
ISO 27001:2013

Information Security Management System (ISMS) Certification Overview

www.kayzedconsultants.com

Index

About us
Information
What is Information Security?
Why Information Security?
ISO 27001:2013
Penetration Test
Benefits

About Us

Kayzed Management Consultant Pvt. Ltd. is one of the largest and leading
business management consulting organizations, offering business
management consulting services to organizations of all natures and sizes.
KAYZED Management Consultant specializes in the entire
range of ISO management system certification standards.
Our consultants provide world-class consulting services and
training for achieving:
ISO 9001 Quality Management System,
ISO 14001 Environment Management System,
HACCP / ISO 22000 Food Safety Management System,
OHSAS 18001 Occupational Health & Safety Management System,
SA 8000 Social Accountability,
ISO 27001 Information Security Management System / ISO 20000 ITSM,
ISO 50001 Energy Management System,
ISO 20001 IT Service Management,
ISO 17025 Laboratory Accreditation,
and all other ISO series management system standards.

We provide one of the most comprehensive suites of consulting services, products and
training in the fields of Quality Management, Marketing Management, Human Resources
Management, Finance Management and Strategic Management to organizations
across all industry verticals, helping them build a progressive and profitable organization by
creating a sustainable competitive advantage in the market.
Our other services:
Franchise Consultancy
Event Management

We operate in:
UAE and Middle East Region, India, Africa,
UK, US, and European countries.

Information and Why Information Security

Information Assets
What is Information?
Current Business Plans
Future Plans
Intellectual Property (Patents, etc.)
Employee Records
Customer Details
Business Partners Records
Financial Records
Information is an asset that, like other important business assets, has value to an
organisation and consequently needs to be suitably protected.

What is Information Security?

Information Security addresses:
Confidentiality (C)
Integrity (I)
Availability (A)

It also involves:
Authenticity
Accountability
Non-repudiation
Reliability

Enterprise/Corporate IT Hardware Resources

Information Security Risks


The range of risks includes:
System failures
Denial of service (DoS) attacks
Misuse of resources (Internet/email/telephone)
Damage to reputation
Espionage
Fraud
Viruses/spyware etc.
Use of unlicensed software

Hacking, Leaking & Stealing Risks

Software & Network Risks

ISO 27001:2013


What is ISO 27001?

ISO 27001 Part I

Code of practice for Information Security Management (ISM)
Best practices, guidance and recommendations for:
Confidentiality (C)
Integrity (I)
Availability (A)

ISO 27001 Part II

Specification for ISM

ISO 27001:2013 Overview

Annex (Control Objectives and Controls)

13 Security Domains (A5 to A18)
Layers of security
39 Control Objectives
Statement of desired results or purpose
113 Controls
Policies, procedures, practices, software controls and organizational
structure
To provide reasonable assurance that business objectives will be
achieved and that undesired events will be prevented or detected and
corrected
Exclusions of some controls are possible if they can be justified.

Plan-Do-Check-Act (PDCA)
ISO 27001 adopts the Plan-Do-Check-Act (PDCA) model,
applied to structure all ISMS processes.

PDCA Model: Plan, Do, Check, Act
Plan: Establish ISMS
Establish ISMS policy, objectives, processes and procedures relevant to
managing risk and improving IS to deliver results in accordance with an
organization's overall policies and objectives.

Do: Implement and operate ISMS
Implement and operate ISMS policy, controls, processes and procedures.

Check: Monitor and review ISMS
Assess, and where applicable, measure process performance against ISMS
policy, objectives and practical experience and report the results to
management for review.

Act: Maintain and improve ISMS
Take corrective actions, based on the results of the internal audit and
management review or other relevant information, to achieve continual
improvement of the ISMS.

ISO 27001 PDCA Approach

Plan, Do, Check, Act:
Study requirements
Draft an IS Policy
Discuss in IS Forum (committee)
Finalize and approve the policy
Establish implementation procedure
Staff awareness/training
Implement the policy
Monitor, measure and audit the process
Improve the process

ISMS Scope

Business security policy and plans
Current business operations requirements
Future business plans and requirements
Legislative requirements
Obligations and responsibilities with regard to security contained in SLAs
The business and IT risks and their management

ISO 27001 Implementation

Steps
Decide on the ISMS scope
Approach to risk assessment
Perform GAP Analysis
Selection of controls
Statement of Applicability
Reviewing and Managing the Risks
Ensure management commitment
ISMS internal audits
Measure effectiveness and performance
Update risk treatment plans, procedures and controls

Penetration Test

Penetration Test Stages (When Needed)

Layered Security

Benefits

Benefits of pursuing certification

Allows organizations to mitigate the risk of IS breaches
Allows organizations to mitigate the impact of IS breaches when they occur
In the event of a security breach, certification should reduce the penalty imposed by regulators
Allows organizations to demonstrate due diligence and due care
to shareholders, customers and business partners
Allows organizations to demonstrate proactive compliance with legal, regulatory and contractual requirements,
as opposed to taking a reactive approach
Provides independent third-party validation of an organization's ISMS
