STQC Directorate,
Department of Information Technology,
Min. of Comm. and IT
India
Contents
ISMS Overview
ISMS Standards (ISO 27001 and other standards)
Implementing ISMS
Defining Security Policies
ISMS Certification
ISMS Awareness
Dependence on Information Systems
Present-day organizations are highly dependent on information systems to manage their business and deliver products and services.
[Figure: the organization's dependence on information systems. Network connections shown: VSAT, leased line, dial-in, Internet. Threats shown: virus, fire, natural calamities. Protection layers shown: Physical Security; Organisational and Procedural Security.]
Integrity: Safeguarding the accuracy and completeness of information and processing methods.
Availability: Ensuring that information and vital services are available to authorised users when required.
Both ISO 27001 and ISO 27002 security control clauses are fully
harmonized
4/19/2019 ISMS Implementation and Certification
ISO/IEC 27000 family review including future development
– ISO/IEC 27000:2009 – Information security management systems – Overview and vocabulary
– ISO/IEC 27001:2005 – ISMS Requirements (Annex A)
– ISO/IEC 27002 (ISO/IEC 17799:2005) – ISMS Code of practice
– ISO/IEC 27003:2009 (FCD) – ISMS Implementation guidelines
– ISO/IEC 27004:2009? (FCD) – ISMS Measurement
– ISO/IEC 27005:2008 – Risk management
– ISO/IEC 27007? (Sept, 09?) – Guidelines on ISMS auditing
[Figure: ISMS Development, Maintenance and Improvement Cycle, with Interested Parties at the input and at the output. Stages recovered from the slide: Plan – Establish ISMS; Do – Implement & Operate ISMS; Act – Maintain & Improve ISMS.]
IEEE/EIA Standard IEEE/EIA 12207.0-1996 (A Joint Standard Developed by IEEE and EIA): Industry Implementation of International Standard ISO/IEC 12207:1995, March 1998
ISO 27001:2005 structure
[Figure: ISO 27001:2005 Annex A control clauses recovered from the slide: A.8 Human Resource Security; A.9 Physical & environmental security; A.10 Communications & operations management (including A.10.10 Monitoring); A.11 Access control; A.12 Information Systems Acquisition, development & maintenance; A.15 Compliance; Third Party Agreements. Annex A specifies requirements through 39 control objectives, which are satisfied by 133 controls.]
Selection of controls (ISO 27001)
[Figure: Legal Requirements, Business Requirements and Security Requirements feed a Risk Assessment (Threats & Vulnerabilities Assessment; Assets identification & valuation), which in turn drives the Information Security Management System (Policy, Procedures & Controls).]
Policies
– are not specific and detailed descriptions of a problem,
– do not provide steps that are needed to implement the policy.
[Figure: Policies should be supported by People, Process and Technology (Manual / Automatic).]
Are you aware of your own policies?
Repercussions for violations / disciplinary process for violation
Users' Responsibilities
– Adhering to policies, guidelines and procedures pertaining to the protection of Institutional Data.
– Reporting actual or suspected vulnerabilities in the confidentiality, integrity or availability of Institutional Data to a manager or the Information Security Office.
– Reporting actual or suspected breaches in the confidentiality, integrity or availability of Institutional Data to the Information Security Office.
– You are individually responsible for protecting the data and information in your hands. Security is everyone's responsibility.
– Recognise which data is sensitive. If you do not know or are not sure, ask.
– Even though you cannot touch it, information is an asset, sometimes a priceless asset.
– Use the resources at your disposal only for the benefit of the Organisation.
– Understand that you are accountable for what you do on the system.
Data Custodian
– Understanding and reporting on how Data is stored, processed and transmitted by the organization and by third-party Agents.
– Implementing appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of the organization's Data.
– Documenting and disseminating administrative and operational procedures to ensure consistent storage, processing and transmission of the organization's Data.
– Provisioning and de-provisioning access to the organization's Data as authorized by the Data Owner.
– Understanding and reporting on security risks and how they impact the confidentiality, integrity and availability of the organization's Data.
How to select a good password
Things to avoid in a password
Changing your password
Protecting your password
Password good sense
Route to ISMS certification
Step 1 – Preliminary information
Step 2 – Application
Step 3 – Pre-assessment (optional)
Step 4 – Assessment
– Assessment stage 1
• (gaining understanding of the ISMS)
– Assessment stage 2
• (verifying conformity)
Step 5 – Post assessment
– Decision on certification
– Issue of certificate
– Certificate validity
Step 6 – Surveillance
Step 7 – Reassessment