Practical Approach to Implementing ISO 27001 — summary

Ruween Iddagoda
5 min read · Feb 21, 2022

What is ISO 27001?

  • It is a standard published by the International Organization for Standardization (ISO), jointly with the IEC, to help organisations manage the security of information assets such as intellectual property, financial information, employee details or information entrusted to them by third parties.
  • In short, it specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).

https://www.iso27001security.com/html/toolkit.html

Why do we need it?

  • For software development companies, certification demonstrates that a baseline set of security controls is in place and that the company takes security seriously, which helps earn clients’ trust.
  • Prospective customers prefer to work with a company whose security has been independently assessed; the certificate adds weight to your credibility.
  • Management support is required from end to end: build a proper business case, make management aware of the costs involved, and get them on board before starting.

Process Overview

Step 1:

  • The primary goal before implementing the standard is to get management on board with the associated costs. To accomplish that, present a proper business case.

Step 2:

  • Define the scope of the implementation, whether a single location, multiple server farms, a business unit, etc. The scope can be expanded later as requirements evolve.

Step 3:

  • Identify the in-scope assets that carry information value.
  • Single out the high-value assets and calculate a risk value for each.

Step 4:

  • Decide how each identified risk will be treated.
  • Select the controls that mitigate the risks you chose to reduce.
  • Create the Statement of Applicability (SoA).

Step 5:

  • Implement the controls as defined in the SoA.

Step 6:

  • Once the controls are implemented and have been operating long enough to produce evidence, an accredited certification body audits the ISMS and, if it conforms, issues the certificate.

Business Plan

  • The business case document defines the costs and benefits of implementing ISO 27001. It provides a structured, comprehensive description of the risks associated with the assets and of the benefits of securing them.
  • Each control to be implemented for securing an asset carries a cost. Some controls may cost more than the value of the asset they protect; in such cases, evaluate the impact and decide which approach to take (for example, accepting the risk).
  • Ultimately, the document should lay out an explicit and comprehensive understanding of the ISMS for management.

https://www.iso27001security.com/ISO27k_Generic_business_case_for_ISO_IEC_27001_ISMS_v2.docx

Asset Inventory

  • Asset Register — a list of the assets owned by a business. It records pertinent details about each asset so that its value and location can be tracked: office equipment, motor vehicles, furniture, computers, communications systems and similar items. People (the human capital of a company) are also considered assets. For an ISMS, however, only assets that carry information value are registered. Typical fields are:
  1. Asset ID — every asset gets an identification code, so that it can be referenced and held to account.
  2. Owner — the entity that owns the asset and is accountable for it.
  3. Custodian — the entity that looks after the asset day to day.
  4. User — the entity that actively uses the asset.
  5. Location — where the asset resides (a physical site, or the system and path for an information asset).
  6. Storage — how the asset is stored and protected at rest, e.g. what encryption is used.
  7. Confidentiality requirement — High, Medium or Low; each rating maps to a numeric value used in the risk calculation.
  8. Integrity requirement — High, Medium or Low, mapped to a numeric value in the same way.
  9. Availability requirement — High, Medium or Low, mapped to a numeric value in the same way.
  10. Classification level — e.g. public, internal or confidential; a custom classification scheme can also be used.
  11. Disposal method — what to do when the asset reaches the end of its life cycle, and how to dispose of it securely.

Asset Register (Inventory) example — isms.online

Risk Assessment

  • Suppose the asset is a desktop PC. Its vulnerabilities might include out-of-date antivirus signatures or an operating system missing the latest security patches. The threat in this situation is malware that could infect the PC by exploiting one of those weaknesses.
  • Risk is the likelihood that a threat exploits a vulnerability of an asset, combined with the impact that would result.
  • Identify the assets that are both high in value and high in risk, and apply more controls to them to ensure their security.
  • To arrive at a numeric value for each risk, we use the following equation based on three factors:

Risk Value = Probability * Impact * Undetectability

  1. Probability (0–5) — the chance of the vulnerability being exploited.
  2. Impact (0–5) — the damage to the asset or the system if it is exploited.
  3. Undetectability (0–5) — how hard the exploitation would be to detect; the higher the score, the less likely anyone notices.
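The following is an added worked example, not code from the original article: it models a few rows of the asset register described above (with the High/Medium/Low requirement ratings mapped to numbers), scores each threat/vulnerability pair with the article’s formula Risk Value = Probability × Impact × Undetectability, and ranks the results. The numeric mapping for the C/I/A ratings (Low = 1, Medium = 2, High = 3), the treatment threshold of 27, and the sample assets and scores are all assumptions constructed for this illustration.

```python
"""Asset register + risk scoring worked example (added illustration, not code
from the original article). Implements the article's formula
    Risk Value = Probability * Impact * Undetectability   (each factor 0-5)
and a High/Medium/Low -> numeric mapping for the C/I/A requirement fields.
All assets, scores and thresholds below are constructed for the example."""
from dataclasses import dataclass

# Assumed mapping for the C/I/A requirement fields (the article only says a
# numeric value is allocated; the exact values are an assumption here).
CIA_SCORE = {"Low": 1, "Medium": 2, "High": 3}

SCALE_MIN, SCALE_MAX = 0, 5   # the 0-5 scale the article gives for each factor


def _check_factor(name: str, value: int) -> int:
    """Reject scores outside the 0-5 scale so a typo cannot distort the ranking."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in {SCALE_MIN}-{SCALE_MAX}, got {value!r}")
    return value


@dataclass(frozen=True)
class Asset:
    """One row of the asset register (a subset of the article's fields)."""
    asset_id: str
    owner: str
    custodian: str
    location: str
    confidentiality: str   # "Low" | "Medium" | "High"
    integrity: str
    availability: str
    classification: str

    def value(self) -> int:
        """Information value of the asset: sum of the C, I and A scores (3-9)."""
        return sum(CIA_SCORE[r] for r in (self.confidentiality, self.integrity, self.availability))


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against an asset, scored with the three factors."""
    asset: Asset
    vulnerability: str
    threat: str
    probability: int
    impact: int
    undetectability: int

    def __post_init__(self) -> None:
        for name in ("probability", "impact", "undetectability"):
            _check_factor(name, getattr(self, name))

    def risk_value(self) -> int:
        # Risk Value = Probability * Impact * Undetectability  -> 0..125
        return self.probability * self.impact * self.undetectability


def rank_risks(risks, threshold: int = 27):
    """Return (risk, needs_treatment) pairs, highest risk first.

    The threshold of 27 (= 3*3*3, every factor at least 'medium') is an
    assumption for this example, not a value from the article or the standard.
    Ties on risk value are broken by asset value, so high-value assets come first."""
    ranked = sorted(risks, key=lambda r: (r.risk_value(), r.asset.value()), reverse=True)
    return [(r, r.risk_value() >= threshold) for r in ranked]


# Constructed sample register entries and risks (not real data).
HR_SERVER = Asset("AST-001", "HR Manager", "IT Ops", "DC1 / rack 4",
                  "High", "High", "Medium", "Confidential")
DESKTOP = Asset("AST-002", "Sales Lead", "IT Ops", "Office floor 2",
                "Medium", "Medium", "Low", "Internal")
WEBSITE = Asset("AST-003", "Marketing", "Hosting vendor", "Cloud region eu-west",
                "Low", "Medium", "High", "Public")

SAMPLE_RISKS = [
    Risk(DESKTOP, "antivirus signatures out of date", "malware infection", 4, 3, 2),
    Risk(DESKTOP, "OS missing latest security patches", "malware infection", 3, 3, 3),
    Risk(HR_SERVER, "no MFA on admin accounts", "credential theft", 2, 5, 4),
    Risk(WEBSITE, "unpatched CMS", "defacement", 3, 2, 1),
]


def risk_report(risks=SAMPLE_RISKS):
    """One line per risk, ranked, with a treat/accept flag; feeds the treatment plan."""
    lines = []
    for risk, treat in rank_risks(risks):
        lines.append(f"{risk.asset.asset_id} value={risk.asset.value()} "
                     f"risk={risk.risk_value():3d} {'TREAT' if treat else 'accept/monitor'} "
                     f"{risk.threat} via {risk.vulnerability}")
    return lines


if __name__ == "__main__":
    print("\n".join(risk_report()))
```

Two caveats worth keeping in mind when using a formula like this: multiplying three ordinal 0–5 scores yields a number that is useful for ranking risks against each other, not a true quantity of expected loss; and because the factors multiply, a 0 in any one of them drives the whole risk value to 0, so many teams score on 1–5 instead to avoid accidentally hiding a risk.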

Risk Treatment

  • Here we discuss the treatments that can be applied to the risks identified and scored in the previous sections. The key idea is that there is no single solution for every asset or scenario; each situation calls for a different tactic.

Risk Management

  1. Risk avoidance — eliminate the risk entirely, for example by stopping the activity or removing the asset; no controls are then required for it.
  2. Risk reduction — apply controls that lower the likelihood or the impact until the residual risk is acceptable.
  3. Risk transfer — shift the financial consequence to a third party, e.g. by insuring the asset or outsourcing; accountability for the asset still remains with you.
  4. Risk acceptance — in some scenarios the cost of treatment outweighs the benefit and the risk is knowingly accepted, with documented management approval.
  • Documenting these treatment decisions produces one of the key documents required by ISO 27001: the Statement of Applicability (SoA). It lists each control, whether it applies, the justification for including or excluding it, and its implementation status, and it serves as the blueprint for implementing the controls.
  • In this document, we record why each control is needed and which requirement demands it, using justification codes such as:
  • LR — Legal Requirements, CO — Customer Obligations, BR — Business Requirements, RRA — Risk Assessment
  • Then create a risk treatment plan based on the controls you selected.
  • The official ISO/IEC 27001 standard (and the implementation guidance in ISO/IEC 27002) describes the controls and best practices in detail, but the documents must be purchased from ISO.
  • Once the implementation is complete, we collect about three months of operating data as evidence for the audit, which evaluates the effectiveness of the ISMS. The longer the ISMS has been in operation, the stronger the evidence that it actually works.
