ISO27001/2 & Cyber Essentials

ISMS Frameworks

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein. The author reserve the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

REFERENCES:

  • ISO/IEC 27001: 2013 & 27002: 2013
  • ISO/IEC 27001: 2022 & 27002: 2022
  • Lead implementer Professional ISO /IEC 27001:2013
  • BSI training materials 
  • Cyber Essentials 
    • https://ce-knowledge-hub.iasme.co.uk/
******************************************************************************************

ISO 27001 & 27002 Notes

What key insights can be gained from learning about ISO 27001:

  • How to create and implement the Information System Management within the organization.
  • Discuss on the Framework based on the ISO 27001
  • Three pillars: Confidentiality, Integrity and Availability


Two words on Knowledge and Skill.
Learning Objectives
Knowledge
  • ISM
  • Benefits of ISM
  • Requirements of 27001
Skill
  • Conduct baseline review: we will get the skills to conduct GAP analysis
  • Will have Implementation skills
  • Explain the concepts of Project management

Information Security management 

What is Information Security management?

Three pillars: [CIA]

  • Confidentiality,
  • Integrity and
  • Availability

Non- Repudiation: 
  • Means cannot be challenged by anybody.
Integrity: of information
  • Means unaltered information. Information cannot be changed in-between end to end.
Information processing facility: 
  • Also need to secure the in-between facility which is processing the information. 
Business Continuity:
  • Business Continuity to some extent will be part of the Information Security Management system. And there will be separate Business continuity and Disaster management.
Life cycle of information:
  • How the information should be discarded. 
Other Benefits Information Security Management [ISM] 
  • Reduce Security incidents, increase staff retention, Protection of brand and reputation, reduce costs of correction, customer retention, etc
Background of ISO 27001 / ISO 27002
  • Framework: Sets of Principle, policy’s, rules, guidelines make a whole framework.
Background of ISO 27001 / ISO 27002
  • Framework: Sets of Principle, policy’s, rules, guidelines make a whole framework.
History of ISO 27001 and ISO 27002

  • BSI started in 1901, wanted to start Tube railways and floated in tender. The big problem was getting 5 different plans which had different dimensions. This created the problem that they are not compatible within each other. 
  • BS7799 :1995: - British standards published in 1995 
  • 2005: ISO re- nomenclature and published the 27001 by getting from BS.

Difference b/w to 27001 and 27002:

  • 27001: What has to be done.
  • 27002: How it has to be done: - Implementation guideline:

ISO 27001

Clause 4: Context of the organization

  • What are: - Internal Issue, External issue and Interested parties?
  • Interested parties: Promoters or Shareholders, Employees, Government, neighbours, customers, vendors, etc.
  • Internal issue: When there are internal strikes.
  • External issue: Government regulatory compliance
  • Here boundaries are set for the rules and boundaries.
  • e.g.: in Some countries security guards will be present to collect the ID proof and registry entry is made. The same company operating in JAPAN has no security guard. Since there is no practice of security guards in JAPAN.

PDCA and ISMS:

  • Plan
    • requirements: - 
    • Clause 4 Context of the org. / 
    • 5 leadership / 
    • 6 Planning / 
    • 7 Support
  • DO: 
    • implement: - 
    • Clause 8 Operation
  • Check: 
    • Audits/ gaps/ managements review: - 
    • Clause 9 Performance evaluation
  • Act
    • Results/ improvement: - 
    • Clause 10 Improvement

Legal, regulatory and contractual:

  • Regulatory Body: - RBI is the regulatory Body, SEBI regulatory for Stock exchanges Legal:
  • Requirements from the government Contract: requirements which are passed on by working with clients which are laid upon by the regulatory body. 
  • Statutory and regulatory requirements: As an ISMS manager: just telling them to follow. 
  • Do not be a SME in Statutory field to implement ISMS. 
  • Show what are the list of Statutory and regulatory requirements you are adhered to.

Captive environment: 

working under other organization: - Policies, regulation, contractual terms will be passed on to the vendor organization also. 
  • Shall means mandatory
  • May means optional

Clause 4 Context of the organization

4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system

Clause 5 Leadership

5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities

  • Top management should create and provide resources,
  • Create security Policy, security objectives

Clause 6 Planning

6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment
  • NOTE 1 Organizations can design controls as required, or identify them from any source.
  • NOTE 2 Annex A contains a list of possible information security controls. Users of this document are
  • directed to Annex A to ensure that no necessary information security controls are overlooked.
  • NOTE 3 The information security controls listed in Annex A are not exhaustive and additional information
  • security controls can be included if needed.
6.2 Information security objectives and planning to achieve them

Objective should be Measurable or quantitative and Monitored year on year basis
E.g., Objective
  • Zero security data breach
  • 100 % compliance to infosec audit
  • As per policy all the employees will change the password every 90 days
  • 100% of pen-testing to happen for all the projects in every quarter.
  • 98% of awareness of Infosec training has to be completed by the vendors

6.3 Planning of changes

Clause 7 Support

  • 7.1 Resources
  • 7.2 Competence
    • By three ways: Education arranging training and Experience
  • 7.3 Awareness
    • Senior management has to create awareness about Information security among the employees.
  • 7.4 Communication
  • 7.5 Documented information

Clause 8 Operation 

Clause 8 is also the DO part from PDCA
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment

Clause 9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
  • Here Monitoring and measurement is done.
  • The Objectives which are identified earlier will be monitored and measured.
  • These audits internal and external are conducted
  • Documentation must be maintained
Internal Audit
  • Conformance and non – conformance 
  • As an external auditor will look into the internal NC’s are reported and closed. 

Clause 10 Improvement 

10.1 Nonconformity and corrective action
10.2 Continual improvement
****************************

PDCA: Matrix

PLAN:
4 Context of the organization
  • Understanding of context.
  • Expectations of interested parties.
  • Scope and ISMS.
5 Leadership
  • Management commitment.
  • IS policy.
  • Roles, responsibilities and authorities.
6 Planning
  • Actions to address risk and opportunity.
  • Infosec objectives.
7 Support
  • Resources.
  • Competence.
  • Awareness.
  • Communication.
  • Documented Information.

DO:
8 Operation
  • Operational planning and control.
  • Risk assessment.
  • Risk treatment.
CHECK:
9 Performance and Evaluation
  • Monitoring, measurement, analysis and evaluation.
  • Internal audit.
  • Management review.
ACT:
10 Improvement
  • Nonconformity and corrective action.
  • Continual improvement.
****************************************************

ISO 27002 : 2022

Controls are Grouped Under:

  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls

5. Organizational controls 

5.1. Policies for information security
5.2. Information security roles and responsibilities
5.3. Segregation of duties
5.4. Management responsibilities
5.5. Contact with authorities
5.6. Contact with special interest groups
5.7. Threat intelligence
5.8. Information security in project management
5.9. Inventory of information and other associated assets
5.10. Acceptable use of information and other associated assets
5.11. Return of assets
5.12. Classification of information
5.13. Labelling of information
5.14. Information transfer
5.15. Access control
5.16. Identity management
5.17. Authentication information
5.18. Access rights
5.19. Information security in supplier relationships
5.20. Addressing information security within supplier agreements
5.21. Managing information security in the ICT supply chain
5.22. Monitoring, review and change management of supplier services 
5.23. Information security for use of cloud services
5.24. Information security incident management planning and preparation
5.25. Assessment and decision on information security events
5.26. Response to information security incidents
5.27. Learning from information security incidents
5.28. Collection of evidence
5.29. Information security during disruption
5.30.  Information and communication technology (ICT) readiness for business continuity
5.31. Legal, statutory, regulatory and contractual requirements
5.32. Intellectual property rights
5.33. Protection of records
5.34. Privacy and protection of personally identifiable information (PII)
5.35. Independent review of information security
5.36. Compliance with policies, rules and standards for information security
5.37. Documented operating procedures

6. People controls 

6.1. Screening
6.2. Terms and conditions of employment
6.3. Information security awareness, education and
training
6.4. Disciplinary process
6.5. Responsibilities after termination or change of
employment
6.6. Confidentiality or non-disclosure agreements
6.7. Remote working
6.8. Information security event reporting

7. Physical controls 

7.1. Physical security perimeter
7.2. Physical entry
7.3. Securing offices, rooms and facilities
7.4. Physical security monitoring
7.5. Protecting against physical and environmental
threats
7.6. Working in secure areas
7.7. Clear desk and clear screen
7.8. Equipment siting and protection
7.9. Security of assets off-premises 
7.10. Storage media
7.11. Supporting utilities
7.12. Cabling security
7.13. Equipment maintenance
7.14. Secure disposal or re-use of equipment 

8. Technological controls 

8.1. User endpoint devices
8.2. Privileged access rights
8.3. Information access restriction
8.4. Access to source code
8.5. Secure authentication
8.6. Capacity management
8.7. Protection against malware
8.8. Management of technical vulnerabilities
8.9. Configuration management
8.10. Information deletion
8.11. Data masking
8.12. Data leakage prevention
8.13. Information backup
8.14. Redundancy of information processing facilities
8.15. Logging
8.16. Monitoring activities
8.17. Clock synchronization
8.18. Use of privileged utility programs
8.19. Installation of software on operational systems
8.20. Network security
8.21. Security of network services
8.22. Segregation of networks 
8.23. Web filtering
8.24. Use of cryptography
8.25. Secure development life cycle
8.26. Application security requirements
8.27. Secure system architecture and engineering
principles
8.28. Secure coding
8.29. Security testing in development and acceptance
8.30. Outsourced development
8.31. Separation of development, test and production
environments
8.32. Change management
8.33. Test information
8.34. Protection of information systems during audit
testing 

Annexes Contains as below:

  • The matrix control of attributes is available in Annex Table "A.1", which can be filtered based on specific requirements. For instance, Table A.2 demonstrates an example of creating a view by filtering with a particular attribute value, such as #Corrective.
    • Control types (#Preventive, #Detective, #Corrective)
    • Information security properties (#Confidentiality, #Integrity, #Availability)
    • Cybersecurity concepts (#Identify, #Protect, #Detect, #Respond, #Recover)
    • Operational capabilities (#Governance, #Asset_management, #Information_protection, #Human_resource_security,   #Physical_security,   #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management,           #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance)
    • Security domains (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience)

  • Mapping of 2022 controls are mapped with 2013 under Annex B of the document Table B.1.
  • mapping of 2013 controls are mapped with 2022 under Annex B of the document Table B.2
***********************************************************************************************

Matrix Control Type :- Preventive, Detective; Corrective:



ISO/IEC 27002 control identifier

Control name

Control type

Information security properties

Cybersecurity concepts

Operational capabilities

Security domains

5.1

Policies for information security

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Governance

#Governance_ and_Ecosys- tem #Resil- ience

5.2

Information security roles and responsi- bilities

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Governance

#Govern- ance_and_ Ecosystem#Protection#Resilience

5.3

Segregation of duties

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Governance #Identity_and_access_man-agement

#Governance_ and_Ecosys- tem

5.4

Management responsibili- ties

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Governance

#Governance_ and_Ecosys- tem

5.5

Contact with authorities

#Preventive #Corrective

#Confidentiality #Integrity #Availability

#Identify #Protect #Respond #Recover

#Governance

#Defence #Re- silience

5.6

Contact with special inter- est groups

#Preventive #Corrective

#Confidentiality #Integrity #Availability

#Protect#Respond #Recover

#Governance

#Defence

5.7

Threat intelli- gence

#Preventive #Detective #Corrective

#Confidentiality #Integrity #Availability

#Identify #Detect #Respond

#Threat_and_ vulnerability_ management

#Defence #Re- silience

5.8

Information security in project man- agement

#Preventive

#Confidentiality #Integrity #Availability

#Identify #Protect

#Governance

#Governance_ and_Ecosys- tem #Protec- tion

5.9

Inventory of information and other associated assets

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Asset_man-agement

#Governance_ and_Ecosys- tem #Protec- tion

5.10

Acceptable use of information and other associated assets

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Asset_man-agement#Information_protection

#Governance_ and_Ecosys- tem #Protec- tion

5.11

Return ofassets

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Asset_man-agement

#Protection

5.12

Classification of information

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Information_protection

#Protection#Defence

5.13

Labelling of information

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Information_protection

#Defence#Protection

5.14

Information transfer

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Asset_man-agement#Information_protection

#Protection

5.15

Access control

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Identity_and_ access_man- agement

#Protection

5.16

Identity man-agement

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Identity_and_ access_man- agement

#Protection

5.17

Authentication information

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Identity_and_ access_man- agement

#Protection

5.18

Access rights

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Identity_and_ access_man- agement

#Protection

5.19

Information security in supplier rela- tionships

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Supplier_re- lationships_se- curity

#Governance_ and_Ecosys- tem #Protec- tion

5.20

Addressing information security with- in supplier agreements

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Supplier_re- lationships_se- curity

#Governance_ and_Ecosys- tem #Protec- tion

5.21

Managing information security in the ICT supply chain

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Supplier_re- lationships_se- curity

#Governance_ and_Ecosys- tem #Protec- tion

5.22

Monitor- ing, review and change management of supplier services

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Supplier_re- lationships_se- curity

#Governance_ and_Ecosys- tem #Protec- tion #Defence#Information_ security_as- surance

5.23

Information security for use of cloud services

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Supplier_re- lationships_se- curity

#Governance_ and_Ecosys- tem #Protec- tion

5.24

Information security inci- dent manage- ment planning and prepara- tion

#Corrective

#Confidentiality #Integrity #Availability

#Respond #Recover

#Governance#Informa-tion_securi-ty_event_man-agement

#Defence

5.25

Assessment and decision on informa- tion security events

#Detective

#Confidentiality #Integrity #Availability

#Detect #Respond

#Informa- tion_securi- ty_event_man- agement

#Defence

5.26

Response to information security inci- dents

#Corrective

#Confidentiality #Integrity #Availability

#Respond #Recover

#Informa- tion_securi- ty_event_man- agement

#Defence

5.27

Learning from information security inci- dents

#Preventive

#Confidentiality #Integrity #Availability

#Identify #Protect

#Informa- tion_securi- ty_event_man- agement

#Defence

5.28

Collection of evidence

#Corrective

#Confidentiality #Integrity #Availability

#Detect #Respond

#Informa- tion_securi- ty_event_man- agement

#Defence

5.29

Information security dur- ing disruption

#Preventive #Corrective

#Confidentiality #Integrity #Availability

#Protect #Respond

#Continuity

#Protection#Resilience

5.30

ICT readiness for business continuity

#Corrective

#Availability

#Respond

#Continuity

#Resilience

5.31

Legal, statuto- ry, regulatory and contrac- tual require- ments

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Legal_and_compliance

#Governance_ and_Ecosys- tem #Protec- tion

5.32

Intellectual property rights

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Legal_and_compliance

#Governance_ and_Ecosys- tem

5.33

Protection of records

#Preventive

#Confidentiality #Integrity #Availability

#Identify #Protect

#Legal_and_compliance#Asset_man-agement#Information_protection

#Defence

5.34

Privacy and protection of PII

#Preventive

#Confidentiality #Integrity #Availability

#Identify #Protect

#Information_protection#Legal_and_compliance

#Protection

5.35

Independent review of information security

#Preventive #Corrective

#Confidentiality #Integrity #Availability

#Identify #Protect

#Information_ security_as- surance

#Governance_ and_Ecosys- tem

5.36

Compliance with policies, rules and standards for information security

#Preventive

#Confidentiality #Integrity #Availability

#Identify #Protect

#Legal_and_compliance#Information_security_as-surance

#Governance_ and_Ecosys- tem

5.37

Documented operating procedures

#Preventive #Corrective

#Confidentiality #Integrity #Availability

#Protect #Recover

#Asset_man-agement#Physi-cal_security#System_and_network_secu-rity #Applica-tion_security#Secure_con-figuration#Identity_and_access_management#Threat_and_vulnerability_management#Continuity#Informa-tion_securi-ty_event_man-agement

#Governance_ and_Ecosys- tem #Protec- tion #Defence

6.1

Screening

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Human_re- source_secu- rity

#Governance_ and_Ecosys- tem

6.2

Terms and conditions of employment

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Human_re- source_secu- rity

#Governance_ and_Ecosys- tem

6.3

Information security awareness, education and training

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Human_re- source_secu- rity

#Governance_ and_Ecosys- tem

6.4

Disciplinary process

#Preventive #Corrective

#Confidentiality #Integrity #Availability

#Protect #Respond

#Human_re- source_secu- rity

#Governance_ and_Ecosys- tem

6.5

Responsi- bilities after termination or change of employment

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Human_re- source_secu- rity #Asset_ management

#Governance_ and_Ecosys- tem

6.6

Confidentiality or non-disclosure agreements

#Preventive

#Confidenti-ality

#Protect

#Human_re- source_secu- rity #Infor- mation_pro- tection#Supplier_re-lationships

#Governance_ and_Ecosys- tem

6.7

Remote working

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Asset_man-agement#Information_protection#Physical_se-curity #Sys-tem_and_net-work_security

#Protection

6.8

Information security event reporting

#Detective

#Confidentiality #Integrity #Availability

#Detect

#Informa- tion_securi- ty_event_man- agement

#Defence

7.1

Physical security perimeters

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se-curity

#Protection

7.2

Physical entry

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se- curity #Iden- tity_and_Ac- cess_Manage- ment

#Protection

7.3

Securing offices, rooms and facilities

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se- curity #Asset_ management

#Protection

7.4

Physical security monitoring

#Preventive #Detective

#Confidentiality #Integrity #Availability

#Protect #Detect

#Physical_se-curity

#Protection#Defence

7.5

Protect-ing againstphysical andenvironmentalthreats

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se-curity

#Protection

7.6

Working insecure areas

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se-curity

#Protection

7.7

Clear desk and clear screen

#Preventive

#Confidenti-ality

#Protect

#Physical_se-curity

#Protection

7.8

Equipment siting and protection

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se- curity #Asset_ management

#Protection

7.9

Security of as- sets off-prem- ises

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se- curity #Asset_ management

#Protection

7.10

Storage media

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se- curity #Asset_ management

#Protection

7.11

Supporting utilities

#Preventive #Detective

#Integrity #Availability

#Protect #Detect

#Physical_se-curity

#Protection

7.12

Cabling secu-rity

#Preventive

#Confidentiality #Availability

#Protect

#Physical_se-curity

#Protection

7.13

Equipment maintenance

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Physical_se- curity #Asset_ management

#Protection#Resilience

7.14

Secure dispos- al or re-use of equipment

#Preventive

#Confidenti-ality

#Protect

#Physical_se- curity #Asset_ management

#Protection

8.1

User endpoint devices

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Asset_man-agement#Information_protection

#Protection

8.2

Privileged access rights

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Identity_and_ access_man- agement

#Protection

8.3

Information access restric- tion

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Identity_and_ access_man- agement

#Protection

8.4

Access to source code

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Identity_ and_access_ management#Applica-tion_security#Secure_con-figuration

#Protection

8.5

Secure authen-tication

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Identity_and_ access_man- agement

#Protection

8.6

Capacity man-agement

#Preventive #Detective

#Integrity #Availability

#Identify #Protect #Detect

#Continuity

#Governance_ and_Ecosys- tem #Protec- tion

8.7

Protection against mal- ware

#Preventive #Detective #Corrective

#Confidentiality #Integrity #Availability

#Protect #Detect

#System_and_ network_secu- rity #Informa- tion_protec- tion

#Protection#Defence

8.8

Management of technical vulnerabilities

#Preventive

#Confidentiality #Integrity #Availability

#Identify #Protect

#Threat_and_ vulnerability_ management

#Governance_ and_Ecosys- tem #Protec- tion #Defence

8.9

Configuration management

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Secure_con-figuration

#Protection

8.10

Informationdeletion

#Preventive

#Confidenti-ality

#Protect

#Information_protection#Legal_and_compliance

#Protection

8.11

Data masking

#Preventive

#Confidenti-ality

#Protect

#Information_protection

#Protection

8.12

Data leakageprevention

#Preventive #Detective

#Confidenti-ality

#Protect #Detect

#Information_protection

#Protection#Defence

8.13

Information backup

#Corrective

#Integrity #Availability

#Recover

#Continuity

#Protection

8.14

Redundancyof informationprocessingfacilities

#Preventive

#Availability

#Protect

#Continuity#Asset_man-agement

#Protection#Resilience

8.15

Logging

#Detective

#Confidentiality #Integrity #Availability

#Detect

#Informa- tion_securi- ty_event_man- agement

#Protection#Defence

8.16

Monitoring activities

#Detective #Corrective

#Confidentiality #Integrity #Availability

#Detect #Respond

#Informa- tion_securi- ty_event_man- agement

#Defence

8.17

Clock synchro-nization

#Detective

#Integrity

#Protect #Detect

#Informa- tion_securi- ty_event_man- agement

#Protection#Defence

8.18

Use of privi- leged utility programs

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#System_and_ network_secu- rity #Secure_ configuration#Application_security

#Protection

8.19

Installation of software on operational systems

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Secure_con-figuration#Application_security

#Protection

8.20

Networkssecurity

#Preventive #Detective

#Confidentiality #Integrity #Availability

#Protect #Detect

#System_and_ network_secu- rity

#Protection

8.21

Security of network ser- vices

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#System_and_ network_secu- rity

#Protection

8.22

Segregation ofnetworks

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#System_and_ network_secu- rity

#Protection

8.23

Web filtering

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#System_and_ network_secu- rity

#Protection

8.24

Use of cryp-tography

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Secure_con-figuration

#Protection

8.25

Secure devel- opment life cycle

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Applica-tion_security#System_and_network_secu-rity

#Protection

8.26

Application security re- quirements

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Applica-tion_security#System_and_network_secu-rity

#Protection#Defence

8.27

Secure system architecture and engineer- ing principles

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Applica-tion_security#System_and_network_secu-rity

#Protection

8.28

Secure coding

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Applica-tion_security#System_and_network_secu-rity

#Protection

8.29

Security testing in de- velopment and acceptance

#Preventive

#Confidentiality #Integrity #Availability

#Identify

#Applica-tion_security#Informa-tion_securi-ty_assurance#System_and_network_secu-rity

#Protection

8.30

Outsourced development

#Preventive #Detective

#Confidentiality #Integrity #Availability

#Identify #Protect #Detect

#System_and_ network_secu- rity #Applica- tion_security#Supplier_re- lationships_se- curity

#Governance_ and_Ecosys- tem #Protec- tion

8.31

Separation of develop- ment, test and production environments

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Applica-tion_security#System_and_network_secu-rity

#Protection

8.32

Change man-agement

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#Applica-tion_security#System_and_network_secu-rity

#Protection

8.33

Test informa- tion

#Preventive

#Confidentiality #Integrity

#Protect

#Information_protection

#Protection

8.34

Protection of informa- tion systems during audit testing

#Preventive

#Confidentiality #Integrity #Availability

#Protect

#System_and_ network_secu- rity #Informa- tion_protec- tion

#Governance_ and_Ecosys- tem #Protec- tion

Matrix Group under Common Terminologies:


Category

Related Controls

Description

1. Information Security Governance and Policies

5.01, 5.02, 5.03, 5.04, 5.35, 5.36

Policies, roles, and responsibilities for maintaining information security. Governance and compliance reviews.

2. Information Asset Management

5.09, 5.10, 5.11, 5.12, 5.13, 8.10, 8.11, 5.33

Managing information assets, asset inventory, classification, and labelling. Asset disposal and protection of records.

3. Access Control and Identity Management

5.15, 5.16, 5.17, 5.18, 8.02, 8.03, 8.05

Managing access rights, identity verification, and secure authentication. Controlling access to sensitive information.

4. Supplier and External Party Management

5.19, 5.20, 5.21, 5.22, 8.30

Ensuring information security in relationships with suppliers and service providers. Managing risks in the supply chain.

5. Incident Management and Response

5.24, 5.25, 5.26, 5.27, 5.28, 6.08

Incident response planning, handling security incidents, learning from them, and managing evidence collection.

6. Business Continuity and Resilience

5.29, 5.30, 8.13, 8.14

Ensuring business continuity during disruptions. Backup and redundancy of information processing.

7. Compliance and Legal Obligations

5.31, 5.32, 5.34

Compliance with legal, regulatory, and contractual requirements. Protection of personal and intellectual property information.

8. Physical and Environmental Security

7.01, 7.02, 7.03, 7.04, 7.05, 7.06, 7.07, 7.08, 7.09, 7.10, 7.11, 7.12, 7.13, 7.14

Securing the physical environment, facilities, equipment, and utility support. Protection from physical and environmental threats.

9. User and Employment Security

6.01, 6.02, 6.03, 6.04, 6.05, 6.06, 6.07

Ensuring employee-related information security, including screening, training, and responsibilities during and after employment.

10. System and Network Security

8.07, 8.08, 8.09, 8.06, 8.18, 8.19, 8.20, 8.21, 8.22, 8.23

Securing systems, networks, and applications from malware, vulnerabilities, and other threats. Network segregation, configuration, and software installation controls.

11. Logging and Monitoring

8.15, 8.16, 8.17

Monitoring and logging activities, including clock synchronization to ensure accurate logs.

12. Cryptography and Data Protection

8.24, 8.12

Encryption and cryptography use, as well as protection against data leakage.

13. Secure Development and Testing

8.04, 8.25, 8.26, 8.27, 8.28, 8.29, 8.31, 8.33

Security in development, testing, and coding. Separation of environments and secure application lifecycle management.

14. Change and Audit Management

8.32, 8.34

Change management and protecting systems during audits. Ensuring smooth transitions and minimal risk during audits.

15. Threat Intelligence and External Relations

5.07, 5.05, 5.06

Monitoring and addressing external threats, including contacts with authorities and interest groups.

16. Cloud Security

5.23

Managing security related to the use of cloud services.



************************************************************************************************

Cyber Essentials

The Five Controls

  • Firewalls
  • Secure Configuration
  • Security Update Management
  • User Access Control
  • Malware Protection

Firewalls

  • using strong passwords
  • enabling your firewall
  • securing your router

Secure Configuration

  • Remove or disable unused software
  • Device locking
  • Disable auto-play and autorun
  • Correctly configure open ports
  • Remote Desktop Protocol-port 3389

Security Update Management

  • All software must be supported with regular security updates
    • Operating System (OS)
    • Firmware (in firewalls and routers)
    • Web browser and extensions
    • All applications
    • Antivirus
    • Hypervisors
  • Unsupported / legacy/ end of life software 
  • Vulnerability fixes
    • Described  as 'critical' or 'high risk'
    • All critical and high risk updates or updates with no details provided must be installed within 14 days of release by the vendor

User Access Control

  • Separate accounts for each user with no shared accounts 
  • An administrator
  • A regular user
  • Delete accounts that are not used
  • Account creation and tracking processes 
  • Strong unique passwords 
  • One password for one account
  • Password policy
  • Turn on multi-factor authentication

Malware Protection

  • Malware is continually evolving so make sure your malware protection software is set up and configured in line with the vendors best practice.
  • Malware signature detection 
  • Heuristic detection
  • Protect mobile devices 




************************************************************************************************

Lead Implementer Training ISO 27001

DAY 01:


Training will be 4 days and what will take away from this Training. 

  1. How to create and implement the Information System Management within the organization.
  2. Discuss on the Framework based on the ISO 27001
  3. Three pillars: Confidentiality, Integrity and Availability

Two words on Knowledge and Skill. 

Learning Objectives 



Information Security management 


What is Information Security management?


  • Three pillars: Confidentiality, Integrity and Availability [CIA]

Non- Repudiation: 

  • Means cannot be challenged by anybody.

Integrity: of information: 

Means unaltered information. Information cannot be changed in-between end to end.

Information processing facility: 

  • Also need to secure the in-between facility which is processing the information. 

Business Continuity:

  • Business Continuity to some extent will be part of the,
    • Information Security Management system And there will be separate Business continuity and Disaster management.

Life cycle of information:

  • How the information should be discarded. 

Other Benefits Information Security Management [ISM] 

  • Reduce Security incidents, increase staff retention, Protection of brand and reputation, reduce costs of correction, customer retention, etc

Activity 2

Why is Information security management important within the organization?

  • To protect user’s data
  • To comply with Government Norms
  • To have control over the data management  

Some information Security facts 

  • Stats:
  • 83% of org see damages to the org reputation as the biggest concern
  • 93% - had staff related breaches.
  • 51.6% - reduced security incidents from certified org
  • 49% - lack of budget to improve Info security
  • 15% - of small business detected breach

    Activity 3

    • What Needs to be managed in a Information Security Management system?
    • Data, Physical assets, People Assets, etc

    Background of ISO 27001 / ISO 27002

    • Framework: Sets of Principle, policy’s, rules, guidelines make a whole framework.

    Who was Involved in its development?

    • ISO International Organization for Standardization
    • IEC International Electrotechnical Commission

    History of ISO 27001 and ISO 27002

    • BSI started in 1901, wanted to start Tube railways and floated in tender. The big problem was getting 5 different plans which had different dimensions. This created the problem that they are not compatible within each other.
    • BS7799 :1995: - British standards published in 1995
    • 2005: ISO re- nomenclature and published the 27001 by getting from BS.

    Difference b/w to 27001 and 27002:

    • 27001: What has to be done.
    • 27002: How it has to be done: - Implementation guideline:
    ***************************************************************

    ISO 27001: 2013


    4: Context of the organization

    • What are: - Internal Issue, External issue and Interested parties?
    • Interested parties: Promoters or Shareholders, Employees, Government, neighbours, customers, vendors, etc.
    • Internal issue: When there are internal strikes.
    • External issue: Government regulatory compliance
    • Here boundaries are set for the rules and boundaries.
    • e.g.: in India security guards will be present to collect the ID proof and registry entry is made. The same company operating in JAPAN has no security guard. Since there is no practice of security guards in JAPAN.

    PDCA and ISMS:

    • Plan : requirements: - Clause 4 Context of the org. / 5 leadership / 6 Planning / 7 Support
    • DO : implement: - Clause 8 Operation
    • Check : Audits/ gaps/ managements review: - Clause 9 Performance evaluation
    • Act : Results/ improvement: - Clause 10 Improvement

    Requirements for Implementation of ISMS: 

    • comes from the interested parties, this will like defining the Scope and limits & boundaries. 

    Activity 5

    Terms and Definitions




    Legal, regulatory and contractual:

    • Regulatory Body: - RBI is the regulatory Body, SEBI regulatory for Stock exchanges
    • Legal: Requirements from the government
    • Contract: requirements which are passed on by working with clients which are laid upon by the regulatory body.

    Statutory and regulatory requirements:

    • As an ISMS manager: just telling them to follow. Do not be a SME in Statutory field to implement ISMS. Show what are the list of Statutory and regulatory requirements you are adhered to.
    • Captive environment:
    • working under other organization: - Policies, regulation, contractual terms will be passed on to the vendor organization also.

    4 Context of the organization

    • 4.1 Understanding the organization and its context
    • 4.2 Understanding the needs and expectations of interested parties
    • 4.3 Determining the scope of the information security management system
    • 4.4 Information security management system

    Shall means mandatory

    May means optional


    5 Leadership

    • Leadership and commitment 
    • Policy
    • Organizational roles, responsibilities and authorities

    Top management should create and provide resources,

    Create security Policy, security objectives 

    Activity 7

    Directions:

    As directed by your tutor, consider clause 5 and in particular sub-clause 5.1 and identify

    which leadership/commitment behaviours and competencies, with respect to information

    security management, you would expect from the organization provided

    ****************************************************************

    DAY 02:

    6 Planning

    • 6.1 Actions to address risks and opportunities
    • 6.1.1 General
    • 6.1.2 Information security risk assessment
    • 6.1.3 Information security risk treatment
    • 6.2 Information security objectives and planning to achieve them


    Notes: 

    Step 1: Try to identify Information asset

    1. Terms: 
      1. Vulnerability, probability, Risk Assessment, Risk Treatment Plan, Risk Rating, Security Control, Statement of applicability.
    2. Information assert: Try to identify Information assert
    3. Try to quantify the asset, which are high value and low value.
    4. Quantify based on CIA
    5. E.g., Rate the asset based on the scale 1, 2 & 3 to create asset value. 
    6. E.g., Formula for asset value; like: C + I + A = asset value
    7. E.g., Confidentiality: when assert is public scale is 1



    Step 2: Risk identification/ analysis

    1. Risk rating associated with the assert value
    2. Probability with risk rating
    3. How the Vulnerability is the probability increases.
    4. For every risk there can be any opportunity.

    Step 3: Risk Treatment Plan [RTP]

    1. Risk Avoid or termination, Risk Accept, Risk Share or transfer
    2. Risk Transfer: 
      1. E.g., Cell phone tower: where there will be backup generators -the diesel will be stolen or wastage. They transferred to vendors to look into the DC backups.
    3. Risk Treatment:
      1. Lowering the risk / means reducing the Vulnerability
    4. Threat and Vulnerability
      1. Threat: earthquakes are threat; hackers are threat
    5. Vulnerability are gaps in the system, through which problem can arise. 
    6. Residual risk:
      1. Left over risk and risk owner must be identified for residual risk
    7. ISMS Manager: Risk treatment
      1. When Mitigation plan is implemented and lowering the risk probability 
    8. Risk owner is equal to asset owner
      1. RTP: have to lower the risk from higher risk
    *******

    How Risk Treatment Plan is done using the Controls found in the Annexe A

    A.5 Information security policies
    A.6 Organization of information security
    A.7 Human resource security
    A.8 Asset management
    A.9 Access control
    A.10 Cryptography
    A.11 Physical and environmental security
    A.12 Operations security
    A.13 Communications security
    A.14 System acquisition, development and maintenance
    A.15 Supplier relationships
    A.16 Information security incident management
    A.17 Information security aspects of business continuity management
    A.18 Compliance

    Annex A 2013 has: -


    14 Security clause headings
    35 security categories 
    114 controls

    The statement of applicability is these are the control which will be used and not used. The justification has to be given why it is used and why not used, for treating the RISK in the organization.

    6.2 Information security objectives and planning to achieve
    them
    Objective means: to achieve the target or
    goals 
     Objective should be Measurable or quantitative and
     Monitored year on year basis 
    E.g., Objective 
    • Zero security data breach
    • 100 % compliance to infosec audit
    • As per policy all the employees will change the
    • password every 90 days
    • 100% of pen-testing to happen for all the projects in
    • every quarter.
    • 98% of awareness of Infosec training has to be completed by the vendors

    Clause 7 Support


    Top management will provide the support.


    7.2 Competence By three ways: Education arranging training and Experience
    7.3 Awareness
    Senior management has to create awareness about Information security among the employees.
    7.4 Communication
    7.5 Documented information

    Clause 8 Operation


    Clause 8 is also the DO part from PDCA

    8.1 Operational planning and control

    8.2 Information security risk assessment

    8.3 Information security risk treatment


    Activity 6

    Problem Statement:

    Organization A: An IT Support and Services Provider. The organization’s purpose is to provide IT support and hosting services to both public and private sector organizations.

    Internal Issues: 

    Directions, Part 1:

    As directed by your tutor, consider your assigned organization
    and identify some probable internal issues and external issues that are relevant to its purpose as well as interested parties relevant to the ISMS. Individually write down that needs to be shared as required.

    Points Discussed: 



    Interested parties:
    Customer
    Top management
    Employees

    Internal Issues: -
    Down time of the service should not exceed less than 1HR.

    RISK:
    Customer satisfaction going down
    Financial loss
    Appropriate access control to be provided for intended parties

    RISK:
    Confidentiality of the data not maintained.
    Awareness of ISMS policy should not reduce less 95%.

    RISK:
    Not meeting the STD requirement of ISO 27001
    Reducing in Bandwidth of internet will impact services.

    RISK:
    Availability of hosted services is impacted

    External Issues: -
    Zero security breaches in the Cloud Framework.
    Adherence to Government norms for protecting data.


    Clause 9 Performance evaluation

    9.1 Monitoring, measurement, analysis and evaluation

    9.2 Internal audit

    9.3 Management review


    Here Monitoring and measurement is done.
    The Objectives which are identified earlier will be monitored and measured.
    These audits internal and external are conducted
    Documentation must be maintained

    Internal Audit
    Conformance and non – conformance

    As an external auditor will look into the internal NC’s are reported and closed.

    Activity 11

    Clause 10 Improvement 

    10.1 Nonconformity and corrective action

    10.2 Continual improvement


    Read the standards 27001 and 27002

    Remaining activities to be completed 

    Annexure A has to be read. 


    A.5 Information security policies

    A.5.1 Management direction for information security

    A.5.1.1 Policies for information security

    A.5.1.2 Review of the policies for information security

    A.6 Organization of information security

    A.6.1 Internal organization

    A.6.1.1 Information security roles and responsibilities

    A.6.1.2 Segregation of duties

    A.6.1.3 Contact with authorities

    A.6.1.4 Contact with special interest groups

    A.6.1.5 Information security in project management

    A.6.2 Mobile devices and teleworking

    A.6.2.1 Mobile device policy

    A.6.2.2 Teleworking

    A.7 Human resource security

    A.7.1 Prior to employment

    A.7.1.1 Screening

    A.7.1.2 Terms and conditions of employment

    A.7.2 During employment

    A.7.2.1 Management responsibilities

    A.7.2.2 Information security awareness, education and training

    A.7.2.3 Disciplinary process

    A.7.3 Termination and change of employment

    A.7.3.1 Termination or change of employment responsibilities

    A.8 Asset management

    A.8.1 Responsibility for assets

    A.8.1.1 Inventory of assets

    A.8.1.2 Ownership of assets

    A.8.1.3 Acceptable use of assets

    A.8.1.4 Return of assets

    A.8.2 Information classification

    A.8.2.1 Classification of information

    *******************************************************************************

    Day 03:


    Activity 14:




    Implementing a Management System:


    Stage 1: Where we are


    Gap analysis:
    Top management interest
    Understanding requirements. Legal and guidance.
    Baseline review, Gantt chart & resource requirements
    Approve & communicate implement plan

    Baseline: is a reference point.

    Baseline for awareness:
    information related to Information Security management has to be made aware by making them take exams.


    Baseline for competence:
    Baseline is 30% must be implementer and rest 70% should be aware of ISMS

    Gantt Chart:
    It is a Microsoft Project Plan and WBS.

    Resources Requirements:
    E.g., for a bank one ISMS Manager would be recruited.
    Stage 2: Implement & Operate


    Fill in the gaps:
    Implement and operate the plan

    Stage 3: Manage & improve
    Any Improvement from filling the gap
    Refer to the page 73 from the file [02 slide*.PDF]

    Baseline creation / Review:
    Identify the minimum document requirements

    Baseline Gap analysis


    Process: is the key for the organization to last for centuries


    Activity 16: Holistic Implementation process

    Plan : requirements: - Clause 4 Context of the org. / 5 leadership / 6 Planning / 7 Support

    DO : implement: - Clause 8 Operation

    Check : Audits/ gaps/ managements review: - Clause 9 Performance evaluation

    Act : Results/ improvement: - Clause 10 Improvement





    Documented Information

    Required documented information

    Control of documentation information 


    Activity 17:




    Baseline Gap Analysis

    Exercises Activity 18: home work


    Activity 19: Create Gantt Chart

    Create a Excel and do the Gantt chart


    Context Of the Organization:

    Scope:
    Exercise: 22 & 23

    Define the scope: Decide of the organization

    Call Centre: 50 to 100 people will be working, for Airtel, dealing with customers of the Airtel 

    Telecom Company:  SIM CARD

    Department: 

    It Network Department, HR Department, Telecom regulatory, Physical Scope, Centre situated, Staff, 

    Core Business activities: 

    In bound: answering the question from the custom

    Call centre 24/7 


    Scope: 

     Type of activities: Inbound
    Locations: Pune, Chennai

    Departments: It Network Department, HR Department, Telecom regulatory, Physical Scope, Centre situated, Staff,

    Services: voice calls, SIM card delivery
    Requirement from Leadership and Commitment

    Infosec Policy and objectives

    Integration of Infosec

    Resources needed

    Direction and supporting

    Continual improvements.

    Investment
    Resources
    Infrastructure

    Defining and roles the responsibilities

    Policy:

    Will show the intention of the organization and will be the driving force.

    Leadership

    Roles, Responsibility and authorities: for an ISMS Manager

    Matrix


    Information Security – Risk Assessment Process 


    CIA on information assets 


    Risk criteria 🡪 Risk acceptance Criteria/ Criteria for performing


    Risk Identification 

    Asset Register

    Cause

    Sources

    Risk Assessment Tools


    Controls:

    Statement of applicability

    Activity 26 / 27 / 28 / 29: home work 

    ****************************************************************

    Day 04:

    Clause 07: Support


    Awareness
    Communications: Posters, Emails
    Documented information

    Documentation must be revisited every year, why?


    The Organisation is called as Living or dynamic organization, hence there will be changes and documentation should reflect
    those changes.

    Activity 30: Communication Process

    What is the process? Certain input, to get desired output based on the certain steps


    Who to communicate, when to, who shall, on what to…?
    Process should have:
    Input:
    Steps:
    Output:

    Clause 08: Operation

    Risk treatment Plan:



    Clause 09: Performance Evaluation 


    Security Incidents
    Internal Audits
    Consistency results
    Monitoring
    Measuring
    Effectiveness of ISMS
    Evaluation
    Internal Audit
    External Audit

    Activity 31: Monitoring and measurement


    Weekly check on Latest Windows Security patches whether installed in all the machines?

    DRBC Plan is conducted every 6 months

    Performance Evaluation

     Internal Audit
    Management Review

    Audit Process:



    Gap Analysis is also a type of Audit

    Inputs 🡪 Audit activity 🡪Outputs

    Three Things about Audit

    Intent: means expectation

    Implementation

    Effectiveness

    Positive Findings means Conformance.

    Negative Findings means Non-Conformance.

    As an Auditor you are not there to give any suggestions or do consulting

    Activity 33: Creating checklist 


    Also called as Aide Memory


    Has Security been employed?


    Scope: Physical Security




    Activity 34: Conducting an audit

    Improvements
    Management Reviews
    Leadership and Management

    Leadership = guidance’s [leadership are Born]

    Management = controls [Mangers are created]


    Change management

    Kotter’s 8 Steps to successful change. 

    1) Increase urgency - inspire people to move, make objectives real and relevant.

    2) Build the guiding team - get the right people in place with the right emotional

    commitment, and the right mix of skills and levels.

    3) Get the vision right - get the team to establish a simple vision and strategy, focus on

    emotional and creative aspects necessary to drive service and efficiency.

    4) Communicate for buy-in - Involve as many people as possible, communicate the

    essentials, simply, and to appeal and respond to people's needs. De-clutter

    communications - make technology work for you rather than against.

    5) Empower action - Remove obstacles, enable constructive feedback and lots of support

    from leaders - reward and recognise progress and achievements.

    6) Create short-term wins - Set aims that are easy to achieve - in bite-size chunks.

    Manageable numbers of initiatives. Finish current stages before starting new ones.

    7) Don't let up - Foster and encourage determination and persistence – on-going change -

    encourage on-going progress reporting - highlight achieved and future milestones.

    8) Make change stick - Reinforce the value of successful change via recruitment,

    promotion, new change leaders. Weave change into culture.


    Example:

     Confidentiality and Integrity: the balance sheet will be confidence till published to public. Once published Integrity becomes High and confidentiality becomes zero.

    Controls are required to reduce the RISK.

    ****************************************************************

    Day 05:

    Revision

    Why ISMS? 

     Improved security for the organization and its clients

    Increase in the quality of information security processes and procedures

    PDCA: Matrix



    Clause 4: Context of Org

    Clause 6: Planning

    A risk assessment process should then be defined that identifies risks associated with the

    loss of confidentiality, integrity and availability for information within the scope of the ISMS,

    analyses the risks and then evaluates them

    Clause 7: Support

    Leadership will provide the support

    Clause 8: Operation

    Info sec Risk Assessment

    Info sec Risk Treatment 

    Statement of Applicability: 114 Controls are present. When the controls are not applied, then the reason will be provided. 

    Clause 9: Performance evaluation  

    Internal Audits

    Management Review

    Clause 10: Improvement

    Non-Conformity and corrective action 

    Continual Improvement

    Implementation: of ISMS -

    Determine the Need for Documentation

    Baseline Gap Analysis

    Project Plan: Gannt Chart

    Scope of ISMS

    Leadership Commitments and Roles, responsibility & Authorities.

    PDCA Diagram


    Risk Identification: 

    Reduce/ Treat

    Avoid/ Terminate

    Accept/ Tolerate

    Transfer/ share

    Audit:

    Intent

    implement 

    Effectiveness 


    Non conformity reports

    Management Review

    Change Management


    ***********************

    Comments

    Post a Comment

    Popular Posts

    Change your Google Account email

    Image
      You can manage your email address directly here: Google Account email. https://myaccount.google.com/google-account-email If you prefer to navigate to this setting manually, here are the steps: On your computer, visit myaccount.google.com. https://myaccount.google.com/ At the top left, click Personal info. Click Email and then Google Account email. If you don't see the option to Change Google Account email, it may not be possible to change it at this time. Gmail Account Rename :- Where it is available Gmail Account Rename :- Where it is not rolled out Source: https://support.google.com/accounts/answer/19870?visit_id=639105734524882167-3711238423 Change your Google Account email Your Google Account email is the address you use to sign into Google services and to  identify your account to you and others. If you choose, you can change your Google Account email that ends in gmail.com to a new address that ends in gmail.com. Important; The ability to change your Google Account ema...
    Read more

    STEM career fair

      STEM career fair  Nov 2023 at NTU Campus https://nucleargraduates.com/event-registration/ https://www.sertec.co.uk/apprenticeships-overview/apprentice-vacancies/ https://qrco.de/bdm9MJ https://www.experian.com/careers/locations-teams/uk---ireland/uk-i-early-careers https://earlycareers.jcb.com/ https://ovarro.com/en/global/about-us/careers/opportunities/student-placement-programme---software-engineer/ https://www.jaguarlandrovercareers.com/content/Early-Careers/?locale=en_GB&utm_source=CampusCareerFair&utm_campaign=Graduate/Undergraduate%20Leaflets%202023 https://careers.fdmgroup.com/careersfair.aspx?source=UKNTU091123 https://careers.unilever.com/uk-placements https://jobs.bakkavor.com/content/Early-Careers/?locale=en_GB https://www.exclusive-networks.com/uk/about-exclusive-networks/careers/ https://forms.office.com/Pages/ResponsePage.aspx?id=joNvnQF5LkeO1dD4cGG2Vm9np5nkIdlNpZlTrtyDtMxUQlk1UDNKVVNPQ0JEU0xBNDgxUVM3T0I0Ni4u https://www.supplychain.nhs.uk/about-us/vaca...
    Read more

    HOME LAB : HANDS-ON

    Image
    HOME LAB : HANDS-ON Disclaimer Home LAB Home Assistant on OMV Container in Raspberry Pi https://www.gouti1454.com/p/homeassistant.html Installing Home Assistant on Docker using OMV Compose, along with Portainer, Jellyfin, and MQTT. Here’s the breakdown: Home Assistant on OMV Compose Setting up MQTT and connected it to Home Assistant HomePage with Docker Compose https://www.gouti1454.com/p/homepage-docker.html Setting Up HomePage with Docker Compose Key things to get right, While installing  HomePage Docker:  Best Practices for Docker Compose: Widgets Configuration: Common Errors & Fixes: Lamma AI https://www.gouti1454.com/p/llama-ai.html This post covers some useful tips and tricks for extracting YouTube transcripts and using the Fabric framework. The topics include: ...
    Read more