ISO 27001 Course Part 1


Information Security Framework Landscape

• ISO 27001
• PCI DSS (Payment Card Industry Data Security Standard)
• ISF Standard for Good Practice
• SANS Critical Security Controls
• COBIT 5 for Information Security

5/4/2024 ISO 27001 Lead Implementer prepared By khaled Gamo copy right@2021
Benefits Of ISO 27001 Certification

Value Proposition Of ISO 27001 Certification

Information Security Effectiveness
• Executive Management visibility and support for security
• Increased security accountability
• Adequate and effective protection of key assets
• Improved awareness and security-minded culture
• Improved resilience and agility

Compliance
• Compliance with applicable regulations and legislation
• Compliance with government rules
• Compliance with organizational directives
• Reduction in audit costs and efforts
• Ability to respond efficiently to change in the compliance landscape

Building and maintaining trusted relationships
• Market differentiation
• Confidence to stakeholders
• Reputation protection
• Brand enhancement
• Increase in trusted relationships with third parties
• Expected financial return

Risk Mitigation
• Risk insight
• Risk prioritization
• Risk avoidance
• Risk mitigation
• Cost avoidance
• Faster, easier recovery from attack

What is Information

ISO 27001 is about Information Security

• Information is an organizational asset, which has a value and needs to be appropriately protected
• Without protection, information can:
– Lose confidentiality
– Be modified, with or without our knowledge
– Be deleted or lost irreparably
– Be made unavailable

Why is information important?
How would you deliver your business services if you lost
information?
– Customer information
– Systems documentation and configuration
– Business and marketing plans
– Procedures for key processes
– Financial information

ISO 27001 is about protection of information in support of the business

Information covered by ISO27001

• Internal
Information that you would not want your competitors to know (e.g. company strategy)
• Customer/client/supplier
Information that they would not wish you to disclose (e.g. client NID)
• Shared
Information that needs to be shared with other trading partners

Information security

ISO27001 is concerned with the preservation of:
• Confidentiality
• Integrity
• Availability

However an organization may also consider:
• Authorization
• Non-repudiation
• Accountability

Examples of information:
• Paper
– Documents
– Ordinary mail
• Electronic media
– Database records
– E-mails
– CD-ROMs, DVDs, tapes etc.

What is an ISMS?

• ISMS (Information Security Management System)
• Coordinated set of activities, processes, people and controls aimed at the protection and management of information
• An ISMS is not about technical security alone
• It is a management system!

Managed Information Security

Having a firewall does not mean managing information security; managing it involves:

• Having a firewall administrator who is responsible for its maintenance.
• Having a process for carefully identifying firewall rules and configuration.
• Having a controlled process for approving changes to the firewall.
• Regularly reviewing firewall logs and configuration.
• Taking appropriate corrective and preventive actions.
• Having a process for configuration audit.
• Allocating resources for making sure all the above can be sustained over time.
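The list above describes a process, not a tool. As an added illustration (not part of the course slides), the script below shows what two of those activities look like when they are actually carried out: a configuration audit that compares the rules running on a firewall with the approved baseline plus the change register from the change-approval process, and a periodic log review that counts denied connections per source. Every rule, change record and log line is constructed sample data, and the field layout (rule id, action, src, dst, port; "key=value" log lines) is an assumption rather than any vendor's format.

```python
"""
Added example (not from the course slides): a small configuration-audit
and log-review check of the kind the "managed firewall" process implies.
All rule sets, change records and log lines are constructed sample data;
the field names and the log format are assumptions, not a vendor format.
"""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str      # "allow" or "deny"
    src: str
    dst: str
    port: int


# Baseline approved at the last configuration audit (constructed).
BASELINE = {
    Rule("FW-001", "allow", "10.0.1.0/24", "10.0.2.10", 443),
    Rule("FW-002", "allow", "10.0.1.0/24", "10.0.2.11", 25),
    Rule("FW-003", "deny", "any", "any", 23),
}

# Changes signed off through the change-approval process since then (constructed).
CHANGE_REGISTER = {
    "CHG-0042": Rule("FW-004", "allow", "10.0.3.0/24", "10.0.2.12", 8443),
}

# What is actually loaded on the device right now (constructed):
# FW-002 was removed without a ticket and FW-009 was added without one.
RUNNING = {
    Rule("FW-001", "allow", "10.0.1.0/24", "10.0.2.10", 443),
    Rule("FW-003", "deny", "any", "any", 23),
    Rule("FW-004", "allow", "10.0.3.0/24", "10.0.2.12", 8443),
    Rule("FW-009", "allow", "any", "10.0.2.10", 3389),
}


def audit_rules(running, baseline, change_register):
    """Return (unapproved, missing): rules in place without approval, and
    approved rules that are not actually in place. Both are drift that the
    configuration audit should raise for corrective action."""
    approved = set(baseline) | set(change_register.values())
    unapproved = sorted(running - approved, key=lambda r: r.rule_id)
    missing = sorted(approved - running, key=lambda r: r.rule_id)
    return unapproved, missing


# Constructed log lines in a simple "key=value" style (format is an assumption).
LOG_LINES = [
    "2024-05-04T10:00:01 action=deny src=203.0.113.7 dst=10.0.2.10 port=3389",
    "2024-05-04T10:00:02 action=deny src=203.0.113.7 dst=10.0.2.10 port=22",
    "2024-05-04T10:00:03 action=allow src=10.0.1.15 dst=10.0.2.10 port=443",
    "2024-05-04T10:00:04 action=deny src=203.0.113.7 dst=10.0.2.11 port=23",
    "2024-05-04T10:00:05 action=deny src=198.51.100.9 dst=10.0.2.11 port=23",
]

LOG_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) .*port=(?P<port>\d+)")


def review_denies(log_lines, threshold):
    """Count denied connections per source address and return the sources
    at or above `threshold`, most active first, for the periodic log review."""
    denies = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("action") == "deny":
            denies[m.group("src")] += 1
    return [(src, n) for src, n in denies.most_common() if n >= threshold]


if __name__ == "__main__":
    unapproved, missing = audit_rules(RUNNING, BASELINE, CHANGE_REGISTER)
    for r in unapproved:
        print(f"UNAPPROVED rule in place: {r.rule_id} {r.action} {r.src}->{r.dst}:{r.port}")
    for r in missing:
        print(f"APPROVED rule missing:    {r.rule_id} {r.action} {r.src}->{r.dst}:{r.port}")
    for src, n in review_denies(LOG_LINES, threshold=3):
        print(f"{src}: {n} denied connections, review")
```

The point of the script is the pairing of the running configuration with the approved baseline and change register: a rule can only be "correct" relative to a documented decision, which is why the slide puts a controlled change process before log and configuration review. The unapproved FW-009 rule (any source to port 3389) and the silently removed FW-002 rule are exactly what a configuration audit exists to surface.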

Clause 4 Context of the Organization

4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information Security Management System

Clause 4 Context of the Organization

• Make sure all aspects of the ISMS scope are addressed
– Business, information security, legal and regulatory requirements
– Must protect information for the purposes of meeting business, legal, regulatory and contractual requirements
• Identification of information security requirements of:
– Applicable legislation
– Contractual obligations
– Regulatory compliance

Organizational principles, objectives and business requirements

• Identify organizational principles, objectives and business requirements to ensure
– Competitive edge
– Cash flow/profitability
• Security requirements should be documented as part of the risk assessment

Legal, regulatory and contractual requirements

Should not breach any statutory, criminal or civil obligations, or commercial contracts
• Must be identified not just for the organization but also for
– Trading partners, contractors, service providers
• Examples of important requirements to be met:
– Control of proprietary software copying
– Safeguarding organization records
– Data protection
• Reflected in the ISMS Policy

5.1 Leadership and Commitment

a) Establishing the Information security policy and the Information Security Objectives
b) Ensuring the integration of the information security management
system requirements into the organization’s processes
c) Ensuring availability of resources for the ISMS
d) Communicating the importance of effective information security
management and of conforming to the information security management
system requirements
e) Ensuring that the ISMS achieves its intended outcomes
f) Directing and supporting persons to contribute to the effectiveness of
the ISMS
g) Promoting continual improvement
h) Supporting other relevant management roles to demonstrate their
leadership as it applies to their areas of responsibility

5.3 Organizational Roles, Responsibilities and Authorities

Policies, standards and procedures

Tier 1 Policy: Information Security Policy
Tier 2 Policy: Backup policy

6.2 Information Security Objectives
The information security objectives shall:
a) be consistent with the information security policy
b) be measurable (if practicable)
c) take into account applicable information security
requirements, and results from risk assessment and
risk treatment
d) be communicated
e) be updated as appropriate.
When planning how to achieve its information security
objectives, the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed; and
e) how the results will be evaluated.
Define the ISMS scope

Most important step of the implementation process

• The scope must be clearly defined
• Identifying key departments/people involved
• Involves business aware/responsible staff
• Linked to business objectives
• Iterative process
• Defined in terms of
– Characteristics of the business
– The organization
– Location
– Assets
– Technology
• Include details for any exclusions from the scope
Writing the Scope

• Scope format not prescribed by the standard
• ISMS scope document (clause 4.3)
• CB makes sure that the scope meets the requirements of the standard and that it is clear and unambiguous
• A scope statement will appear on the ISO27001 certificate issued by the Certification Body (CB)
• Also linked to the Statement of Applicability (SOA)
• Best practice Scope Document
– Scope statement → Appears on the ISO27001 Certificate
– Detailed description

Scope Statement
The following statement, known as the ISMS Scope Statement, provides a summary description of the overall ISMS Scope and is also reported on the xxxx ISO27001 Certificate of Compliance issued by the Certification body.
“The scope of the information security management system of xxxx to the delivery of the yyyy services of bill payment, money transfer, in accordance with the statement of applicability {CLI-REC-002_v1.0}.”

Scope How to

• Top down approach
– Identify key business services (senior management)
– Draw a pictorial map of the organization
– Identify departments and processes in support of those services
• Scope Boundaries
– Identify which departments and processes we have direct control over
– Identify dependencies
– Internal
– External

Scope and boundaries

• Identify interfaces with:
– Supporting departments
– Third parties and external organizations
– Suppliers
• Controlling dependencies
– SLAs, OLAs, MOUs, contracts
– Outsourcing arrangements

Example: scope of ISMS

“The provision of financial services such as loans and leases by the head office in Asia which has branches throughout Europe. It also includes the provision of support services like supervision, rescheduling of the repayment and the collection of payments. The main asset of the company is its manpower and the use of the IT hardware and software to support the business.”
