ISO-27001 ISMS

Lessons learned and useful tips for CISOs to turn their day to day work into a management system

Julien Levrard <Julien.levrard@hsc.fr>

Hervé Schauer Consultants

Hervé Schauer Consultants

– IT security company founded in 1989
– Fully independent intellectual expertise services
– Free of any distribution, integration, outsourcing, staff delegation or outside investors pressure
– Services: Consulting, coaching, audits, pentests, training
– Fields of expertise
  ● Technical security: OS, Network, Application, industrial systems, infrastructure
  ● Organizational security: IS management, Risk management, ISO-27001, PCI DSS, ARJEL, HDS
  ● Business Continuity
  ● Legal
– Certifications: CISSP, ISO 27001 Lead Auditor, ISO 27001 Lead Implementor, CISA, PCI-DSS QSA, ISO 27005 Risk Manager, ITIL, GIAC GCFA, GIAC GPEN, OPQCM, OPQF, etc.

Copyright Hervé Schauer Consultants 2003-2013

The need for an HSC ISMS framework

Objective:
– Unify our way of implementing ISMS
– Capitalize the lessons learnt within our engagements
– Generic framework that should be simple enough to be understood by a business manager in 5 min

How to do it:
– Logical segregation of ISO-27001 requirements
– Think as “the management”

Security controls

Premise n° 1: No organization has waited for an ISO standard to implement security controls

Security controls management

[Diagram: Security controls mngt]

Do we know
– What security controls are in place or planned?
– What activities are associated with these controls and who is in charge of them?

Premise n°2: We expect the CISO to be able to answer those questions

Mandatory compliance management

[Diagram: Legal and contractual compliance → Security controls mngt]

Did the CISO identify
– The legal and contractual requirements regarding Information Security?
– What security controls should be implemented in order to cover them?

Premise n°3: The CISO knows which mandatory security requirements the organization is subject to and what to do to keep people out of jail

IS risks management

[Diagram: IS risks → Security controls mngt]

Did the CISO identify/understand
– What the interested parties' expectations are?
– The important processes and information that should be protected?
– Are information security expenses efficient?
– Does the CISO have a good understanding of the information system?

Premise n°4: The CISO understands the business risks, is capable of interpreting them as information system risks and steers the security expenses according to those risks

IS incident management

[Diagram: Security controls mngt → Incidents]

Premise n°5: If a severe incident is badly managed, the CISO loses his job

Summary of the 5 premises

[Diagram: Legal and contractual compliance, IS risks → Security controls mngt → Incidents]

1. No organization has waited for an ISO standard to implement security controls
2. We expect the CISO to know what security controls are in place and who is in charge of them
3. The CISO knows which mandatory security requirements the organization is subject to and what to do to stay out of jail
4. The CISO understands the business risks, is capable of interpreting them as information system risks and steers the security expenses according to them
5. If a severe incident is badly managed, the CISO loses his job

These 5 premises are applicable to any organization that claims to manage information security

Information Security management system (ISMS)

[Diagram: Legal and contractual compliance, IS risks → Security controls mngt → Incidents; surrounded by Doc., Resources and skills, Monitoring and review, Continual improvement]

– Implementation of P-D-C-A way of working for all security management activities
– Documentation management
– Records management
– Resources management
– Training and awareness management
– Monitoring and review
– Continual improvement

How to comply with ISO-27001

[Diagram: Management → ISMS Steering; Legal and contractual compliance, IS risks → Security controls mngt → Incidents; surrounded by Doc., Resources and skills, Monitoring and review, Continual improvement]

– Formally involve the management
– Formalize information security management processes
– Formalize mandatory documents and records:
  ● Statement of Applicability
  ● ISMS policy and perimeter
  ● Risk assessment methodology
  ● Etc.

HSC ISMS model

[Diagram: Management → ISMS Steering; Legal and contractual compliance, IS risks → Security controls mngt → Incidents; surrounded by Doc., Resources and skills, Monitoring and review, Continual improvement]

– Represents best practices in information security management
– Relevant for any type of organization (just like the standard)
– Easy to understand and accessible to management and business owners
– Segregates the ISMS into logical activities
  ● Eases maturity assessment
  ● Structures the ISMS project plans
– Directly usable as a framework
  ● For initial assessment
  ● For implementation project
  ● For internal audit

Implementation feedback and advice for the clueless CISO

An ISMS is not a compliance project

Do not:
– Drive your implementation project following the standard sequentially
– With the ISMS seen as a compliance project
– Using a GRC tool to drive your implementation

But do:
– Use a solid information security management framework
– Customized to fit your actual information security organization

Think “Run” as soon as possible

Do not:
– Implement an ISMS without anticipating the ISMS after its certification
  ● The standard strongly mixes:
    – The target: a state of the art IS management
    – The project steps to reach the target
– Appoint only a project manager
  ● And forget to appoint a CISO

But do:
– Anticipate the “run” phase during the “build” one
  ● Project activities → Continual improvement
  ● Risk assessment interviews → Internal audit interviews
  ● Project manager → CISO

Segregate management controls from risk reduction controls

Do not:
– Consider all 133 annex A security controls to mitigate technical risks
  ● Some controls reduce all risks: A.5.1.1, A.6.1.1, A.8.2.2, A.15.1.1 …
  ● So we have to select them anyway
  ● It's difficult to measure how risks are reduced by these controls

But do:
– Consider these security controls as management process activities
– Focus risk assessment on technical risks and associated security controls (A.9, A.10, A.11 and A.12)
– Turn your “compliance oriented” risk assessment into an operational document that you can share with technical staff

Be a guide, not a pen-pusher

Do not:
– Try to implement an ISMS without the operational staff's involvement regarding security controls
  ● Documentation, monitoring
  ● Weak link between CISO and staff
– It's often easier to document and manage the documentation of security controls on your own or with consultants, but:
  ● The ISMS will not be working and it will lead to duplicate security controls documentation with inconsistency issues

But do:
– Help, explain, guide, support, check, monitor, train (but do not do their job)
– Find support within middle management to enforce your requests

Create your own security controls management tools

Do not:
– Use the SOA as a tool for managing security controls, or worse, as a risk treatment plan
  ● Except if you like the way it's organized ;-)
  ● It will lead to a painful and laborious way to manage your security controls

But do:
– Arrange your security controls list the way the controls are actually operated and managed
– Use the SOA to check completeness and to communicate with the auditor
– Consider formalizing a high level global RTP and specific operational RTPs (HR, IS, Business, etc.)
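As an added illustration of the last two slides (not tooling from the HSC deck), the Python script below keeps the controls register arranged by the process that actually operates each control, with an owner, the activities as the operators describe them, the record reviewed during monitoring and review, and a link to an operational RTP. Controls quoted on the slides as "reducing all risks" (A.5.1.1, A.6.1.1, A.8.2.2, A.15.1.1) are tagged as management process activities, the A.9 to A.12 families as risk reduction controls. The Statement of Applicability is then derived from that register and used only as a completeness check, which is the role the slide assigns it. All control names, owners, risk references and the eight-entry Annex A subset are constructed sample data; only the control identifiers that appear on the slides are taken from the page.

```python
"""Operational controls register with a derived SoA completeness check.

Added illustration; all names, owners and the sample Annex A list are
constructed and are not HSC tooling. Only the control identifiers quoted
on the slides are taken from the deck.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Identifiers quoted on the slides: the four controls that "reduce all risks"
# are treated as management process activities; the A.9-A.12 families are
# where the risk assessment is focused.
MANAGEMENT_CONTROLS = {"A.5.1.1", "A.6.1.1", "A.8.2.2", "A.15.1.1"}
TECHNICAL_FAMILIES = ("A.9.", "A.10.", "A.11.", "A.12.")


@dataclass
class Control:
    annex_id: str                 # Annex A reference, used only to build the SoA
    name: str                     # constructed sample name
    process: str                  # operational process that actually runs the control
    owner: str                    # team in charge; empty string means nobody yet
    activities: list[str]         # what is done, phrased as the operators describe it
    monitored_by: str | None = None          # record or indicator reviewed in M&R
    treats_risks: list[str] = field(default_factory=list)  # links to an operational RTP

    @property
    def kind(self) -> str:
        """Management process activity vs. risk reduction control."""
        if self.annex_id in MANAGEMENT_CONTROLS:
            return "management process"
        if self.annex_id.startswith(TECHNICAL_FAMILIES):
            return "risk reduction"
        return "other"


# Constructed register, arranged by operating process rather than in SoA order.
REGISTER = [
    Control("A.5.1.1", "Security policy document", "ISMS steering", "CISO",
            ["annual review in steering committee"], "steering committee minutes"),
    Control("A.10.4.1", "Malware protection", "Workstation operations", "Desktop team",
            ["agent on the build image", "weekly coverage report"],
            "coverage report", ["R-07 malware on user workstations"]),
    Control("A.11.2.1", "User registration", "Identity management", "IT helpdesk",
            ["joiner/leaver ticket workflow"], None, ["R-12 orphan accounts"]),
    Control("A.12.6.1", "Technical vulnerability management", "Server operations", "",
            ["monthly patch cycle"], "patch compliance dashboard",
            ["R-03 unpatched internet-facing server"]),
]

# Constructed subset of Annex A standing in for the full 133-control list.
ANNEX_A_SAMPLE = MANAGEMENT_CONTROLS | {"A.9.1.1", "A.10.4.1", "A.11.2.1", "A.12.6.1"}


def by_process(register: list[Control]) -> dict[str, list[Control]]:
    """The view the CISO actually works with: controls grouped by who operates them."""
    grouped: dict[str, list[Control]] = defaultdict(list)
    for control in register:
        grouped[control.process].append(control)
    return dict(grouped)


def statement_of_applicability(register: list[Control], annex_a: set[str]) -> dict[str, tuple[bool, str]]:
    """Derive SoA rows from the register instead of maintaining them by hand.

    Returns {annex_id: (applicable, operating process)}; a control is
    applicable when some operational process claims it.
    """
    present = {c.annex_id: c for c in register}
    return {cid: (cid in present, present[cid].process if cid in present else "")
            for cid in sorted(annex_a)}


def review_findings(register: list[Control], annex_a: set[str]) -> list[str]:
    """SoA completeness check plus the questions behind premises 2 and 5."""
    findings: list[str] = []
    claimed = {c.annex_id for c in register}
    for cid in sorted(annex_a - claimed):
        findings.append(f"{cid}: in Annex A list but claimed by no process (SoA gap)")
    for c in register:
        if not c.owner:
            findings.append(f"{c.annex_id}: nobody in charge")
        if c.monitored_by is None:
            findings.append(f"{c.annex_id}: no record or indicator for monitoring and review")
        if c.kind == "risk reduction" and not c.treats_risks:
            findings.append(f"{c.annex_id}: risk reduction control linked to no risk in the RTP")
    return findings


if __name__ == "__main__":
    for process, controls in by_process(REGISTER).items():
        print(process, "->", ", ".join(c.annex_id for c in controls))
    for line in review_findings(REGISTER, ANNEX_A_SAMPLE):
        print("finding:", line)
```

Run as a script, the register prints grouped by operating process and the review reports four SoA gaps (the three management controls and A.9.1.1 that no process has claimed), one control with nobody in charge and one with no record to review. The point of the design is that the operational view is the master and the SoA is a computed output, so the auditor's view and the team's view cannot drift apart.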


Check, check, check and check again

Do not:
– Neglect monitoring and review activities
  ● It's the CISO's strongest tool to validate the work
  ● With no M&R, the CISO stays on a theoretical level and does not identify operational issues
  ● The ISMS is one-way (IS policy style)
– Underestimate the internal audit costs
– Underestimate the cost of adequate records and indicators

But do:
– Formally monitor the project progress and RTP implementation
– Invest strongly from the beginning of the project in monitoring of security controls efficiency
– Link all audit activities to the ISMS (Pentest, SOX, ISAE 3402, etc.)
What are we working on?

Work in progress

[Diagram: Management → ISMS Steering; Legal and contractual compliance, IS risks → Security controls mngt → Incidents; surrounded by Doc., Resources and skills, Monitoring and review, Continual improvement]

– Continual improvement with consultants' field feedback
– Improvement of best-practices for each process
– Optimization of our engagement and improvement of quality
– Integration of other security frameworks within the ISMS:
  ● Health Care data
  ● PCI DSS
  ● Online gaming
  ● SOX/ISAE-3402
– Automation of indicators management to monitor the ISMS

Questions?