Iso 27001 2013

OVERVIEW
1. ISO Project Description
2. ISO Project Execution
1. Stage 1: Assessment and Prioritization
2. Stage 2: Development
3. Stage 3: Communication
4. Stage 4: Review
3. Conclusion
2

3
ISO PROJECT DESCRIPTION

Building policies is crucial for an
organization.
However, building policies by themselves will
not be enough to maintain or build cyber
resilience.
It needs to be followed by process,
technology, and awareness.
4
Policy
People
TechnologyProcess

5
Targeted attacks cost $92,000 for
small/medium businesses and $2.4
million for large businesses.
Serious security incidents cost
$50,000 for small/medium
businesses and $649,000 for large
businesses.
2013: 91% of the companies had
at least one external IT security
incident and 85% had internal
incidents.
Security policies
enable security through
process and people
following the right
actions, in alignment
with the according
technology in place.
Source 2013

6
Communication, enforcement, and maintenance of the policies are the real
challenges.
▪ Do you know what policies has your company ?
▪ Did you read them all ?
▪ How to make sure that they are update ?

7
The answer is:

8
Only 40% of non-IT employees are aware of these
policies.
46% of companies reported insufficient time and
resources to update or implement policies.
77% of IT professionals believe their policies need
improvement and updating.
But…
86% of companies have security policies
Kaspersky, Global Corporate IT Security Risks, 2013

9
What is a policy ?
‘’A policy is a deliberate system of principles to guide decisions and achieve rational
outcomes. A policy is a statement of intent, and is implemented as a procedure or
protocol.’’
What is a standard ?
‘’Technical standard, an established norm or requirement about technical systems
International standard, standards suitable for worldwide use
Open standard, a standard that is publicly available

10
‘’Standards organization, an entity primarily concerned with maintaining standards
Standardization, the process of establishing technical standards
Standard operating procedure, a step-by-step instruction to achieve a desired result’’
What is a guideline ?
‘’A guideline is a statement by which to determine a course of action. A guideline aims to
streamline particular processes according to a set routine or sound practice. By definition,
following a guideline is never mandatory.’’
Source: Wikipedia

11
‘’A policy is a guiding principle used to
set direction in an organization.
A procedure is a series of steps to be
followed as a consistent and repetitive
approach to accomplish an end result.’’

12
What is ISO 27001:2013 ?
ISO 27001, the international standard for information security management
‘’ "ISO 27001" (or ISO/IEC 27001:2013, "Information Security Management Systems") is a standard that
provides a good practical framework for establishing, implementing, operating, monitoring, reviewing,
maintaining and improving an ISMS. The key purpose of the ISMS is to bring information risk and
security under management control.’’
Why do you need ISO 27001:2013 ?
At a high level, the ISMS will help minimize the costs of security incidents and enhance the company’s
reputation and general security posture.

13
The ISO 27001:2013 will be used to:
• Thoroughly assess the organization's information risks with a methodical approach, and through a
clear framework
• Design and implement the adequate and efficient security controls, both technical and non-
technical, to address risks
• Comply with applicable laws, regulations and contacts, providing a subsequent commercial
advantage, when related to RFP responses
• Operate, manage and maintain security controls
• Monitor and continuously improve information security, and build a cyber resilient culture

14
ISO PROJECT EXECUTION

15
Stage 1: Assessment and Prioritization
Does your company require an ISO standard and security policies ?
No matter what industry you are in, security policies are a MUST.
• Finance
• Insurance
• Health care
• Public administration
• Education services
• Professional services
• Scientific and technical services

16
1. Build and ensure your stakeholder support and help.
2. Identify the required security policies for YOUR business.
3. Align with the business requirements.
4. Interview the different actors and understand the current
landscape.
5. Proceed with a gap analysis.
6. Define the priorities.

17
▪ Kick-off and stakeholder support.
▪ Define and understand business requirements and run a gap analysis.
▪ Prioritize the controls vs policies.

18
Stage 2: Development
1. Understand the important of the policies.
2. Develop the Security Charter.
3. Prepare all the security policies.
4. Make sure you take in consideration the feedback.

19
Stage 2: Development
▪ Develop the Policy Charter.
▪ Develop the relevant security policies and gather feedback.

20
Stage 3: Communication
1. A good communication program is a must for all project success.
2. Use and consider best practices.
3. Run awareness and training of new policies to employees.
4. Enforcement is a MUST.
5. Define the goals and the metrics.

21
Stage 3: Communication
▪ Communicate awareness and
training of new policies.
▪ Metrics.

22
Stage 4: Review
1. Policies need to be reviewed, at a minimum yearly.
2. The effectiveness of security policies needs to be monitored.
3. Build up the implementation process.

23
CONCLUSION

24
Development Communication
Stage 2 Stage 3
Assessment
Stage 1
Review
Stage 4

25
Security Policy Assessment Tool
Security Charter
Policy Awareness and Training Deck
Policies Subjects:
A.5 – Information security policies
A.6 – Organization of information security
A.7 – Human resource security
A.8 – Asset management
A.9 – Access control
A.10 – Cryptography
A.11 – Physical and environmental security
A.12 – Operations security
A.13 – Communications security
A.14 – System acquisition, development,
and maintenance
A.15 – Supplier relationships
A.16 – Information security incident
management
A.17 –Information security aspects of
BCP
A.18 – Compliance

26
Don’t forget about:
▪ Awareness
▪ Understanding
▪ Compliance
▪ Business alignment

27
The effectiveness of security policies can be assessed based on the
metrics of user awareness, understanding, compliance, and business
alignment.
Awareness Understanding Compliance Business Alignment

THANK YOU !
PLEASE FEEL FREE TO ASK QUESTIONS
OR SHARE YOUR TIPS
28

Iso 27001 2013

More Related Content

What's hot (20)

Similar to Iso 27001 2013 (20)

Recently uploaded (20)

Iso 27001 2013