iso-27001

1、IMPLEMENTAÇÃODANORMAISO27001WorldleaderinRiskManagementandCompliancesolutions.Createvalueandminimizeyourrisksthroughouron-demandmanagementsystems.RealISOCorp.626,GlennCurtissUniondale,11556NewYork–USA–PartOneInformativeAspectsGuideObjectives:»GeneralviewofInformationSecurity»Focusonsecuritymanagement»UnderstandinganISMS»UnderstandingRiskAnalysis»StudyofInformationSecuritymanagementprocessesModusOperandiGeneralaspectsofInformationSecurityWhatdoesInformationSecuritymean?»ForeignhackerscapturingCC。

2、numbers»Largecorporationwebsitesbeingdistortedforpoliticalreasons»Virusattacksthatrenderlargecorporationsinactive»Digitalspiescapturingandsellinginformationoncompetitionandhugedatabases»YoungpeopleinvadingsystemsnotknowingthetrueinformationvalueWhatdoesInformationSecuritymean?Old-fashionedview!!!Decision-Taking»ControlInformationDecision-Making»AgooddecisiondependsonthequalityofinformationInformationSecurityFarbeyondfirewall!»SecuritydoesnotdependuponITalone»Assuringsecuritydoesnotmeansimplyensu。

3、ringinformationsecrecy»Properdecisionsdependonaccurateinformation»SecuritymaygenerateperceivablevalueWhatisinformation?»Onpaper:Memos,standards,formulas,designs,strategies.»Ondigitalmedia:Disks,tapes,CDs,transmittedfiles.»Sound:Meetingrecording,messagesleftontelephoneswitchboards,cellphonemailbox.»Image:Documentphotos,identificationphotos,facilitiesphotos,videotapes,digitalvideos.Resources»Processing:Abilitytohandleinformationandgenerateresults»Storage:Abilitytostoreinformation.Doesnotchangeinfo。

4、rmation»Communication:Abilitytotransmitinformation.ShouldnotchangetransmittedinformationLastParadigm:Responsibility»DueDiligence:showsthatthecompanyiscarryingoutsecurityactivitiesonasteadybasis.»DueCare:developmentofinformationsecuritypolicies,riskanalysis,andanISMS.ShowsthatManagementhastakentherequireddecisionsandactionstoprotectthecompany.»Warning:Notcarryingout“DueDiligence”and“DueCare”maycharacterizeadministrativenegligence.BasicPrinciples»Confidentiality:giveninformationthatmaynotbemadeava。

5、ilableordisclosedforpeople,entitiesorprocesseswithoutpermission.Aconcepttoensurethatsensitive,confidentialinformationislimitedtoanappropriategroupofindividualsororganizations.»Integrity:theconditionbywhichinformationorinformationresourcesareprotectedfromunauthorizedchanges.Informationaccuracyandcompleteness.BasicPrinciples»Availability:informationistobedeliveredtotherightpeople,whenneeded.ISO27001FrameworkandImplementationWhatisISO27001?»Astandardwiththerequirementsforacompanytoimplementaninform。

6、ationsecuritymanagementsystem»ItwasoriginatedfromBS7799,createdbyBSI–BritishStandardInstitute»Businessprocess-orientedandnottechnologyinfrastructure-oriented»BasedonPDCAmanagementcycleWhatisISO27001?»DeterminesthatacompanymusthaveanISMS–ISManagementSystem»Maybeappliedtoanycompanytype»EnablesacompanytohaveitsISMScertificated»InlinewithISO9000,ISO14000standardsWhatISO27001isNOT?»Atechnicalstandard»AstandarddevelopedforITarea»Aguideforbestpractices.ForthatISO27002isavailable»Amethodologyforinformat。

7、ionsecuritymanagementISManagementSystem-PDCA»UnderstandingsecurityrequirementsAssessbusinessrisksandrequirements»ImplementingandoperatingcontrolsTechnological,physical,andadministrative»MonitoringandreviewingSystemperformanceIndicatorsandobjectivemetrics»ImprovingonanongoingbasisCorrectiveandpreventiveactionsISO27001ApplicationWhyimplementinganISMS?»TheSystemwasdevelopedwiththeaimofsuitingandprovidingsecuritycontrolsthatproperlyprotectthecompany’sinformationassets,increasingreliabilityofcustomer。

8、sandotherconcernedpartiesISO27001ApplicationBasicRequirements»However,thefollowingitemsmaynotbedisregarded:»4–InformationSecurityManagementSystem»5–ManagementResponsibility»6–InternalISMSAudits»7–ManagementReviewoftheISMS»8–ISMSImprovementInformationSecurityManagementSystemTheSecurityManagementSystemshould:»FollowPDCAmodel»ConsiderbusinesscontextandInformationrisks»Bebusinessprocess-oriented»ComplywiththestandardrequirementsImplementingISMS-StartingPointSystemScopeWhichprocesseswillmysystemactup。

9、on?»Thescopedefineswhichinformationassetsthesystemwillactupon»Itisinterestingtodefinescopethroughbusinessprocessapproach»ScopedefinitionshouldbeclearandallowidentificationoflocationsandassetsinvolvedInformationSecurityPolicyManagementSystemguidelines»Policyshouldreflectthecompany’sphilosophywithregardtoitsinformationsecurity»Itshouldprovidedirectionstoallconcernedparties»ItshouldconsiderbusinessrequirementsandapplicableregulatoryrequirementsInformationSecurityPolicyStrategicLine-up»Whicharethema。

10、incompany’sstrategies?»Howdoesinformationsecurityrelatetothesestrategies?»Whicharethecompany’ssecurityobjectives?RiskAnalysisSecurityRequirementsforaCompany»InformationSecurityrisks»RegulatoryandContractualObligations»Setofprinciples,objectivesandbusinessrequirementsneededforinformationprocessingRiskAnalysisNationalandInternationalStandardsReferences»ISO13335-1andISO13335-2»ISOGuide73–RiskmanagementVocabulary»ASNZS4360WhatareRisks?»R。