K2A Training Academy
Division of K2A Management
www.iso-certifications.com | www.k2amanagement.com
"Information technology — Security techniques — Information security management systems — Requirements"
An Awareness Training: ISO/IEC 27001:2013 ISMS
Copy Right-K2A
Rules
NO Smoking
NO Use of Mobile
Tea Break
Lunch break
Course Objectives
On completion of the course, the participant will:
• Understand the significance of safeguarding organisational data and information in the light of possible threats, external and internal
• Learn about the objectives and scope of the ISO 27001 standard in respect of Information Security Management Systems (ISMS)
• Acquire greater awareness of the underlying risks and receive exposure to typical measures to mitigate the risks within one’s own organisation
Key Topics
• Information Security Background
• Information Assets
• ISMS Benefits
• Likelihoods of failures and attacks
• Risks & Annex A Controls
• Cost-effective and consistent reliability and security of the system
• Certification Process
What is Information Security?
The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.
An organization must determine which assets can materially affect the delivery of its products or services by their absence or degradation.
Information Security Management relates to all types of information, be it paper-based, electronic or other.
It determines how information is processed, stored, transferred, archived and destroyed.
Information is secure when its Confidentiality, Integrity, and Availability are ensured.
It is all about protecting information assets from potential security breaches.
Information Assets
Information assets of an organization can be:
• Business data
• E-mail data
• Employee information
• Research records
• Price lists
• Tender documents
The information itself may be:
• Spoken in conversations over the telephone
• Stored on computers
• Transmitted across networks
• Printed out
• Written on paper, sent by fax
• Stored on disks
• Held on microfilm
An asset is something that has “value to the organization”.
Core Values
Confidentiality
• Is my communication private?
• Ensuring that the data is read only by the intended person
• Protection of data against unauthorized access or disclosure
• Possible through access control and encryption
Integrity
• Has my communication been altered?
• Protection of data against unauthorized modification or substitution
• If integrity is compromised, there is no point in protecting the data
• A transparent envelope that is tamper evident
Availability
• Are the systems responsible for delivering, storing and processing information accessible when needed?
• Are the above systems accessible to only those who need them?
Need of ISMS
Management Concerns
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security
Security Measures/Controls
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management
All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS).
Activity
History
1960s: Organizations start to protect their computers
1970s: The first hacker attacks begin
1980s: Governments become proactive in the fight against cybercrime
1990s: Organized crime gets involved in hacking
2000s: Cybercrime becomes treated like a crime
2010s: Information security becomes serious
History of ISO/IEC 17021
Overview
The origin of the ISO/IEC 27000 series of standards goes back to the days of the UK Department of Trade and Industry's (DTI) Commercial Computer Security Centre (CCSC).
Founded in May 1987, the CCSC had two major tasks:
• The first was to help vendors of IT security products by establishing a set of internationally recognised security evaluation criteria and an associated evaluation and certification scheme. This ultimately gave rise to the ITSEC and the establishment of the UK ITSEC Scheme.
• The second task was to help users by producing a code of good security practice, and resulted in a “Users Code of Practice” that was published in 1989. This was further developed by the National Computing Centre (NCC).
BS 7799-2:2002 was officially launched on 5th September 2002.
History of ISO/IEC 17021
Overview
ISO/IEC 27001 is derived from BS 7799 Part 2, first published as such by the British Standards Institute in 1999.
BS 7799 Part 2 was revised in 2002, explicitly incorporating the Deming-style Plan-Do-Check-Act cycle.
BS 7799 Part 2 was adopted as ISO/IEC 27001 in 2005 with various changes to reflect its new custodians.
The 2005 first edition was extensively revised and published in 2013, bringing it into line with the other ISO management system standards and dropping explicit reference to PDCA.
ISO/IEC 17021
Overview
ISO/IEC 27001:2013 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
There are more than a dozen standards in the 27000 family, for example:
• ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary
• ISO/IEC 27010:2015 Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
Benefits
• Protecting your data and reputation
• Stay one step ahead
• Competitive advantage
In this technology-driven world, it is critical to protect your organization's data and that of your customers. Implementing an information security management system (ISMS) and gaining ISO 27001 certification will ensure you have in place the processes and controls to protect your information assets and manage the threats posed to your organization by cyber attacks.
Supporting Standards
By using a risk management approach, ISO 27001 certification helps organizations manage their people, processes and systems, and is the best-known standard in the ISO 27000 family of standards.
• ISO 27032 - Guidelines for cybersecurity
• ISO 27018 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO 27017 - Code of practice for information security controls for cloud services
Break
Clause Structure
ISO/IEC 17021:2013
Mandatory Process
4. Context of Org
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
Annexure A: Control Objectives
14 Domains
35 Control Objectives
114 Controls
Risk Assessment
Risk Approach: Residual Risk; Contractual, Regulatory, Business
Risk assessments
The definition of risk is the “effect of uncertainty on objectives”, which may be positive or negative.
Baseline controls based on regulatory, business and contractual obligations may be identified and implemented before the risk assessment is conducted.
The organization identifies risks to the organization's information; the assessment does not have to be asset-based.
The risk owner determines how to treat the risk, accepting residual risk.
Controls are drawn from any source or control set.
Selected controls are compared to those in Annex A.
The Statement of Applicability records whether a control from Annex A is selected and why.
Activity
14 Domains
The 14 control sets of Annex A
Number of Domains and Controls
The 114 controls of Annex A
Domain                                                                Control Obj.  Controls
A.5  Information security policies                                         1            2
A.6  Organization of information security                                  2            7
A.7  Human resources security                                              3            6
A.8  Asset management                                                      3           10
A.9  Access control                                                        4           14
A.10 Cryptography                                                          1            2
A.11 Physical and environmental security                                   2           15
A.12 Operations security                                                   7           14
A.13 Communications security                                               2            7
A.14 Systems acquisition, development & maintenance                        3           13
A.15 Supplier relationships                                                2            5
A.16 Information security incident management                              1            7
A.17 Information security aspects of business continuity management        2            4
A.18 Compliance                                                            2            8
Total (14 domains)                                                        35          114
Controls
The 114 controls of Annex A
A.5 Information security policies (2 controls): how policies are written and reviewed.
A.6 Organisation of information security (7 controls): the assignment of responsibilities for specific tasks.
A.7 Human resource security (6 controls): ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
A.8 Asset management (10 controls): identifying information assets and defining appropriate protection responsibilities.
A.9 Access control (14 controls): ensuring that employees can only view information that’s relevant to their job role.
A.10 Cryptography (2 controls): the encryption and key management of sensitive information.
A.11 Physical and environmental security (15 controls): securing the organisation’s premises and equipment.
A.12 Operations security (14 controls): ensuring that information processing facilities are secure.
Controls
The 114 controls of Annex A
A.13 Communications security (7 controls): how to protect information in networks.
A.14 System acquisition, development and maintenance (13 controls): ensuring that information security is a central part of the organisation’s systems.
A.15 Supplier relationships (5 controls): the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
A.16 Information security incident management (7 controls): how to report disruptions and breaches, and who is responsible for certain activities.
A.17 Information security aspects of business continuity management (4 controls): how to address business disruptions.
A.18 Compliance (8 controls): how to identify the laws and regulations that apply to your organisation.
Documentation
Documentation Structure (Level-1 to Level-4): Policy, Scope, Risk Assessment, Procedures, Work Instructions, Records
Process Approach
PDCA Approach: Plan, Do, Check, Act
Risk Management
PDCA Approach
Identify Risks
• Identify all Stakeholders
• Identify Business Processes
• Identify Operational Processes
• Identify Assets
• Identify Risks on the basis of all Stakeholders
• Identify Threats and Vulnerabilities
• Evaluate Probability and Impact
• Calculate Risk Value
Risk Treatment
• Mitigate/Reduce risk
• Avoid risk
• Transfer risk
• Accept risk
Risk Management
• Mitigate the risk by appropriate controls
• Evaluate controls periodically
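As an added example (not from the K2A deck), a small Python risk register that walks the steps of this slide and the Risk Assessment slide: identify asset, threat and vulnerability, score probability and impact, calculate the risk value, let the risk owner choose a treatment against an acceptance threshold, and record the Annex A comparison in a Statement of Applicability. The 1..5 scales, the appetite threshold, the control effects and the sample assets are all constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: probability and impact are scored 1..5, and the risk owner
# accepts any risk value at or below this threshold as residual risk.
RISK_APPETITE = 6

@dataclass
class Control:
    name: str
    annex_a: Optional[str]       # Annex A domain (A.5 .. A.18) it maps to, or None
    prob_reduction: int = 0      # constructed effect on probability once implemented
    impact_reduction: int = 0    # constructed effect on impact once implemented

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: int
    impact: int
    owner: str                   # the risk owner who decides the treatment
    controls: List[Control] = field(default_factory=list)  # drawn from any source

def risk_value(probability: int, impact: int) -> int:
    """Risk value as the slide defines it (probability x impact), floored at 1."""
    return max(1, probability) * max(1, impact)

def inherent(risk: Risk) -> int:
    return risk_value(risk.probability, risk.impact)

def residual(risk: Risk) -> int:
    """Risk value left once the selected controls take effect."""
    p = risk.probability - sum(c.prob_reduction for c in risk.controls)
    i = risk.impact - sum(c.impact_reduction for c in risk.controls)
    return risk_value(p, i)

def treatment(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Constructed decision rule for the four options: accept inside appetite, mitigate if
    controls bring residual risk inside appetite, else avoid at top impact or transfer."""
    if inherent(risk) <= appetite:
        return "accept"
    if risk.controls and residual(risk) <= appetite:
        return "mitigate"
    return "avoid" if risk.impact == 5 else "transfer"

def statement_of_applicability(risks: List[Risk], annex_a_domains: List[str]) -> dict:
    """Compare selected controls with Annex A: per domain, selected or not, and why."""
    soa = {}
    for domain in annex_a_domains:
        reasons = [f"{r.asset}: {r.threat}" for r in risks
                   for c in r.controls if c.annex_a == domain]
        soa[domain] = {"selected": bool(reasons),
                       "justification": "; ".join(reasons) or "no identified risk requires it"}
    return soa

# Constructed sample register (assets, scores and controls are illustrative only)
MFA = Control("Multi-factor authentication on remote access", "A.9", prob_reduction=3)
BACKUPS = Control("Tested off-site backups", "A.12", impact_reduction=2)
REGISTER = [
    Risk("Customer database", "credential theft", "single-factor remote login", 4, 5, "CIO", [MFA]),
    Risk("File server", "ransomware", "no tested restore", 3, 4, "IT manager", [BACKUPS]),
    Risk("Printed price lists", "disclosure", "left on desks", 2, 2, "Sales lead"),
]
DOMAINS = ["A.9", "A.10", "A.12"]
```

Calling treatment() on each REGISTER entry yields mitigate, mitigate and accept, and the Statement of Applicability marks A.9 and A.12 as selected with the risk that justifies each, and A.10 as not selected.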
Questions
Thank You
