SF ISACA March16 ISO 27001 Implementation

Jim Macellaro
ISO 27001 IMPLEMENTATION

Presented to:
ISACA
March 24, 2016
Presenters:
Russ Walsh GRC21 - Managing Partner
Jim Macellaro Jim Macellaro Consulting - Founder
Jim Macellaro
Agenda
ISO 27000 Overview
The ISMS
Planning the Implementation
Deploying the ISMS
Measurement and Continual Improvement
Copyright GRC21 and Jim Macellaro 3/24/2016 2

Jim Macellaro
ISO 27000 OVERVIEW

Jim Macellaro
Audience
Certifications:
CISA
CISSP
ISO 27001
Which version 2005 or 2013
Reason for attending

Industry
Planning for ISO 27001
Expanding ISO 27001
General knowledge
Consulting
Building or expanding ISO 27001
Certification firms

Jim Macellaro
ISO Management Principles
Customer Involvement Process

Leadership
Focus of People Approach
System Factual Mutually

Approach to Continual Approach to Beneficial
Management Improvement Decision Supplier
Making Relationships

Jim Macellaro
The Standards
ISO
19,000 standards since 1947
ISO 27000
ISO 27001
ISO 27002
ISO 27003
ISO 27004
ISO 27005
ISO 31000
14 clauses, 35 control objectives, 114 controls

Jim Macellaro
Terminology (lingo)
SOX
Interim testing, roll forward testing, significant deficiencies, material
weaknesses
Final report issued by external auditors (typically the Big 4)
SOC 1/2
Gaps, observations, recommendations
SOC report generally issued by a CPA firm
ITGC / Domains
PCI
Final report is called a ROC (report of compliance) generally
issued by an InfoSec Compliance firm
ISO 27001
Stage 1, Stage 2, Surveillance Audits
Certification only a few firms do this
Jim Macellaro
THE ISMS

Jim Macellaro
Definition of ISMS
An Information Security Management System consists of
the policies, procedures, guidelines, and associated
resources and activities, collectively managed by an
organization, in the pursuit of protecting its information
assets.
An ISMS is a systematic approach for establishing,
implementing, operating, monitoring, reviewing,
maintaining and improving an organizations information
security to achieve business objectives.
It is based upon a risk assessment and the organizations
risk acceptance levels designed to effectively treat and
manage risks.

Jim Macellaro
Clause 4
The Clauses Context of the

Organization
Clause 6
Planning
Plan
Clause 10 Clause 8
Improvement Act Do Operation
Check
Clause 9
Performance
Evaluation
Clause 7 Clause 5
Support Leadership
Annex A
Control Objectives and Controls

Jim Macellaro
ISO 27002 Clauses Nbr of

Controls
5 Information Security Policies 2
6 Organization of Information Security 7
7 Human Resources 6
8 Asset Management 10
9 Access Control 14
10 Cryptography 2
11 Physical And Environmental Security 15
12 Operations Security 14
13 Communications Security 7
14 System Acquisition, Development And Maintenance 13
15 Supplier Relationships 5
16 Information Security Incident Management 7
17 Information Security Aspects Of Business Continuity Management 4
18 Compliance 8
Jim Macellaro
Framework
1. Plan 2. Do 3. Check 4. Act
Organizational Monitoring, Treatment of Non-
Initiating the ISMS Measurement,
Structure conformities
Analysis and
Understanding the Document Evaluation Continual
organization Management Improvement
Analyze the Design of Controls

Internal Audit
existing System & Procedures
Leadership and Management

Communication
project approval Review
Awareness &
Scope
Training
Implementation of
Security Policy
Controls
Incident
Risk Assessment
Management
Statement of Operations
Applicability Management

Jim Macellaro
ISO 27001 Advantages

Improvement of security
Good governance
Conformity
Cost reduction
Marketing

Jim Macellaro
Certification Timeline
Internal Audit
Oct 5
Management Review Stage 2 Audit

Oct 10 Dec 8
Select certification body (registrar) ISMS Complete Stage 1 Audit Certificate Granted
Apr 5 Aug 31 Nov 3 Jan 13
2016 Mar Apr May Jun Jul Aug Sep Oct Nov Dec 2017 2017
Today
Interview Registars Mar 23 - Apr 5

at least 3
Build ISMS Mar 23 - Aug 31 months
Operationalize ISMS Sep 1 - Nov 30
Internal Audit Oct 1 - Oct 5
External Stage 1 Audit Nov 1 - Nov 3
External Stage 2 Audit Dec 1 - Dec 8
Continual
Sep 1 - Jan 31
Improvement
Surveillance Audits annually

Recertification Audit every 3 years

Jim Macellaro
PLANNING THE
IMPLEMENTATION

Jim Macellaro
Understanding
Mission, objectives, values and
the strategies
Organization
External environment
1. Plan Internal environment
Initiating the
ISMS
Key processes
Understanding
the organization Infrastructure
Analyze the
existing System Interested parties
Leadership and
project approval
Business Requirements
Scope
Security Policy
ISMS Objectives
Risk Assessment
Legal, regulatory and
Statement of contractual obligations
Applicability

Jim Macellaro
Analyze the
Identify security processes,
Existing
procedures, plans and
System
measures
1. Plan Identify actual level of
Initiating the
ISMS compliance
Understanding
the organization Evaluate effectiveness and
Analyze the
existing System
Leadership and
maturity level of processes
Gap analysis (not required by
project approval
Scope
Security Policy
the ISO standard)
Risk Assessment
Statement of
Applicability

Jim Macellaro
Leadership
Business case
and Project
Approval Project team
Steering Committee
1. Plan
Initiating the
Project plan
ISMS
Understanding Management approval
the organization
Analyze the
existing System
Leadership and
project approval
Scope
Security Policy
Risk Assessment
Statement of
Applicability

Jim Macellaro
Scope
Defines the boundaries
(organizational, information
system, physical) and
1. Plan applicability of the ISMS
Initiating the
ISMS Helps determine the amount of
Understanding
the organization effort
Analyze the
existing System
Scope can be limited
Leadership and
project approval
Organizational unit(s)
Scope
Geographic area
Security Policy
Risk Assessment
Product or Service
Statement of
Applicability

Jim Macellaro
Scope
Scope
Key characteristics of the organization
Organizational processes
1. Plan Descriptions of roles and responsibilities

Initiating the
for the ISMS
ISMS
Understanding
List of information assets
the organization
List of information systems
Analyze the
existing System
Details and reasons for exclusions
Leadership and
project approval
Scope
Scope Statement
Security Policy
Summary
Risk Assessment
Written on the certificate
Statement of
Applicability

Jim Macellaro
Security Policy
Appropriate to the purpose of the
Requirements organization
Commitment to meeting ISO objectives
Available to the organization as documents
1. Plan Communicated within the organization
Initiating the Available to interested parties, as
ISMS
Understanding
appropriate
the organization ISMS Policy should cover all clauses of
Analyze the
existing System
ISO 27001
Leadership and
project approval
Security policy can be a single document
or separate policy for each ISO 27002
Scope
clause
Security Policy Can be high level statement of policies
Risk Assessment with more detail given in subordinate
Statement of
policies
Applicability

Jim Macellaro
Document Types
Policy high-level business rules, or requirements,
defining what the organization will do to protect
information
Standard collections of system-specific or procedural-

specific requirements that must be met by
everyone
Guideline collections of system specific or procedural

specific "suggestions" for best practice
Process high-level, end-to-end view of related activities that

produce a specific service or product
Narrative indicate where there is a separation of
responsibilities and control points.
Procedure specific operational steps or manual methods that

workers must follow to implement the goal of the
written policies and standards
Note: Standards, guidelines and procedures can be included in
process narratives or in policies (rare)
Jim Macellaro
Policy Document Structure

Summary
Overview
Scope
Objectives
Principles
Responsibilities
Enforcement
Related policies
Definitions
Review and approval information
Version history

Jim Macellaro
Documentation Standard
Outlines content of each type of document
Describes the look and identification of the document
Describes how to review documents
Defines numbering scheme:
Organizational Unit:
Company CP Corporate
Identifier IT Information Technology
OP Operations
XX 000 CP PL 001
Domain: Document Type: Sequential

000 ISMS PL - Policy Number
005 Information Security PN Process Narrative
Policy PR Procedure
006 Organization of ST Standard
Information Security XG Guideline
007 Human Resource XX Other Supporting
Security Document
etc.

Jim Macellaro
Risk
Select risk assessment methodology that
Assessment will provide comparable and reproducible
results
Determine risks and opportunities that
need to be addressed
1. Plan
Initiating the
Establish and maintain risk criteria
ISMS Select risk treatment options
Understanding
the organization Assess control changes, as appropriate
Analyze the
existing System
Formulate risk treatment plan
Leadership and
project approval
Scope - ISO 31000 is a generic framework

Security Policy - ISO 27005 adapts ISO 31000 to
Risk Assessment
information security and is aligned with
Statement of
ISO 27001
Applicability

Jim Macellaro
Statement of
A Statement of Applicability shall be
Applicability produced that includes the following:
1. The necessary control objectives and controls
and
2. Justification for inclusions, whether they are
1. Plan
implemented or not, and
Initiating the
ISMS 3. The justification for exclusions of controls from
Understanding ISO 27001, Annex A
the organization
Analyze the
existing System
Leadership and
project approval - Must be validated and approved
Scope
- One of the first documents that will be
Security Policy analyzed by the certification auditor
Risk Assessment
Statement of
Applicability

Jim Macellaro
DEPLOYING THE ISMS

Jim Macellaro
Organizational
Governance structure
Structure
Information Security
Committee
2. Do
Normally chaired by CISO
Organizational
Operational committees, as
Structure
Document
Management
Design of Controls
& Procedures
appropriate
Communication
- The Information Security Committee should be
Awareness & described in the ISMS Policy
Training
- Membership
Implementation of
Controls - Responsibilities
Incident - Agenda items for meetings
Management
Operations
Management

Jim Macellaro
Document Documented information required by the

Management standard
Documented information determined by
the organization as being necessary for
the effectiveness of the ISMS
2. Do
Organizational
Structure
Document
Management
Design of Controls
- The extent of ISMS documented
& Procedures information can differ by organization
Communication - Size of the organization
Awareness & - Types of activities, processes, products and
Training
services
Implementation of
Controls - Complexity of processes and their interactions,
Incident
Management - Competence of personnel
Operations
Management

Jim Macellaro
Document Documents Explicitly Required Clause

ISMS scope
Management Information security policy 5.2
Information security risk assessment process 6.1.2 &
and results 8.2
Information security risk treatment process and 6.1.3 &
2. Do results 8.3
Organizational Statement of Applicability 6.1.3d
Structure
Information security objectives 6.2
Document
Management Evidence of competence 7.2d
Design of Controls
& Procedures Control of documented information 7.5
Communication
Operational planning and control 8.1
Awareness &
Training ISMS monitoring and measurement results 9.1
Implementation of
Controls Internal audit programs and audit results 9.2
Incident
Management Management review 9.3
Operations
Management Non-conformities, corrective actions and results 10.1

Jim Macellaro
Design of Controls should be specific and concise

Controls & Should address:
Procedures Who What When
Where Why How
2. Do Example:
Organizational
The network administrator (Who) makes sure that
Structure backups are completed (What) by reviewing
Document backup logs (How) each morning (When).
Management
Following the review, the network administrator
Design of Controls
& Procedures completes and signs a checklist (Where) that is
Communication
retained for future reference (Why).
Awareness &
Training
Implementation of
Controls
Note: No requirement to describe in detail each
Incident security control, but highly recommended
Management
Operations
Management

Jim Macellaro
Communication The organization shall determine the need

for internal and external communications
relevant to the ISMS
What to communicate;
When to communicate;
2. Do With whom to communicate;
Organizational
Structure
Who shall communicate; and
Document The processes by which communication shall be
Management
effected
Design of Controls
& Procedures Interested parties to consider:
Communication Employees
Awareness & Investors
Training
Implementation of Suppliers
Controls
Customers / Clients
Incident
Management Media
Operations Communities
Management

Jim Macellaro
Awareness & Ensure the competence of those involved

Training in the operations of the ISMS on the basis
of education, training or experience
Identify required skills
Evaluate education / training needs
2. Do Implement a training program
Organizational
Structure A user who has not been properly
Document
Management
informed, trained and made aware of the
Design of Controls importance of information security is a
& Procedures
potential risk to the security of the
Communication
organization
Awareness &
Training An awareness program is focused on
Implementation of
Controls
encouraging better security behavior
Incident Policy dissemination
Management
Information about threats
Operations
Management Individual responsibility for security

Jim Macellaro
Implementation Operation Planning and Control

of Controls The organization shall plan, implement and
control the processes needed to meet
information security requirements, and to
implement the actions determined to address
identified risks. The organization shall also
2. Do implement plans to achieve information security
Organizational objectives.
Structure
Document The organization shall keep documented
Management information to the extent necessary to have
Design of Controls
& Procedures
confidence that the processes have been
carried out as planned.
Communication
The organization shall control planned changes
Awareness &
Training
and review the consequences of unintended
Implementation of
changes, taking action to mitigate any adverse
Controls effects.
Incident
Management
The organization shall ensure that outsourced
Operations processes are determined and controlled.
Management

Jim Macellaro
Incident Ensure that security events are detected and

Management identified
Educate users about the risk factors that could
cause security incidents
Treat security incidents in the most appropriate
2. Do and effective way
Organizational
Structure
Reduce the possible impact of incidents on the
Document operations of the organization
Management
Design of Controls
Prevent future security incidents and reduce
& Procedures their change of occurrence
Communication Improve security controls of the organization by
Awareness & correcting any deficiencies identified following
Training
Implementation of
the analysis of security incidents
Controls
Incident Note: ISO 27035 is a code of practice for
Management
Operations managing information security incidents
Management

Jim Macellaro
Operations Once the ISMS project is complete, the ISMS is

Management transferred to the operations of the organization
Top management shall demonstrate leadership
and commitment with respect to the ISMS by
ensuring that the needed resources are
2. Do available
Organizational The organization shall determine and provide
Structure
Document
the resources needed for the establishment,
Management implementation, maintenance and continual
Design of Controls
& Procedures
improvement of the ISMS
Communication
Budget
Awareness &
Training
Implementation of
Tools
Controls
Incident Qualified
Management Personnel
Operations
Management

Jim Macellaro
MEASUREMENT AND
CONTINUAL IMPROVEMENT

Jim Macellaro
Monitoring and Identifying the measurement objectives

Measuring Selecting attribute objects that can be
measured
Create performance indicators
Evaluate if objectives are achieved and
improve the management system

Jim Macellaro
Internal Audit Types of Audits:

First Party Audits (Internal Audit)
Second Party Audits (Customer Audit)
Third Party Audits (External Independent Audit)
Audit Charter
Access and Independence
Audit Procedures
Audit Activities
External / Certification
Stage 1
Stage 2
Surveillance in years 2 and 3
Non-conformity
Major
Minor

Jim Macellaro
Management Performed by top management

Review
At least annually
Agenda
Status of previous review
Changes
Non-conformities
Monitoring and measuring results
Audit results
Fulfillment of information security objectives
Feedback of interested parties
Results of risk assessment / risk treatment
Continual improvement opportunities

Jim Macellaro
NEXT STEPS

Jim Macellaro
Assistance / Guidance / Training

GRC21
Russ Walsh russell.walsh@grc21.com 408-582-3645
Jim Macellaro Consulting
Jim Macellaro - Jim@jimmacellaro.com 650-269-5141
Jim Macellaro is an IT consultant providing pragmatic technology solutions for business. His
primary focus includes: Process Improvement, Information Security Programs, Compliance
Assessment (ISO 27701, SOC 2, HIPAA, SOX), Governance and Project Management. Jim
has been working with ISO 17799/27001 since 2003. Prior to starting his own firm, Jim held
senior leadership positions with Accretive Solutions, GRIC, Ensim, Siemens and IBM. Jim
also has numerous certifications, including ISO 27001 Lead Implementer.
Russ Walsh is CEO and Managing Partner of Global Resource Connections (GRC21). The
primary focus of GRC21 includes: Information Security (ISO 27001, SOC 1/2/3, HIPAA, SOX,
GRC, PCI), CIO Advisory, Internal Audit (Vendor and Supplier Audits, SOX, and
Risk/Gap/Vulnerability Assessments. GRC21s team has provided advisory services to many
large global companies, including Facebook, Hitachi, Cisco, IBM, EY, Yahoo, Apple, Google,
SAP, and Salesforce along with countless startups including, Kaiam, Chirpify, Opsware, and
Inflexxion. Prior to starting GRC21, Russ held senior leadership positions with SOAProjects,
Opsware, Ernst & Young and Sierra Computing. Russ is also certified in ISO 27001 and
instructs students going through the Lead Implementer and Lead Auditor certification
process.

SF ISACA March16 ISO 27001 Implementation

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SF ISACA March16 ISO 27001 Implementation

Uploaded by

Copyright:

Available Formats

Jim Macellaro

ISO 27001 IMPLEMENTATION

March 24, 2016

Copyright GRC21 and Jim Macellaro 3/24/2016 2

ISO 27000 OVERVIEW

Copyright GRC21 and Jim Macellaro 3/24/2016 3

Reason for attending

Copyright GRC21 and Jim Macellaro 3/24/2016 4

ISO Management Principles

Customer Involvement Process

System Factual Mutually

Copyright GRC21 and Jim Macellaro 3/24/2016 5

14 clauses, 35 control objectives, 114 controls

Copyright GRC21 and Jim Macellaro 3/24/2016 6

Copyright GRC21 and Jim Macellaro 3/24/2016 8

Copyright GRC21 and Jim Macellaro 3/24/2016 9

The Clauses Context of the

Copyright GRC21 and Jim Macellaro 3/24/2016 10

ISO 27002 Clauses Nbr of

Analyze the Design of Controls

Leadership and Management

Copyright GRC21 and Jim Macellaro 3/24/2016 12

ISO 27001 Advantages

Copyright GRC21 and Jim Macellaro 3/24/2016 13

Management Review Stage 2 Audit

Interview Registars Mar 23 - Apr 5

Surveillance Audits annually

Copyright GRC21 and Jim Macellaro 3/24/2016 14

Copyright GRC21 and Jim Macellaro 3/24/2016 15

Copyright GRC21 and Jim Macellaro 3/24/2016 16

Copyright GRC21 and Jim Macellaro 3/24/2016 17

Copyright GRC21 and Jim Macellaro 3/24/2016 18

Copyright GRC21 and Jim Macellaro 3/24/2016 19

1. Plan Descriptions of roles and responsibilities

Copyright GRC21 and Jim Macellaro 3/24/2016 20

Copyright GRC21 and Jim Macellaro 3/24/2016 21

Standard collections of system-specific or procedural-

Guideline collections of system specific or procedural

Process high-level, end-to-end view of related activities that

Procedure specific operational steps or manual methods that

Policy Document Structure

Copyright GRC21 and Jim Macellaro 3/24/2016 23

Domain: Document Type: Sequential

Copyright GRC21 and Jim Macellaro 3/24/2016 24

Scope - ISO 31000 is a generic framework

Copyright GRC21 and Jim Macellaro 3/24/2016 25

Copyright GRC21 and Jim Macellaro 3/24/2016 26

DEPLOYING THE ISMS

Copyright GRC21 and Jim Macellaro 3/24/2016 27

Copyright GRC21 and Jim Macellaro 3/24/2016 28

Document Documented information required by the

Copyright GRC21 and Jim Macellaro 3/24/2016 29

Document Documents Explicitly Required Clause

Copyright GRC21 and Jim Macellaro 3/24/2016 30

Design of Controls should be specific and concise

Copyright GRC21 and Jim Macellaro 3/24/2016 31

Communication The organization shall determine the need

Copyright GRC21 and Jim Macellaro 3/24/2016 32

Awareness & Ensure the competence of those involved

Copyright GRC21 and Jim Macellaro 3/24/2016 33

Implementation Operation Planning and Control

Copyright GRC21 and Jim Macellaro 3/24/2016 34

Incident Ensure that security events are detected and

Copyright GRC21 and Jim Macellaro 3/24/2016 35