
Awareness Program on Information Security Management System

(ISO 27001 Understanding and Implementation)

STQC Directorate,
Department of Information Technology,
Min. of Comm. and IT
India
Contents

 ISMS Overview
 ISMS Standards (ISO 27001 and other standards)
 Implementing ISMS
 Defining Security Policies
 ISMS Certification

ISMS Awareness

Dependence on Information Systems
Present day organizations are highly dependent on information systems to
manage business and deliver products/services

 Dependence on IT and other information for development, production and delivery
 Various internal applications like
- Financial databases
- Employee time booking
- Providing helpdesk and other services
- Providing remote access to customers / employees
- Remote access of client systems
- Interaction with the outside world through e-mail, internet
 Usage of information systems to manage third parties and outsourced suppliers

4/19/2019 ISMS Implementation and Certification


What is Information ?
Information is an asset that, like other important business assets, is
essential to an organization’s business and consequently needs to be
suitably protected. (ISO/IEC 27002)
Asset: anything that has value to the organization

Information Life Cycle

Information can exist in many forms:
 data stored on computers
 transmitted across networks
 printed out
 written on a paper
 sent by fax
 stored on disks
 held on microfilm
 spoken in conversations over the telephone
 ..

Information can be: created, stored, processed, transmitted, copied, used (for
proper and improper purposes), destroyed (?), lost, corrupted.

Whatever form the information takes, or means by which it is shared
or stored, it should always be appropriately protected throughout its
life cycle.
Risk to Information Systems because of

[Diagram: risk sources around the systems / network, which are reached over
VSAT, leased line, dial-in and Internet links]
 High user knowledge of IT systems
 Theft, sabotage, misuse, hacking
 Version control problems
 Unrestricted access
 Systems / network failure
 Lack of documentation
 Virus
 Fire
 Natural calamities


How To Detect a Phishy Site
• Verify through your web browser properties
• If you are using Internet Explorer, right-click anywhere on the page and
choose “Properties.” (You can also reach “Properties” by selecting the “File”
menu at the top of the browser window and scrolling down to “Properties.”)
• On the Properties page, select “Certificates.” If an (EV) SSL certificate is
being used, you’ll be able to review its information here.
• If you are using a different web browser, consult its help function


And the Challenge is...
Protection of Information and Information Systems to
meet Business and Legal Requirement by
 Provision and demonstration of secure environment to clients
 Managing security between projects from competing clients
 Preventing loss of product knowledge to external attacks, internal
thefts
 Preventing Leak of confidential information to competition
 Meeting Parent company requirements
 Ease of access to large mobile work force
 Providing access to customers where off site development is
undertaken with the client.
 Introduction of new technologies and tools
 Managing Legal Compliance
 Managing costs Vs risk


Are you a good neighbour?

 Many companies would not want to implement strong security measures
thinking that they do not have anything that others would want – probably
what they do not realize is that they could become launch pads for
attacks on others
 While firewalls can protect you from outside attacks, generally they are
not configured to protect the outside world from yours


What is needed?

Management concerns:
 Market reputation
 Business continuity
 Disaster recovery
 Business loss
 Loss of confidential data
 Loss of customer confidence
 Legal liability
 Cost of security

Security measures / controls:
 Technical
 Procedural
 Physical
 Logical
 Personnel
 Management


Information Security ……

Information Security is about protecting Information
through selection of appropriate Security Controls

 protects information from a range of threats
 ensures business continuity
 minimizes financial loss
 maximizes return on Information Systems investments and business
opportunities

[Diagram: Information Systems enclosed by Logical Security, Physical Security,
and Organisational and Procedural Security]


Information Security - Some viewpoints

 Security is risk management (no absolutes)
 Security is a process
 Human element : the source & solution of the problem
 Confidentiality, integrity, and availability = Security
 Dependability and expected behavior


Objectives of Information Security
Preservation of
Confidentiality :
Ensuring that information is available to only those authorised to
have access.

Integrity :
Safeguarding the accuracy and completeness of information &
processing methods.

Availability :
Ensuring that information and vital services are available to
authorised users when required.


Information Security Model


But the Problem is….

“To determine how much is too much, so that we can
implement appropriate security measures to build
adequate confidence and trust”


Why Information Security Management System

 Information security that can be achieved through technical means is limited
 Security also depends on people, policies, processes and procedures
 Resources are not unlimited
 It is not a once-off exercise, but an ongoing activity

All these can be addressed effectively and efficiently only by establishing a
proper Information Security Management System (ISMS)


Who needs ISMS ?
 Every organization, company, firm or institution handling
information :
– Banks
– Call Centers
– IT Companies
– Government (e.g. tax office)
– Manufacturing Companies
– Consultancy Firms
– Hospitals
– Schools and Universities
– Insurance Companies
– These are examples … Every company which values
information and needs to protect it


Information Security Management System

With an ISMS we are not intending to make the system ‘hacker
proof’, but develop a mechanism which can, to a large extent
 Anticipate potential problems
 Prepare through proactive measures
 Protect against considerable damages
 Ensure recovery and restoration

“Failure is not when you fall down, but when
you fail to get up”


ISMS Standards
 ISO/IEC 27001 : 2005
– A specification (specifies requirements for implementing,
operating, monitoring, reviewing, maintaining & improving a
documented ISMS)
– Specifies the requirements for implementing security controls,
customised to the needs of the individual organisation or part thereof.
– Used as a basis for certification
 ISO/IEC 27002 : 2005 (Originally ISO/IEC 17799:2005)
– A code of practice for Information Security management
– Provides best practice guidance
– Use as required within your business
– Not for certification

Both ISO 27001 and ISO 27002 security control clauses are fully
harmonized
ISO/IEC 27000 family review including future development

 ISO/IEC 27000:2009 – Information security management systems – Overview and vocabulary
 ISO/IEC 27001:2005 – ISMS Requirements (Annex A)
 ISO/IEC 27002 (ISO/IEC 17799 : 2005) – ISMS Code of practice
 ISO/IEC 27003:2009 (FCD) – ISMS Implementation guidelines
 ISO/IEC 27004:2009? (FCD) – ISMS Measurement
 ISO/IEC 27005:2008 – Risk management
 ISO/IEC 27006:2007 – ISMS Certification scheme
 ISO/IEC 27007? (Sept, 09?) – Guidelines on ISMS auditing
 Specific standards and guidelines

Note : Status as on 13th Jul., 09


PDCA Model applied to ISMS processes

[Diagram: Development, Maintenance and Improvement Cycle. Interested parties’
information security requirements & expectations feed in; managed information
security comes out.]
 Plan – Establish ISMS
 Do – Implement & Operate ISMS
 Check – Monitor & Review ISMS
 Act – Maintain & Improve ISMS


ISO 27001:2005 structure

1. Scope
2. Normative References
3. Terms & Definitions


4. Information Security Management System
4.1 General
4.2 Establish and manage ISMS
4.3 Documentation
5. Management Responsibility
5.1 Management Commitment
5.2 Resource Management
6. Internal ISMS Audits
7. Management Review of the ISMS
8. ISMS Improvement
8.1 Continual Improvement
8.2 Corrective Actions
8.3 Preventive Actions
Annexure A,B & C

ISO 27001 requirements

 Requirements contained in the ISMS framework (Sections 4-8)
 ISMS control requirements (Annexure A)


ISMS Process Framework requirements
(ISO 27001)
 Information security management system (Cl. 4.0)
– Establishing and managing the ISMS
– Documentation requirements
 Management responsibility (Cl. 5.0)
– Management commitment
– Resource management
 Internal ISMS audits (Cl. 6.0)
 Management review of the ISMS (Cl. 7.0)
 ISMS improvements (Cl. 8.0)
– Continual improvement
– Corrective action
– Preventive action


ISMS control requirements

Annexure – A : Control objectives & controls
Security Control Clauses of ISO 27001
A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resource Security
A.9 Physical & environmental security
A.10 Communications & operations management
A.11 Access control
A.12 Info. Systems Acquisition, development & maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance


ISO 27001: Control objectives and controls

[Diagram: 11 Security Control clauses → 39 Control objectives (specify
requirements) → 133 Controls (satisfy objectives)]


ISO 27002 Structure

 1 introductory clause on Risk assessment and Treatment.
 11 security Control Clauses (fully harmonised with ISO 27001)
 39 main Security categories each containing
– Control Objective and
– One or more controls to support achievement of the control objective
 Control descriptions each containing
– Control statement
– Implementation Guidance
– Other Information


A.5 Security policy
A.5.1 Information security policy
Objective : To provide management direction and support
for information security.
Controls :
– Information security policy document
– Review of policy


A.6 Organization of information security
A.6.1 Internal organization

A.6.2 External parties
– Third Party Agreements

Examples of External parties?


A.7 Asset management

A.7.1 Responsibility for assets

A.7.2 Information classification


Top secret
Secret
Confidential
Restricted
Public


A.8 Human resources security

A.8.1 Prior to employment
A.8.2 During employment
A.8.3 Termination or change of employment

Covers: Employees √, Contractors √, Third party users


A.9 Physical and environmental security

A.9.1 Secure areas

A.9.2 Equipment security


A.10 Communications and operations
management
A.10.1 Operational procedures and responsibilities
A.10.2 Third party service delivery management
A.10.3 System planning and acceptance
A.10.4 Protection against malicious and mobile code
A.10.5 Back-up
A.10.6 Network security management
A.10.7 Media handling
A.10.8 Exchange of information
A.10.9 Electronic commerce services

A.10.10 Monitoring


A.11 Access control
A.11.1 Business requirement for access control

A.11.2 User access management

A.11.3 User responsibilities

A.11.4 Network access control

A.11.5 Operating system access control

A.11.6 Application and information access control

A.11.7 Mobile computing and teleworking


A.12 Information systems acquisitions,
development and maintenance
A.12.1 Security requirements of information systems

A.12.2 Correct processing in applications

A.12.3 Cryptographic controls

A.12.4 Security of system files

A.12.5 Security in development and support processes

A.12.6 Technical vulnerability management


A.13 Information security incident management
A.13.1 Reporting information security events and weaknesses

A.13.2 Management of information security incidents & improvements

• What is an information security event?
• What is an information security incident?
• Examples?
• Incident management process?


A.14 Business continuity management
A.14.1 Information security aspects of BCM
Objective : To counteract interruptions to business
activities and to protect critical business processes from
the effect of major failure or disasters and to ensure their
timely resumption.
Controls :
– Including information security in the BCM management
process
– Business continuity and risk assessment
– Developing and implementing continuity plans including
Information security
– Business continuity planning framework
– Testing, maintaining and re-assessing business continuity
plans

Difference between incident and disaster ?

A.15 Compliance

A.15.1 Compliance with legal requirements

A.15.2 Compliance with security policies and standards, and technical compliance

A.15.3 Information systems audit considerations


Control objectives and controls

“Not all the controls described will be relevant to
every situation, nor can they take account of local
environmental or technological constraints, or be
present in a form that suits every potential user in
an organization.”


Benefits of ISO 27001
 A single reference point for identifying a range of controls
needed for most situations where information systems
are used
 Facilitation of trading in trusted environment
 An internationally recognized structured methodology
 A defined process to evaluate, implement, maintain and
manage information security
 A set of tailored policy, standards, procedures and
guidelines
 The standard provides a yardstick against which security
can be judged


Process for developing an ISMS

[Diagram: Legal Requirements and Business Requirements, together with the
Risk Assessment (Threats & Vulnerabilities assessment; Assets identification &
valuation), give the Security Requirements; Selection of controls (ISO 27001)
then leads to the Information Security Management System: Policy, Procedures
& Controls]


Action Plan for ISMS Implementation
 Project Initiation
 Formation of Security organization including CISO
 Identify roles and responsibilities of groups
 Management intent on ISO 27001 initiative communicated to all
 Framing and Approval of Scope and Security Policy Statement
 Communication to all
 Risk Analysis/Assessment
– Methodology of RA
– Asset Identification
– Training on RA
– Actual RA
– Asset classification guideline (Labeling/Handling)
– Risk Treatment Plan & Actual implementation
 Preparation of SOA


Action Plan for ISMS Implementation-2
 Gap Analysis / Status Appraisal (May also be done before RA )
 Vulnerability assessment, Application Security Testing (May also be
done before RA )
 Documentation of Policies and Procedures
 Identification and documentation of Legal requirements and Business
Requirements
 Security Awareness training
 Implementation of Policies and Procedures
 Business Continuity Planning
– Carrying out BIA
– Writing BCP
– BCP Organisation
– Training
– BCP Testing and Updation


Action Plan for ISMS Implementation-3
 Monitor and Review ISMS effectiveness
– Internal ISMS Audits
– Management Reviews
 Improve ISMS
 Apply for Certification


ISMS Documentation

 Documented statements of the ISMS policy and objectives
 Procedures and controls in support of the ISMS
 Risk Assessment methodology
 Risk Assessment Report
 Risk Treatment Plan
 Documented procedures needed to ensure effective planning,
operation and control of information security processes, e.g.
– Incident management
– Business Continuity Planning
– Change Control Procedure
 Records
 ….

Documents and records can be in any form or type of medium
Defining Information security policies
What is a Policy?

The term policy is defined as a high-level statement
of an organization's beliefs, goals and objectives
and the general means for attainment for a
specified subject area. A policy is brief
(recommended) and set at a high level.


Why Security Policy
“The best security technology with a bad policy is like a grass hut
with a steel gate.”

“The policy on security is the organization’s statement of
intent that provides the foundation for management
and staff alike.”


Security Policy Framework

 Policies define appropriate behavior
 Policies set the stage in terms of what tools and
procedures are needed.
 Policies communicate a consensus.
 Policies provide a foundation for HR action in
response to inappropriate behavior.
 Policies may help prosecute cases.


Example : Policies required
 Information security
 Policy on Outsourcing
 Acceptable Use Policy
 E-mail security
 Internet Policy
 Password Policy
 Clear Desk and Clear Screen
 Access Control Policy
 Mobile computing / Teleworking
 Freeware Policy
 Anti-Virus Policy
 Desktop Security Policy
 Backup Policy
 Media Disposal Policy
 Business Continuity management
 Remote authentication
 Cryptographic Control


Basic policy requirements
 Policies must:
– be implementable and enforceable
– be concise and easy to understand
– balance protection with productivity
– be updated regularly to reflect the evolution of the organization
 Policies should:
– state reasons why policy is needed
– describe what is covered by the policies - whom, what, and where
– define contacts and responsibilities to outside agencies
– discuss how violations will be handled
– be able to meet business objectives.


Other Policies and documentation

 Policies
– are not specific and detailed descriptions of a problem,
– do not provide steps that are needed to implement the policy

 Therefore, an organization must develop
standards, guidelines and procedures that offer
employees, management and others a clearer
method of implementing the policy and meeting
the business needs.


Security procedures

 Policies only define "what" is to be protected.
Procedures define "how" to protect resources
and are the mechanisms to enforce policy.
 Procedures define detailed actions to take for specific incidents.
 Procedures provide a quick reference in times of crisis.
 Procedures help eliminate the problem of a
single point of failure (e.g., an employee
suddenly leaves or is unavailable in a time of crisis).


Example: Procedures required by organization
 Information labelling & Handling
 Reporting s/w Malfunction
 Disciplinary Process
 Incident Management
 Migration of software
 Acceptance criteria for new info. Sys
 Control against Malicious s/w
 Handling & storage of info
 Authorization of publicly avail. Systems
 Information Exch. Thru fax, voice
 User Reg. & de-Reg
 Allocation of Passwords
 Review of User access rights
 Monitoring of Use of Info. System
 Key management system
 Control of operational software
 Change control
 Identification of appl. Legislation


Records

Evidence generated as a consequence of the
operation of the ISMS to identify the path through a
process and to demonstrate compliance.

 Manual
 Automatic

• Provide evidence of conformance to requirements
• Demonstrate effective operation of Security system


Examples : Records generated
 Inventory of assets
 Confidentiality agreement
 Terms and conditions of employment
 Equipment maintenance
 Incident related data
 Risk identification & control in contract
 Testing record for acceptance of new systems
 Testing of backup copies
 Maintenance of operator log
 Review of user access rights
 Capacity utilisation Logs
 Process performance records (e.g. Internal audits,
Management review, Training etc.)


Policy deployment

should be supported by

 Process
 People
 Technology


User Responsibilities

Are you aware of your own Policies ?

 Acceptable use policy
 Password policy
 File encryption policy for mobile devices
 Clear desk and Clear Screen Policy
 Disciplinary Policy


Training and Awareness on ISMS

 The need for training and awareness must be identified
 Input should come from everywhere in the organization
– Users, security personnel, management
 The programme should be implemented when the controls are implemented
 There can be detailed function-specific trainings also.


Awareness Training : Issues that need to be addressed
 Information security, its needs, its importance to the company
– Importance of Information to the business of the organisation
– Concept of C,I,A
– ISMS Policy
– Do’s and Don’ts
– Security incident, Security weaknesses, software malfunctions.
 General security controls as practiced in the company: Physical entry controls,
ID Badges, Visitor policy, Fire Drills/ Fire Safety
 Asset Identification, Information Labelling and handling.
 Correct use of Information processing facilities
 Policies like e-mail, internet, Freeware policy, virus protection, backup, Password
management, media handling, mobile computing (if applicable)
 Incident reporting; Help Desk reporting etc.
 Clear screen clear desk policy
 Any Legal responsibility
 Repercussions for Violations/ Disciplinary process for violation


Do’s and Don’ts
 Do keep your use of the Internet to a minimum
 Do check that any information you access on the Internet is accurate, complete and
current.
 Do check the validity of the information found.
 Do respect the legal protections to data and software provided by copyright and
licenses.
 Do inform the I.T. Department immediately of any unusual occurrence.
 Do not download text or images which contain material of a pornographic, racist or
extreme political nature, or which incites violence, hatred or any illegal activity.
 Do not download content from Internet sites unless it is work related.
 Do not download software from the Internet and install it upon the Organisation’s
computer equipment.
 Do not use the Organisation’s computers to make unauthorised entry into any other
computer or network.
 Do not disrupt or interfere with other computers or network users, services, or
equipment.
 Do not represent yourself as another person.
 Do not use Internet access to transmit confidential, political, obscene, threatening, or
harassing materials.

Users Responsibility
 Adhering to policies, guidelines and procedures pertaining to the
protection of Institutional Data.
 Reporting actual or suspected vulnerabilities in the confidentiality,
integrity or availability of Institutional Data to a manager or the
Information Security Office.
 Reporting actual or suspected breaches in the confidentiality,
integrity or availability of Institutional Data to the Information
Security Office.
 You are individually responsible for protecting the data and
information in your hands. Security is everyone's responsibility.
 Recognise which data is sensitive. If you do not know or are not
sure, ask.
 Even though you cannot touch it, information is an asset,
sometimes a priceless asset.
 Use the resources at your disposal only for the benefit of the
Organisation.
 Understand that you are accountable for what you do on the
system.
Data Custodian
 Understanding and reporting on how Data is stored,
processed and transmitted by the organization and by
third-party Agents.
 Implementing appropriate physical and technical
safeguards to protect the confidentiality, integrity and
availability of organization’s Data.
 Documenting and disseminating administrative and
operational procedures to ensure consistent storage,
processing and transmission of organization’s Data.
 Provisioning and de-provisioning access to
organization’s Data as authorized by the Data Owner.
 Understanding and reporting on security risks and how
they impact the confidentiality, integrity and availability
of organization’s Data.

How to select a good password

 Use at least eight characters – 15 is better
 Use a random mixture of characters – upper and lower
case letters, numbers, punctuation, spaces and symbols
 Do not use a word found in a dictionary, English or foreign
Things to Avoid in Password

 Do not add a single digit or symbol before or after a
word – for example, “microsoft1”
 Do not double up a single word – for example, “msoftmsoft”
 Do not simply reverse a word – “tfosorcim”
 Do not remove the vowels – “io”
 Do not use key sequences that can easily be repeated – for
example, “qwerty”, “asdf” etc.
 Do not garble letters – for example, converting e to 3, L
or I to 1, o to 0 as in “z3r0-10v3”
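The password rules from the "How to select a good password" and "Things to Avoid" slides, implemented as an added checker that is not part of the original deck. The word list is a constructed sample standing in for a real dictionary, and the rule identifiers returned are my own naming.

```python
import re
import string

# Constructed sample word list standing in for a real dictionary file
# (assumption: production use would load a full English/foreign word list).
DICTIONARY = {"microsoft", "password", "secret", "welcome", "zero", "love", "summer"}

# Dictionary words with their vowels removed, so "mcrsft" can be traced back
# to "microsoft" (the "do not remove the vowels" rule).
DEVOWELLED = {re.sub(r"[aeiou]", "", w): w for w in DICTIONARY}

# Keyboard sequences the slide warns about; extend as needed.
KEYBOARD_SEQUENCES = ("qwerty", "asdf", "zxcv", "12345")

# Reverse the common letter-for-symbol garbling (e->3, l/i->1, o->0, ...)
# so "z3r0-10v3" is compared as "zero-love".
LEET_MAP = str.maketrans({"3": "e", "1": "l", "0": "o", "@": "a", "$": "s"})


def _tokens(text):
    """Split a lowercase string into alphabetic runs of 3+ letters."""
    return [t for t in re.split(r"[^a-z]+", text) if len(t) >= 3]


def check_password(pw):
    """Return the sorted list of rule identifiers the password violates.

    An empty list means the password passes every rule from the slides.
    Identifiers: too_short, low_variety, keyboard_sequence, doubled_word,
    dictionary:<word>, reversed:<word>, devowelled:<word>.
    """
    problems = set()

    # Rule: at least eight characters (15 is better).
    if len(pw) < 8:
        problems.add("too_short")

    # Rule: random mixture of upper, lower, digits and punctuation/symbols;
    # here at least three of the four classes must be present.
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        problems.add("low_variety")

    low = pw.lower()

    # Rule: no easily repeated key sequences such as "qwerty" or "asdf".
    if any(seq in low for seq in KEYBOARD_SEQUENCES):
        problems.add("keyboard_sequence")

    # Rule: no doubled-up word such as "msoftmsoft".
    half, odd = divmod(len(low), 2)
    if not odd and half >= 2 and low[:half] == low[half:]:
        problems.add("doubled_word")

    # Undo the disguises the slide lists (leading/trailing digit or symbol,
    # leet-speak) and compare every alphabetic run against the dictionary,
    # its reverse and its vowel-stripped form.
    stripped = low.strip(string.digits + string.punctuation + " ")
    variants = {low, stripped, low.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    for variant in variants:
        for token in _tokens(variant):
            if token in DICTIONARY:
                problems.add(f"dictionary:{token}")
            elif token[::-1] in DICTIONARY:
                problems.add(f"reversed:{token[::-1]}")
            elif token in DEVOWELLED:
                problems.add(f"devowelled:{DEVOWELLED[token]}")

    return sorted(problems)


if __name__ == "__main__":
    # The slide's own bad examples plus one password that passes every rule.
    for candidate in ("microsoft1", "msoftmsoft", "tfosorcim", "z3r0-10v3",
                      "qwerty123", "mcrsft", "Tq7#vR!m2pL9xZ"):
        print(f"{candidate!r:20} -> {check_password(candidate) or 'OK'}")
```

A real deployment would replace the sample DICTIONARY with a full word list; the checks themselves are unchanged.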
Changing your password

 Change your password regularly, such as once a month
 Change your password after you return from a trip
 You should also change your password whenever you
suspect that somebody knows it or even that they may
guess it – for example, if someone stood behind you
while you typed it
Protecting password

 Do not store your password on your computer, except in an encrypted form
 The password cache that comes with Windows (.pwl files) is
NOT secure; so whenever it prompts you to “save password,” don’t
 Do not tell anyone your password, not even your system administrator
 Never send your password via email or other unsecured channels
 Write your password down, but do not leave the paper
lying around; lock the paper away somewhere
 Be very careful when entering your password with
somebody else in the same room
Password Good Sense

Route to ISMS certification
 Step 1 - Preliminary information
 Step 2 - Application
 Step 3 - Pre-assessment (Optional)
 Step 4 - Assessment
– Assessment stage 1
• (gaining understanding of the ISMS)
– Assessment stage 2
• (verifying conformity)
 Step 5 - Post assessment
– Decision on Certification
– Issue of Certificate
– Certificate Validity
 Step 6 - Surveillance
 Step 7 - Reassessment


Benefits of Certification
 Public demonstration
 Enhanced corporate image
 Accountability/ re-assurance ISMS
 Drives forward improvement process
 Ensures management commitment
 A positive response from potential customers
 Can be part of integrated approach
9001/14001/ISMS
 Staff motivation


Some sources for additional Information
 CERT (www.cert.org)
 SANS (www.sans.org)
 CIAC (www.ciac.llnl.gov/ciac)
 AUSCERT (www.auscert.org.au)
 SURFNET (http://cert.surfnet.nl/home-eng.html)
 NIST (http://icat.nist.gov/icat.taf)
 FIRST (www.first.org)
 BSI (www.bsi.org)
 STQC(www.stqc.nic.in)
 www.cisecurity.com
 www.csrtnist.com


Thank you for your attention!
Contact : rakesh@mit.gov.in