ISO 27001

Information Security Management System (ISMS)

ISMS Clauses

Clause 4: Context of the Organization

Understanding the organization and its context

Understanding the needs and expectations of interested parties

Determine the scope of ISMS

ISMS

Clause 5: Context of Leadership

Leadership and Commitment

Why is top management commitment important?

  • Top management sets the "tone at the top" and is a key role player in bringing the whole organization on board.

  • Key to ensuring that the objectives of the ISMS align with the overall business strategic objectives and direction.

How should top management commitment be demonstrated according to the standard?

  • Ensuring alignment between info security objectives and the organization's strategic objectives

  • Ensuring that the required resources are made available

  • Ensuring the integration of ISMS requirements into business processes

  • Communicating the importance of info security management and demonstrating conformance to the requirements of the ISMS

  • Ensuring that the intended outcomes of the ISMS are achieved

  • Providing direction and support to other management roles to demonstrate their leadership relevant to the ISMS in their areas.

  • Documentation to prove the involvement of top management

    • Budgets for ISMS activities

    • Meeting minutes or attendance registers for ISMS workshops

    • Approval of various supporting documents and policies

    • Evidence of participation in risk management and assessment workshops

    • Official communication to the organization from top management

  • Mandatory documents required are the information security policy and the ISMS manual.

  • Those documents contain a mandatory section on management, specifically its commitment: statements from top management that formally record, in writing, management's commitment to achieving the ISMS objectives and to continually improving the ISMS together with the overall security posture of the organization.

Demonstrating the benefits to top management through a business case

  • Benefits of the ISMS: can include info security risk reduction, streamlining and securing of processes to leverage cost-saving, and providing trust to clients and stakeholders thereby increasing brand value.

  • Cost of the ISMS: Resources costs, infrastructure or control costs, audit and certification costs, ongoing maintenance and improvement costs.

  • Return on investment: Putting the actual costs as well as the benefits together in a business case will help to more accurately depict what the return on investment will be and therefore garner greater top management support.

Information security Policy and the ISMS manual

Clause 5.2 specifically pertains to the information security policy.

  • Top management support statement

    • A statement by top management of their support for the ISMS.

  • Information security objectives

    • The objectives the ISMS seeks to achieve

    • Example: Ensuring the business resilience of XY Traders by preventing and minimizing the impact of security incidents.

  • Information security policy statements:

    • The high-level policy statements of the overarching policy.

  • References to supporting documents:

    • This includes legislative considerations as well as other policies, procedures, etc.

ISMS Manual / Policy

  • Central place to document summary information for each clause.

    • E.g. if you have nowhere else to document decisions made or supporting information, having one central document for that can make life easier.

  • Clause 4 information is really important here

    • Context of the organization, internal and external parties, needs of those parties, and the ISMS scope.

  • Statements from top management

    • Regarding commitment to the ISMS and information security requirements

  • Must be communicated to all personnel falling within the ISMS scope.

Top management must be involved in the review and

Organizational Roles, Responsibilities, and Authorities

The responsibility for setting roles and responsibilities

Who needs to define and assign roles and responsibilities?

  • Top management is responsible for ensuring that the responsibilities and roles relating to the ISMS are formally assigned and communicated

  • Formal roles with associated authorities should be mandated to carry out required functions

  • Activities should be formally assigned to individuals to ensure they are performed

What roles or responsibilities are required?

  • Ensuring that the information security management system conforms to the requirements of this international standard

    • Depending on the size and nature of the organization, specifically in terms of the risk profile, you may need a large information security team that manages everything from governance, risk management, compliance, network hardening, incident monitoring and response, and so forth.

    • In smaller organizations, these functions may be required on a much smaller scale, making it possible for a cross-skilled team to manage the roles and responsibilities.

    • Ultimately you need to ensure that the required information security functions are being performed and the appropriate monitoring of these functions is taking place.

    • In many instances, existing staff who are not directly responsible for an information security function may be required to assist in monitoring and reporting on information security performance within their department.

      • For example, the HR team may participate in the ISMS by providing specific metrics pertaining to the HR department, and by ensuring, when new hires join, that the correct paperwork pertaining to user access rights is kept on the user's file, so that when the user leaves the organization the appropriate access rights are terminated (offboarding).

  • Reporting on the performance of the information security management system to top management.

Example of roles

  1. ISMS coordinator/champion (Role and Activity)

    • They will spearhead the ISMS implementation and maintenance project. They would not necessarily do all of the activities alone, and shouldn't, but they would have in-depth knowledge of the ISO 27001 standard, how to implement it, and how to involve the rest of the organization in making this a successful activity.

  2. Information security risk assessment and treatment advising (Activity)

  3. Information security processes and system design (Activity)

  4. Setting standards for the configuration and operation for info security controls (Activity)

  5. Information security incident manager/team (Role and Activity)

  6. Information owners (Role)

  7. Process owners (Role)

  8. Asset Owners (Role)

  9. Risk Owners (Role)

  10. Line Manager (Role)

  11. Information Users (Role)

Documentation of roles

How should these responsibilities be defined?

A RACI chart (Responsible, Accountable, Consulted, Informed) is a good way to depict on one page who the involved parties are, what their functions and responsibilities are, and to what level each party is involved in each function.

Clause 6: Context of Planning

Introduction to information security risk management

  • What are we protecting? information assets

  • What are we protecting these against? Threats

  • What could allow threats to get access to the assets? Vulnerabilities

  • When a threat and a vulnerability exist together, a risk is present. This risk is specific to the security of the information asset, i.e. information security risk.

  • Risk likelihood and impact need to be determined

  • The risk needs to be appropriately treated.

Identification of assets

Identifying assets:

  • ISO 27005 provides great guidance for the steps in information security risk management

  • An asset can be "anything of value to an organization"

  • Value can be monetary or important to business objectives and processes

Understanding asset types

  • Primary Assets

    • Information Assets

    • Business Processes

  • Supporting Assets

    • Usually "Tangible" Assets

    • Often "Contains" or stores information assets

    • E.g. Servers, software, databases, monitors, network components, etc.

Asset Valuation and Impact

  • Valuation

    • Qualitative Approach: Expressed in words - high value, very important, low value, etc.

    • Quantitative Approach: Expressed in monetary terms.

      • Replacement cost + any other costs incurred as a result of loss = value

  • Impact

    • Direct Impact: Financial loss due to replacement costs or a loss of income.

    • Indirect Impact: Asset damage could result in reputational damage, business interruption, etc.

Documentation of assets

  • A list of information Assets

  • One of the controls in Annex A - A.8.1.1

  • Associated asset value

  • Potential impact of asset in terms of damage to CIA

  • Supporting assets or containers (e.g. hardware and software assets)

Identification of Threats

  • What are threats?

    • Man-made (intentional or accidental)

    • Natural (earthquakes, storms, etc.)

    • Environmental (fire, electrical fault, etc.)

  • Common threat actor groups

    • Criminal Syndicates

    • Hacktivists

    • Internal Employees (Accidental)

    • Internal Employees (Disgruntled)

    • Internal Employees (Privileged)

    • External Suppliers

    • Terrorists

Identification of existing controls

  • Statement of applicability

  • Processes and procedures

  • Previous Audits

  • Risk Treatment plans

  • information security, IT, and other staff can provide control input.

Identification of vulnerabilities

  • Vulnerabilities from vulnerability assessments and pentests

  • Control Breakdowns

  • Audit findings

  • Areas where controls haven't yet been implemented

  • Personnel

  • Dependencies on sole personnel or external parties

Identification of consequences

Risk Analysis

Risk Analysis steps

  • Choose a methodology that works for your organization, e.g. IRAM2, NIST 800-37, ISO 27005, etc.

    • Qualitative versus Quantitative or Hybrid Approach

    • During the assessment of the consequences, one tries to better quantify or understand the consequences in terms of the asset value.

    • The assessment of likelihood is quite critical. The best way to gauge likelihood is to look at the history within the organization: has this incident occurred in the past, and if so, how often?

  • Quantify the consequences (impact), e.g. High (3), Medium (2), Low (1)

  • Quantify the likelihood of the incident occurring, e.g. Likely (3), Unlikely (2), Remote (1)

  • Determine the level of risk

Risk analysis methodologies

Likelihood and impact scoring example

Examples of Risk Scoring Methods

  • Classic: Likelihood x Impact

  • CVSS: Uses CVSS metrics to determine a score

  • DREAD: Determines a risk based on Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD)

  • OWASP: Uses two categories of likelihood factors and two of impact factors to determine a score

  • Contributing Risk: Uses one chosen likelihood and a number of weighted factors contributing to impact, e.g. Confidentiality, Integrity and Availability.

The type of risk scoring also depends on the risk quantification methodology you have chosen.

A quantitative approach may be better supported by a more numbers-based scoring method, to support the objectivity and quantitative elements required, while a qualitative approach is always more subjective in nature. However, approaches can be hybridized and blended, as having just one or the other is sometimes not as effective as a combination of both.

Using a tool like SimpleRisk, you can score each risk differently: a more qualitative risk such as a disgruntled employee taking down a server can be scored using the classic method, while a cross-site scripting attack on a web application can be scored using the CVSS or OWASP risk scoring method.

OWASP risk methodology uses 4 factors for rating the likelihood.

  • Threat agent factors

    • Skills Level

    • Motive

    • Opportunity

    • Size

  • Vulnerability Factors

    • Ease of discovery

    • Ease of exploit

    • Awareness

    • Intrusion Detection

  • Technical Impact Factors

    • Loss of confidentiality

    • Loss of integrity

    • Loss of availability

    • Loss of accountability

  • Business Impact Factors

    • Financial Damage

    • Reputation Damage

    • Non-Compliance

    • Privacy Violation
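As an added example (not part of these notes), here is the classic Likelihood x Impact scoring from the risk analysis steps above beside the OWASP Risk Rating computation over the four factor groups just listed, in Python. The 0-9 factor scale, the LOW/MEDIUM/HIGH thresholds and the severity matrix come from OWASP's published methodology rather than from these notes; the banding of the classic 1-9 score and the XSS factor values are assumptions made for the example.

```python
from statistics import mean

# Classic method from the notes: Impact High(3)/Medium(2)/Low(1) times
# Likelihood Likely(3)/Unlikely(2)/Remote(1) gives a 1..9 risk score.
IMPACT = {"high": 3, "medium": 2, "low": 1}
LIKELIHOOD = {"likely": 3, "unlikely": 2, "remote": 1}

def classic_score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def classic_level(score: int) -> str:
    # Banding of the 1..9 score is an assumption; the notes leave it open.
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

# OWASP Risk Rating Methodology (published thresholds, not from the notes):
# every factor is 0-9; likelihood is the mean of the threat-agent and
# vulnerability factors, impact the mean of the technical (or business)
# impact factors; a mean <3 is LOW, <6 MEDIUM, otherwise HIGH.
def owasp_level(score: float) -> str:
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def owasp_likelihood(threat_agent: dict, vulnerability: dict) -> float:
    return mean([*threat_agent.values(), *vulnerability.values()])

def owasp_impact(impact_factors: dict) -> float:
    return mean(impact_factors.values())

# OWASP overall-severity matrix keyed by (impact level, likelihood level).
SEVERITY = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}

def owasp_severity(likelihood: float, impact: float) -> str:
    return SEVERITY[(owasp_level(impact), owasp_level(likelihood))]

# Constructed sample input: the notes' "XSS on a web application" case, with
# factor values chosen for illustration only (not a real assessment).
XSS_THREAT_AGENT = {"skill_level": 6, "motive": 4, "opportunity": 7, "size": 9}
XSS_VULNERABILITY = {"ease_of_discovery": 7, "ease_of_exploit": 5,
                     "awareness": 6, "intrusion_detection": 8}
XSS_TECHNICAL_IMPACT = {"confidentiality": 6, "integrity": 5,
                        "availability": 1, "accountability": 7}

def rate_xss_example() -> tuple:
    # Returns (likelihood, impact, overall severity) for the sample above.
    like = owasp_likelihood(XSS_THREAT_AGENT, XSS_VULNERABILITY)
    impact = owasp_impact(XSS_TECHNICAL_IMPACT)
    return like, impact, owasp_severity(like, impact)
```

With the sample values the likelihood mean is 6.5 (HIGH) and the impact mean 4.75 (MEDIUM), which the matrix combines to an overall "High"; the notes' server-outage example scores Unlikely (2) x High (3) = 6 under the classic method.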

Risk Evaluation

Action to address risks and opportunity

  • Two types of risks to be considered as part of the risk management process:

    • Information security risks directly relating to the loss of CIA of info within ISMS scope

    • Other risks which could affect the outcomes and success of the ISMS, for example top management commitment

General

  • Information security risks must be handled according to your risk management process and satisfy the steps discussed in previous sections.

  • All other risks that could affect the ISMS must be documented.

  • It is also important to show how risks pertaining to the success of the ISMS are being managed.

  • Opportunities that are identified should also be documented. These can be ways in which the ISMS can be made better or more effective, along with how the associated risks should be managed and mitigated throughout the ISMS lifecycle.

Information Security Risk Assessment

Information Security risk treatment

Information Security objectives and plans to achieve

Clause 7: Context of Support

Resources

Competence

Awareness

Communication

Documented Information

Clause 8: Context of Operation

Operational Planning and Control

Information Security Risk Assessment

Information Security Risk Treatment

Clause 9: Context of Performance Evaluation

Monitoring, Measurement, Analysis, and Evaluation

Internal Audit

Management Review

Clause 10: Context of Continual Management

Non-Conformity and Corrective Action

Continual Improvement

Information Security Risk Management

Required Document to support an ISMS

Monitor, Measure and Evaluate Performance

Non-Conformity and the continual improvement cycle
