
Planning For ISO 27001-27002 Certification

Published on: 8/17/2014
Topic: Cyber Security Compliance Standards
Collectively, the ISO 27000 series consists of 9 standards (27001-27010), each of which focuses on a specific function. In addition, 6 other standards are defined to focus on related domains, e.g. telecom, BCP, network & application security.

ISO 27000 Standards

ISO/IEC 27000 - Provides the overview & vocabulary used to reference the ISO 27000 standards.

ISO/IEC 27001 - Formal specification of an Information Security Management System (ISMS)

ISO/IEC 27002 - Defines guidelines for information security controls

ISO/IEC 27003 - Guidance for ISMS implementation

ISO/IEC 27004 - Reference for ISMS metrics & measurement

ISO/IEC 27005 - Risk management process & methods

ISO/IEC 27006 - Guidelines for planning ISMS certification

ISO/IEC 27007 - Guidelines for ISMS auditing

ISO/IEC 27008 - Guidelines focused on technical auditing

ISO/IEC 27010 - Guidelines for sharing confidential information within an organization group or with external organizations

ISO/IEC 27011 - ISMS guidelines focused on telecommunication-domain organizations

ISO/IEC 27031 - Guidelines in the context of business continuity & disaster planning

ISO/IEC 27033 - Guidelines for managing network systems security

ISO/IEC 27034 - Guidelines for managing application security

ISO/IEC 27035 - Guidelines for incident management

ISO 27799 - ISMS guidelines focused on healthcare-domain organizations

ISO 27000 – Scope for Assessment & Certification

Information Technology is core to ISO 27001 & 27002, but ISMS controls should be applied to all other departments across the organization as well. The scope may be defined based on the organization's vision & the objectives behind ISO 27000 compliance. Additional standards are available for the healthcare & telecom domains, complementing the core standards.

Restricting the scope may reduce the cost & effort involved, but uncontrolled processes & practices outside the scope strongly influence the processes & controls within scope. Most organizations plan a phase-wise implementation, extending the scope over time.

ISO 27001 Certification

ISO/IEC 27002 is a code of practice against which organizations can be assessed or audited but not formally certified. ISO/IEC 27002 contains a set of 39 key control objectives for information security and lists the best practices that are commonly used to satisfy those control objectives. ISO/IEC 27001 describes the formal specification for an ISMS, with the focus on the management system itself rather than on describing information security controls. The management system element of an ISMS can be specified more easily, and in a generic but formal way, than the information security controls, and therefore ISO/IEC 27001 is the standard against which organizations can be formally certified.

Maintaining compliance with the ISO 27001 specification is mandatory for certification, but the control objectives listed in ISO 27001 Annex A are optional and are mapped to the ISO/IEC 27002 sections. Organizations may choose the security control objectives they deem necessary to fulfill and relevant to their organizational objectives.

Below are the major functions covered:

  • Organization of information security

  • Asset management

  • Human resources security

  • Physical and environmental security

  • Communications and operations management

  • Access control

  • Information systems acquisition, development and maintenance

  • Information security incident management

  • Business continuity management

  • Meeting other Compliance (technical/legal/copyright etc.)

Please note that the above list does not include all the sections defined in the specification; these are just the major functional areas in scope. You may purchase the full standard document from the ANSI Store for complete reference.

Below are the key steps involved in the certification process:

  • Define ISMS Scope & Objectives

  • Build Assets Inventory

  • Assessment of Security Risks

  • Prepare Statement of Applicability (SOA) and Risk Treatment Plan (RTP)

  • Define ISMS implementation project roadmap

  • Start ISMS implementation program and maintain as ongoing process

  • Collect process compliance artifacts

  • Review compliance adherence and gaps

  • Plan & execute corrective actions

  • Conduct pre-certification assessment

  • Plan Formal Certification audit from a recognized Certification Body/Auditor

ISO 27000 – Major Challenges

Every organization is unique and has its own set of challenges depending on affordability, vendor/supplier model, management support and prior implementation of other standards. A few common challenges are as follows:

- Deciding on the control boundary, especially for the initial phase.

- Demand for dedicated ISMS staff, including a Chief Information Security Officer and other InfoSec team members with a background in the information security domain.

- Setting up risk assessment and auditing processes in a formal manner.

- Affordability of additional hardware and software, including digital assets as well as physical access controls.

- Dealing with vendors & suppliers: maintaining their compliance and replacing vendors who cannot ensure adherence to ISMS processes & controls.

- Increased complexity and TAT (turnaround time) due to new processes introduced for existing functions.

- Formal asset tracking & control.

- Dealing with non-compliance incidents without impacting running practices & operations.

- Technical ability to train or hire staff to work with new monitoring & tracking software, and to maintain compliance across a broad set of technology platforms, including shared resources like cloud/web hosting and mobile usage.

- Improving awareness among employees and tracking compliance, especially outside the organization-controlled boundary, e.g. sharing critical information outside the trusted zone.
