How to gain and maintain ISO 27001 certification


Urpo Kaila, Head of Security, CSC - IT Center for Science Ltd.
urpo.kaila@csc.fi, security@csc.fi
GÉANT SIG ISM 1st Workshop, 2015-05-12, imperial.ac.uk

Agenda
- Introduction
- Scope and objectives of security
- ISO/IEC 27001:2013
- How CSC gained the certification
- Learning from the certification experience
- Ideas for cooperation

About CSC
- CSC offers IT services for research, higher education, culture, and government
- CSC provides scientific software and databases and Finland's supercomputing environment, which researchers can use via the Funet network
- CSC - IT Center for Science Ltd. is a government-owned, non-profit company administered by the Ministry of Education and Culture
- 270 employees

CSC Services
- Computing Services
- Research Information Management Services
- Funet Network Services
- Education Management and Student Administration Services
- Identity and Access Management Services
- Datacenter and Capacity Services (IaaS)
- Training Services
- Consultation and Tailored Solutions

- Ministry of Education and Culture
- Other ministries and state administration
- Higher education institutions
- Research institutions
- Companies

About myself
- Industry background: previously IT Manager, later Presales Manager / Technical Director in an IT security company
- At CSC since 2003: previously manager for Internal IT and Datacenters; Information Security Manager in charge of risk management, information security, operational security, incidents, security agreements, physical security and cyber security
- Security Officer for the EUDAT project, a Collaborative Data Infrastructure for European researchers to preserve, find, access, and process data in a trusted environment

Example of EUDAT Services: B2DROP
B2DROP is a secure and trusted data exchange service for researchers and scientists to keep their research data synchronized and up-to-date and to exchange it with other researchers. An ideal solution to:
- Store and exchange data with colleagues and team
- Synchronize multiple versions of data
- Ensure automatic desktop synchronization of large files

A pan-European Consortium
A network of collaborating, cooperating centres, combining the richness of numerous community-specific data repositories with the permanence and persistence of some of Europe's largest scientific data centres.
e-science Data Factory

Scope and objectives for security
- Technical approach to security: firewalls, vulnerabilities, intrusions, malware, ...
- Security management approach: business objectives, availability, processes, governance
- Narrow but deep scope: incidents, IT risks, technology
- Broader scope: people, processes, business risks, stakeholders, management

What is information security all about?
- Information security is about protecting assets (systems, data, services and reputation) against risks with security controls
- Assets are protected to preserve their confidentiality, integrity and availability
- Information security is a building block of quality, implemented by security controls; management is accountable, but it is the responsibility of all staff

Security vs. usability
- Usability: the perceived benefit and quality of a service/product
- Security: the direct or indirect benefits and cost of security controls
- The two should be in a reasonable balance, based on risk management

ISO/IEC 27001:2013
- Nickname: ISO27k
- Background: BS7799
- Update of the standard: :2005 to :2013
- The international standard for information security management systems
- Organisations can apply for certification covering a scope of their activities, issued by an accredited certification body

Other standards and best practices
- COBIT
- National security standards, e.g. IT-Grundschutzhandbuch
- ISO/IEC 15408 (Common Criteria)
- SCI (Security for Collaborating Infrastructures)
- SANS Best Practices
- TERENA Best Practices
- Industry-related regulation (e.g. for operators)
- Skills-oriented certifications: CISSP, GCIH, GCED, CISM, ...

ISO 27001 practicalities
- The big global players (Google, MS and Amazon) have also achieved the certification for some of their core functions
- Successful certification requires:
  - Documented management support
  - An approved Statement of Applicability
  - Systematic management reviews of your information security management system (ISMS)
  - An ISMS that is known, in use and documented

Why ISO 27001?
- The standard provides comprehensive guidance for your ISMS
- A systematic framework and checklist to motivate all stakeholders (management, administrators, all staff, customers, providers) to information security
- A clear indication to all stakeholders of a serious effort to implement a comprehensive ISMS

ISO 27001 Pros and Cons
- "ISO 27001 will not guarantee good information security." True. It is also possible to create a compliant but counterproductive ISMS and still achieve certification.
- "ISO 27001 will require excess bureaucracy." Depends. It is up to you to define how to comply with the standard.
- "Certification is expensive." Depends. You don't have to use expensive consultants to create your ISMS. The audits are not that expensive, but not free either.

ISO 27001 Pros and Cons (contd.)
- "Security should not be a management concern." Wrong.
- "ISO 27001 is just about creating policies nobody reads." Wrong; the policies and guidelines must be known and in use to achieve certification.
- "After achieving certification everything is forgotten." Wrong. Maintaining certification is often harder than achieving it; it requires continuous improvement.
- "We are so good that we don't need standards."
- "The ad hoc way is more efficient and secure."

The structure of the standard
- Ten high-level clauses and Annex A
- New controls in the 2013 version:
  - A.6.1.5 Information security in project management
  - A.12.6.2 Restrictions on software installation
  - A.14.2.1 Secure development policy
  - A.14.2.5 Secure system engineering principles
  - A.14.2.6 Secure development environment
  - A.14.2.8 System security testing
  - A.15.1.1 Information security policy for supplier relationships
  - A.15.1.3 Information and communication technology supply chain
  - A.16.1.4 Assessment of and decision on information security events
  - A.16.1.5 Response to information security incidents
  - A.17.2.1 Availability of information processing facilities

Annex A
- A.5: Information security policies (2 controls)
- A.6: Organization of information security (7 controls)
- A.7: Human resource security (6 controls)
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (2 controls)
- A.11: Physical and environmental security (15 controls)
- A.12: Operations security (14 controls)
- A.13: Communications security (7 controls)
- A.14: System acquisition, development and maintenance (13 controls)
- A.15: Supplier relationships (5 controls)
- A.16: Information security incident management (7 controls)
- A.17: Business continuity management (4 controls)
- A.18: Compliance (8 controls)

The Audit (1/2)
- Must be preceded by:
  - Approval of the SOA
  - Internal audits/reviews (pre-audit)
- During the audit:
  - A systematic enquiry into whether the SOA is compliant with the standard and implemented comprehensively
  - Management and staff are interviewed
  - Auditors systematically gather evidence to verify compliance with the standard
  - Verifying skills and security culture is also a crucial part of the audit

The Audit (2/2)
- After the audit:
  - Non-compliances
  - Reporting fixes of non-compliances
  - Obtaining certification status
  - Surveillance audits (once p.a.)
  - Re-audits (every third year)
  - Enlarging the audit scope?

How CSC gained the certification (1/2)
- Attended training on BS7799 in 2004
- Frustration with insufficient commitment and the ad hoc approach to security
- Saw risks in over-focusing on technical implementations and in emotional reactions to security hype
- Frustration with non-coherent national security standards
- Began to motivate management to apply for ISO 27001 certification

How CSC gained the certification (2/2)
- CSC gained ISO 27001 certification for Datacenter Kajaani in summer 2013
- Certification scope enlarged to cover all data centers in 2014
- Certification scope enlarged to cover all ICT platforms
- Certified for compliance with the 2013 version of the standard
- Surveillance audit in 2015 with no non-conformities
- New services to be included in the next phase


Learning from the certification experience
- The decision to strive for ISO 27001 certification involved some risks but has proven very beneficial for CSC
- The certification process helped us to:
  - Implement a comprehensive ISMS
  - Motivate management and all staff
  - Improve security culture and management
- Now the ISO 27001 certification status is part of the CSC communication package

Learning from the certification experience (contd.)
- Successful certification requires an active, experienced and goal-oriented manager; sometimes you must use the word "must"
- Certification also requires sensitivity and good listening skills
- At least one sponsor on the management board is necessary
- Certification improved risk management and management commitment a lot

Learning from the certification experience (contd.)
- The most challenging requirements were in operations and in development
- The very core of the CSC ISMS is the internal production catalogue, with defined owners, admins, BCPs, DRPs, classifications and review cycles
- The certification has greatly improved trust in CSC services and in CSC as an organisation; NOW we suddenly have very security-conscious customers suggesting huge contract fines for security breaches
- The certification made CSC management look professional and good; most staff also seem to feel that it was a good idea

Maintaining certification status
- Often harder than obtaining certification
- After the first phase, people tend to forget to update guidelines and procedures, and new services and people do not always comply
- Good security training and constant awareness campaigns help to keep people motivated
- Regular management reviews must be continued; invest in risk management
- Try to streamline and make your ISMS more agile

Would ISO 27001 certification be something for my organisation?
- Start by studying the standard and related literature; the standard requires professional interpretation
- Do an initial gap analysis in writing
- Sketch a draft version of your SOA (contact me for improved templates)
- Do you have, or will you get, management support?
- Would it help your stakeholders?
- Are you ready to become a less liked person in your organisation, at least for some time (3-10 years)?
- Meet peer organisations on the same path

Ideas for further cooperation
- CSC has a long and rewarding history of cooperation on security: TF-CSIRT, FIRST, (ISC)2, SANS, ...; currently a joint project with Finnish universities for security compliance and peer audits
- I look forward to sharing and jointly developing best ISMS practices with our European peer organisations
  - Cooperation on service level, on organisational level and between infrastructures (GÉANT/EUDAT/...)
  - Peer reviews?
  - Liaison with SCI?
- Upcoming EU research project for piloting ISMS

This has of course been a high-level overview; the devil lies in the details. Any comments, criticism and questions are welcome. Let's keep in touch:
Urpo.kaila@csc.fi
+358-9-457 2253
LinkedIn (unique name)
Twitter: @utsirp