ISO 27001
Information Security Management System (ISMS)
ISMS Clauses
Clause 4: Context of the Organization
Understanding the organization and its context
Understanding the needs and expectations of interested parties
Determine the scope of ISMS
ISMS
Clause 5: Context of Leadership
Leadership and Commitment
Why is top management commitment important?
Top management sets the "tone at the top" and is a key role player in bringing the whole organization on board.
Key to ensure that the objectives of the ISMS align with the overall business strategic objectives and direction.
How should top management commitment be demonstrated according to the standard?
Ensuring alignment between information security objectives and the organization's strategic objectives
Ensuring that the required resources are made available
Ensuring the integration of ISMS requirements into business processes
Communicating the importance of info security management and demonstrating conformance to the requirements of the ISMS
Ensuring that the intended outcomes of the ISMS are achieved
Providing direction and support to other management roles to demonstrate their leadership relevant to the ISMS in their areas.
Documentation to prove the involvement of top management
Budgets for ISMS activities
Meeting minutes or attendance registers for ISMS workshops
Approval of various supporting documents and policies
Evidence of participation in risk management and assessment workshops
Official communication to the organization from top management
Mandatory documents required are the information security policy and the ISMS manual.
In those documents, the mandatory section pertaining to top management specifically covers their commitment. It contains statements from top management which formally depict, in writing, the management's commitment to achieving the ISMS objectives and to continually improving the ISMS in conjunction with the overall security posture of the organization.
Demonstrating the benefits to top management through a business case
Benefits of the ISMS: can include info security risk reduction, streamlining and securing of processes to leverage cost-saving, and providing trust to clients and stakeholders thereby increasing brand value.
Cost of the ISMS: Resources costs, infrastructure or control costs, audit and certification costs, ongoing maintenance and improvement costs.
Return on investment: Putting the actual costs as well as the benefits together in a business case will help to more accurately depict what the return on investment will be and therefore garner greater top management support.
Information security Policy and the ISMS manual
Clause 5.2 specifically pertains to the information security policy.
Top management support statement
A statement by top management of their support for the ISMS.
Information security objectives
The objectives the ISMS seeks to achieve
Example: Ensuring the business resilience of XY Traders by preventing and minimizing the impact of security incidents.
Information security policy statements:
The high-level policy statements of the overarching policy.
References to supporting documents:
This includes legislative considerations as well as other policies, procedures, etc.
ISMS Manual/ Policy
Central place to document summary information for each clause.
E.g. if you have nowhere else to document decisions made or supporting information, having one central document for that can make life easier.
Clause 4 information is really important here
Context of the organization, internal and external parties, needs of those parties, and the ISMS scope.
Statements from top management
regarding commitment to the ISMS and information security requirements
Must be communicated to all personnel falling within the ISMS scope.
Top management must be involved in the review and
Organizational Roles, responsibilities, and Authorities
The responsibility for setting roles and responsibilities
Who needs to define and assign roles and responsibilities?
Top management is responsible for ensuring that the responsibilities and roles relating to the ISMS are formally assigned and communicated
Formal roles with associated authorities should be mandated to carry out required functions
Activities should be formally assigned to individuals to ensure they are performed
What roles or responsibilities are required?
Ensuring that the information security management system conforms to the requirements of this international standard
Depending on the size and nature of the organization, specifically in terms of the risk profile, you may need a large information security team that manages everything from governance, risk management, compliance, network hardening, incident monitoring and response, and so forth.
In smaller organizations, these functions may be required on a much smaller scale, making it possible for a cross-skilled team to manage the roles and responsibilities.
Ultimately you need to ensure that the required information security functions are being performed and the appropriate monitoring of these functions is taking place.
In many instances, existing staff who are not directly responsible for an information security function may be required to assist in monitoring and reporting on information security performance within their department.
For example, the HR team may participate in the ISMS by providing specific metrics pertaining to the HR department, and by ensuring, when new hires join, that the correct paperwork pertaining to user access rights is kept on that user's file, so that when the user leaves the organization the appropriate access rights are terminated (offboarding).
Reporting on the performance of the information security management system to top management.
Example of roles
ISMS coordinator/champion (Role and Activity)
They will spearhead your ISMS implementation and maintenance project. They would not necessarily do all of the activities alone, and shouldn't, but they would have in-depth knowledge of the ISO 27001 standard, how to implement it, and how to involve the rest of the organization in making this a successful activity.
Information security risk assessment and treatment advising (Activity)
Information security processes and system design (Activity)
Setting standards for the configuration and operation for info security controls (Activity)
Information security incident manager/team (Role and Activity)
Information owners (Role)
Process owners (Role)
Asset Owners (Role)
Risk Owners (Role)
Line Manager (Role)
Information Users (Role)
Documentation of roles
How should these responsibilities be defined?
A RACI chart is a nice way to depict on one page, who the involved parties are, what their functionalities and responsibilities are, and to what level each party is involved in each function.
Clause 6: Context of Planning
Introduction to information security risk management
What are we protecting? information assets
What are we protecting these against? Threats
What could allow threats to get access to the assets? Vulnerabilities
When a threat and a vulnerability exist together, a risk is present. This risk is specific to the security of the information asset, i.e. information security risk.
Risk likelihood and impact need to be determined
The risk needs to be appropriately treated.
Identification of assets
Identifying assets:
ISO 27005 provides great guidance for the steps in information security risk management
An asset can be "anything of value to an organization"
Value can be monetary or important to business objectives and processes
Understanding asset types
Primary Assets
Information Assets
Business Processes
Supporting Assets
Usually "Tangible" Assets
Often "Contains" or stores information assets
E.g. Servers, software, databases, monitors, network components, etc.
Asset Valuation and Impact
Valuation
Qualitative Approach: Expressed in words - high value, very important, low value, etc.
Quantitative Approach: Expressed in monetary terms.
Replacement cost + any other costs incurred as a result of loss = value
Impact
Direct Impact: Financial loss due to replacement costs or a loss of income.
Indirect Impact: Asset damage could result in reputational damage, business interruption, etc.
Documentation of assets
A list of information Assets
One of the controls in Annex A - A.8.1.1
Associated asset value
Potential impact of asset in terms of damage to CIA
Supporting assets or containers (e.g. hardware and software assets)
Identification of Threats
What are threats?
Man-Made(intentional or accidental)
Natural(Earthquakes, storms, etc)
Environmental(Fire, Electrical fault, etc)
Common threat actor groups
Criminal Syndicates
Hacktivists
Internal Employees (Accidental)
Internal Employees (Disgruntled)
Internal Employees (Privileged)
External Suppliers
Terrorists
Identification of existing controls
Statement of applicability
Processes and procedures
Previous Audits
Risk Treatment plans
Information security, IT, and other staff can provide control input.
Identification of vulnerabilities
Vulnerabilities from vulnerability assessments and pentests
Control Breakdowns
Audit findings
Areas where controls haven't yet been implemented
Personnel
Dependencies on sole personnel or external parties
Identification of consequences
Risk Analysis
Risk Analysis steps
Choose a methodology that works for your organization: E.g. IRAM2, NIST 800-37, ISO 27005 etc.
Qualitative versus Quantitative or Hybrid Approach
During the assessment of the consequences, one tries to better quantify or understand the consequences in terms of the asset value.
The assessment of likelihood is quite critical. The best way to look into likelihood is to look into the history within the organization: has this incident occurred in the past and, if so, how often?
Quantify the consequences (impact) e.g., High(3), medium(2), Low(1)
Quantify the likelihood of the incident occurring (e.g. Likely(3), unlikely(2), remote(1))
Determine the level of risk
Risk analysis methodologies
Likelihood and impact scoring example
Examples of Risk Scoring Methods
Classic: Likelihood x Impact
CVSS: Uses CVSS metrics to determine a score
DREAD: Determines a risk based on Damage Potential, Reproducibility, exploitability, affected users, discoverability (DREAD)
OWASP: Uses two categories of likelihood factors and two of impact factors to determine the score
Contributing Risk: Uses one chosen likelihood and has x number of weighted factors contributing to impact, e.g. Confidentiality, Integrity and Availability.
The type of risk scoring also depends on the risk quantification methodology you have chosen.
A quantitative approach may be better supported with a more numbers-based scoring method, to better support the objectivity and quantitative elements required, while a qualitative approach is always a lot more subjective in nature. However, the approaches can be hybridized and blended, as having just one or the other is sometimes not as effective as a combination of both.
Using a tool like SimpleRisk, you can score each risk differently: a more qualitative risk such as a disgruntled employee taking down a server can be scored using the classic method, while a cross-site scripting attack on a web application can be scored using the CVSS or OWASP risk scoring method.
OWASP risk methodology uses 4 factors for rating the likelihood.
Threat agent factors
Skills Level
Motive
Opportunity
Size
Vulnerability Factors
Ease of discovery
Ease of exploit
Awareness
Intrusion Detection
Technical Impact Factors
Loss of confidentiality
Loss of integrity
Loss of availability
Loss of accountability
Business Impact Factors
Financial Damage
Reputation Damage
Non-Compliance
Privacy Violation
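To make the scoring methods above concrete (classic likelihood x impact, the OWASP factor-based rating, and a weighted "contributing risk" score), here is an added worked example; it is not part of the original notes and not SimpleRisk's code. The classic scales are the High(3)/Medium(2)/Low(1) and Likely(3)/Unlikely(2)/Remote(1) values given above; the OWASP part follows the public OWASP Risk Rating Methodology (each factor scored 0 to 9, likelihood and impact factors averaged separately, banded at less than 3 / less than 6, then combined in a 3x3 severity matrix); the contributing-risk weights for C, I and A are assumed values, and the sample risks are constructed for illustration.

```python
"""Added example: three of the risk scoring methods listed in the notes.
Assumptions are marked inline; sample risks are constructed, not real assessments."""
from statistics import mean

# Classic method scales, as given in the notes.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"remote": 1, "unlikely": 2, "likely": 3}


def classic_score(likelihood: str, impact: str) -> int:
    """Classic: likelihood x impact on the 1-3 scales (range 1..9)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


# OWASP Risk Rating Methodology: threat-agent + vulnerability factors give likelihood,
# technical + business factors give impact. Every factor is scored 0..9.
OWASP_LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                    # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
OWASP_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability", "loss_of_accountability",  # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",                   # business
)
# Overall severity matrix from the OWASP methodology: rows are the impact band, columns the likelihood band.
OWASP_SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def owasp_band(score: float) -> str:
    """OWASP bands an averaged 0-9 score as LOW (<3), MEDIUM (<6) or HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def owasp_score(factors: dict) -> dict:
    """Average the likelihood and impact factors, band each, combine via the matrix."""
    expected = set(OWASP_LIKELIHOOD_FACTORS + OWASP_IMPACT_FACTORS)
    missing = expected - factors.keys()
    if missing:
        raise ValueError(f"missing OWASP factors: {sorted(missing)}")
    out_of_range = [k for k in expected if not 0 <= factors[k] <= 9]
    if out_of_range:
        raise ValueError(f"factors must be scored 0..9: {sorted(out_of_range)}")
    likelihood = mean(factors[f] for f in OWASP_LIKELIHOOD_FACTORS)
    impact = mean(factors[f] for f in OWASP_IMPACT_FACTORS)
    lb, ib = owasp_band(likelihood), owasp_band(impact)
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_band": lb, "impact_band": ib, "severity": OWASP_SEVERITY[ib][lb]}


# Contributing risk: one likelihood, impact built from weighted C/I/A factors.
# The weights are an assumption for this example (they must sum to 1.0).
CIA_WEIGHTS = {"confidentiality": 0.5, "integrity": 0.3, "availability": 0.2}


def contributing_score(likelihood: str, cia_impacts: dict) -> float:
    """likelihood (1-3) x weighted average of per-CIA impacts (1-3); range 1..9."""
    weighted_impact = sum(CIA_WEIGHTS[k] * IMPACT[cia_impacts[k].lower()] for k in CIA_WEIGHTS)
    return round(LIKELIHOOD[likelihood.lower()] * weighted_impact, 2)


# Constructed sample: an XSS finding on a web application, scored with OWASP factors.
SAMPLE_XSS_FACTORS = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 9,
    "ease_of_discovery": 3, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 2, "loss_of_integrity": 3, "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 4, "non_compliance": 2, "privacy_violation": 5,
}

if __name__ == "__main__":
    # Qualitative risk scored with the classic method, technical finding scored with OWASP.
    print("Disgruntled employee takes down server (classic):", classic_score("unlikely", "high"))
    print("XSS on web application (OWASP):", owasp_score(SAMPLE_XSS_FACTORS))
    print("Server outage, weighted CIA (contributing):",
          contributing_score("likely", {"confidentiality": "low", "integrity": "medium", "availability": "high"}))
```

The point of keeping all three scorers side by side is the hybrid approach described above: each risk in the register can carry the method that fits it, while the output scale (1 to 9 for classic and contributing, a severity band for OWASP) stays comparable enough to rank the register and feed risk evaluation.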
Risk Evaluation
Action to address risks and opportunity
Two types of risks to be considered as part of the risk management process:
Information security risks directly relating to the loss of CIA of info within ISMS scope
Other risks which could affect the outcomes and success of the ISMS, for example top management commitment
General
Information security risks must be handled according to your risk management process and satisfy the steps discussed in previous sections.
All other risks that could affect the ISMS must be documented.
It is also important to show how risks pertaining to the success of the ISMS are being managed.
Opportunities that are identified should also be documented. These can be ways in which the ISMS can be made better or more effective, along with how each risk should be managed and mitigated throughout the ISMS lifecycle.
Information Security Risk Assessment
Information Security risk treatment
Information Security objectives and plans to achieve
Clause 7: Context of Support
Resources
Competence
Awareness
Communication
Documented Information
Clause 8: Context of Operation
Operational Planning and Control
Information Security Risk Assessment
Information Security Risk Treatment
Clause 9: Context of Performance Evaluation
Monitoring, Measurement, Analysis, and Evaluation
Internal Audit
Management Review
Clause 10: Context of Continual Management
Non Conformity and Corrective Action
Continual Improvement
Information Security Risk Management
Required Document to support an ISMS
Monitor, Measure and Evaluate Performance
Non-Conformity and the continual improvement cycle