to address risks and opportunities
• 6.2 Information security objectives and planning to achieve them

24
Eight (8) mandatory clauses (cont…):
• Clause 7 Support
• 7.1 Resources
• 7.2 Competence
• 7.3 Awareness
• 7.4 Communication
• 7.5 Documented information
• Clause 8 Operation
• 8.1 Operational planning and control
• 8.2 Information security risk assessment
• 8.3 Information security risk treatment
• Clause 9 Performance Evaluation
• 9.1 Monitoring, measurement, analysis and evaluation
• 9.2 Internal audit
• 9.3 Management review

Copyright Nashwan Mustafa 2018 ISO27001:2013 25
Eight (8) mandatory clauses (cont…):
• Clause 10 Improvement
• 10.1 Nonconformity and corrective action
• 10.2 Continual improvement

14 Control Categories (Domain/Control Area) ‐ Discretionary Controls (Annex
A)
• A.5 Information security policies
• A.5.1 Management direction for information security
• A.6 Organization of information security
• A.6.1 Internal organization
• A.6.2 Mobile devices and teleworking
• A.7 Human resource security
• A.7.1 Prior to employment
• A.7.2 During employment
• A.7.3 Termination and change of employment
What are the ISO/IEC 27001 Controls?

A)
• A.8 Asset management
• A.8.1 Responsibility for assets
• A.8.2 Information classification
• A.8.3 Media Handling
• A.9 Access control
• A.9.1 Business requirements of access control
• A.9.2 User access management
• A.9.3 User responsibilities
• A.9.4 System and application access control
• A.10 Cryptography
• A.10.1 Cryptographic controls

A)
• A.11 Physical and environmental security
• A.11.1 Secure areas
• A.11.2 Equipment
• A.12 Operations security
• A.12.1 Operational procedures and responsibilities
• A.12.2 Protection from malware
• A.12.3 Backup
• A.12.4 Logging and monitoring
• A.12.5 Control of operational software
• A.12.6 Technical vulnerability management
• A.12.7 Information systems audit considerations

14 Control Categories (Domain/Control Area) ‐ Discretionary Controls (Annex A)
• A.13 Communications security
• A.13.1 Network security management
• A.13.2 Information transfer
• A.14 System acquisition, development and maintenance
• A.14.1 Security requirements of information systems
• A.14.2 Security in development and support processes
• A.14.3 Test data
• A.15 Supplier relationships
• A.15.1 Information security in supplier relationships
• A.15.2 Supplier service delivery management
• A.16 Information security incident management
• A.16.1 Management of information security incidents and improvements

14 Control Categories (Domain/Control Area) ‐ Discretionary Controls (Annex A)
• A.17 Information security aspects of business continuity management
• A.17.1 Information security continuity
• A.17.2 Redundancies
• Note: A comprehensive BCMS standard was published by ISO in 2012 – ISO
22301:2012
• A.18 Compliance
• A.18.1 Compliance with legal and contractual requirements
• A.18.2 Information security reviews
ISO/IEC 27002:2013 is a better reference for selecting controls when implementing an ISMS based on
ISO/IEC 27001:2013, either for certification purposes or alignment to a leading standard. Or it could simply be
used as a guidance document for implementing commonly accepted information security controls.

What are the benefits of ISO/IEC 27001:2013?
• Best framework for complying with information security legal, regulatory and contractual
requirements
• Better organizational image because of the certificate issued by a certification body
• Proves that senior management are committed to the security of the
organization, including customer’s information
• Focused on reducing the risks for information that is valuable for the organization
• Provides a common goal
• Optimized operations within the organization because of clearly defined
responsibilities and business processes
• Builds a culture of security

What are the benefits of ISO/IEC 27001:2013?
BSI Study on ISO 27001
• 87% of respondents stated that implementing ISO/IEC 27001 had a positive or very
positive outcome
• Ability to meet compliance requirements increased for 60% of organizations
• Number of security incidents decreased for 39%
• Down time of IT systems decreased for 39%
• Ability to respond to tenders increased for 43%
• Relative competitive position increased for 47%
• 51 % saw an increase in external customer satisfaction following the implementation of an ISMS
• 40% saw an increase in internal customer satisfaction
• 66% noted an increase in the quality control of information security processes and procedures
and 40% decrease in risk

SUMMARY
An organization needs to undertake the following steps in establishing, monitoring,
maintaining and improving its ISMS:
• Identify information assets and their associated information security
requirements
• Assess information security risks and treat information security risks [to an
acceptable level]
• Select and implement relevant controls to manage unacceptable risks [or to
reduce risks to acceptable levels]
• Monitor, maintain and improve the effectiveness of controls associated with the organization’s
information assets

SUMMARY
• Adoption of an ISMS should be a strategic decision for an organization.
• ISMS is a holistic approach to managing information security – confidentiality, integrity, and
availability of information and data.
• Laws and regulations are continuing to evolve to address information security risk and privacy.
ISO/IEC 27001:2013 is the best framework for complying with
information security legislation.
• ISO/IEC 27001:2013 is not a technical standard for IT only.
• Increasing trend in adopting a holistic approach (using ISO/IEC 27001:2013) in managing
information security risks.

Questions?
36

Thank You.
My contact :
Nashwan Mustafa
Eng_nashwan@yemen.net.ye
00967777013189
37

Iso27001- Nashwan Mustafa

More Related Content

What's hot

Similar to Iso27001- Nashwan Mustafa

More from Fahmi Albaheth

Recently uploaded

In this document

Iso27001- Nashwan Mustafa