ISO/IEC 27001 - University of Illinois at Urbana–Champaign


ISO/IEC 27001
Winnie Chan
BADM 559
Professor Shaw
12/15/2008
ISO/IEC 27001 Objective
• To Provide a Guide for Establishing, Implementing, Reviewing, and Maintaining a Firm’s Information Security Management System (ISMS)
– Using a Continual Improvement Approach Known as the Plan-Do-Check-Act (PDCA) Cycle
PDCA Cycle
• Plan Stage
– Involves Establishing a Firm’s Security Objectives and Drafting the Methods to Achieve Them Using a Risk Assessment Approach
– Appropriate Information Security Controls Are Determined
• Do Stage
– Plan Is Implemented
• Act Stage
– Analyze Results and Compare Actual Accomplishments to Planned Objectives
• Check Stage
– Continuously Make Necessary Changes Until the Best Future Result From the ISMS Is Obtained
ISO/IEC 27001 History
• First Part of the Growing ISO/IEC 27000 (ISO 27K) Family
– Series of Information Security Standards Developed to Protect the Reliability, Confidentiality, and Accessibility of Essential Data That Firms Rely On
• Derived From the 1999 British Standard (BS) 7799 Part 2
• In October 2005:
– Adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
• Also Known As “Information Security Management Specification with Guidance for Use”
ISO/IEC 27001 Structure
• 8 Major Sections:
– Scope, Normative References, Terms and Definitions, ISMS, Management Responsibility, Internal ISMS Audits, Management Review of the ISMS, and ISMS Improvements
• 3 Main Annexes:
– Control Objectives and Controls
– Organisation for Economic Co-Operation and Development (OECD) Principles
– Correspondence Between ISO 9001 (Quality Management Systems Standard), ISO 14001 (Environmental Management Systems Standard), and ISO/IEC 27001
Certification Process
• Desktop Audit
– Accredited Certification Body Auditor
• Examines a Firm’s Relevant Documents Like Its Statement of Applicability (SoA) and Risk Treatment Plan (RTP)
• On-Site Audit
– Certification Body
• Sends an Audit Team to Perform an In-Depth Assessment of a Firm’s Information Security System’s Implementation
• Firm Agrees to Surveillance Schedule
– Certification Body Periodically Checks Firm’s ISMS Every 6-9 Months
• Issuance of Certificate
– Certificate Only Lasts for 3 Years After Initial Certification
Pros to Certification
• Certified Firms:
– Meet US Legislative Requirements
• Sarbanes-Oxley Section 404
• Statement on Auditing Standards (SAS) 70
• Health Insurance Portability and Accountability Act (HIPAA) Requirements
– Have Reduced Regulation Costs
– May Get Reduced Insurance Premiums
– Enjoy Improved Confidence from Suppliers, Customers, and Stakeholders
– Have a Competitive Advantage
Update on ISO/IEC 27001
• ISO/IEC 27001 Currently Being Revised by Renowned Experts in the Information Security Area
– Angelika Plate
– Matthieu Grall
• Revised Version Expected to Be Published Sometime in 2009 or 2010