
ISO 27001 Implementation Roadmap

For consulting on ISO 27001, visit us at www.pivotpointsecurity.com or call 1.888.PIVOTPOINT (888.748.6876)

Phase 1: Address Short-Term Attestation Requirements (<1 Month)

Proving that you are secure while you are working towards 27001 Certification is critical to the success of your organization. Where stronger interim attestation is required, see Shared Assessment under the Assess Gaps phase below.

  Vulnerability Assessment/Penetration Test of Key Applications/Systems
  Provides substantiative evidence that the net security objectives (e.g., ensuring the confidentiality of information) are being achieved.
    * Cost Effective
    * Well Regarded
    * Early Identification of Critical Risks

  Secure Data Flow Diagram (SDFD)
  Provides evidence that key client risks are being mitigated to an acceptable level by reasonable and appropriate security design.
    * Integral to Risk Assessment and Scoping
    * Facilitates Risk Identification
    * Evidence of Secure Design and Substantiative Test is effective attestation

  Preliminary 27001 Project Plan
  Where key clients have already requested 27001 compliance/certification, communicating a plan & progress towards it is critical to satisfying their requirements.

Phase 2: Assess Gaps (1-3 Months)

Optimally scoping and understanding the current gap between the desired and current state are integral to appropriately allocating the resources (personnel, third party support, expenditures, and time) necessary to ensure the project achieves objectives on time and on budget.

  Define ISMS Scope
  Logically/physically limit the scope of the ISMS to the maximum extent possible consistent with initiative objectives. Optimizes likelihood of project success (prevents "boil the ocean" exercises).

  27005 Risk Assessment
  Identifies major risks (& impacts) the ISMS is intended to mitigate. Establish acceptance criteria and define treatments (avoid/control/transfer/accept) for all key risks.
    * Leverages SDFD
    * Basis of 27001 Risk Treatment Plan

  Conduct Gap Assessment
  Via documentation review, ICQ's and/or surveys determine where risk treatment gaps exist in:
    * Existence
    * Appropriateness
    * Completeness of Documentation & ISMS support

  OR

  Shared Assessment (BITS)
  Same functionality as Gap Assessment except produces a Shared Assessment worksheet that may be accepted as interim attestation by clients (e.g. financial industry).

Phase 3: Execute the Roadmap (3-18 Months)

Prioritize and execute the work effort necessary to address the issues identified.

  Develop & Prioritize Roadmap (Remediation Plan)
  Develop a work plan based on a number of factors:
    * Risk
    * Ease of Mitigation to an Acceptable Level
    * Client Concerns
    * Reusability/Commonality
    * Resource and Skill Set Availability
    * Other Initiatives

  Execute the Plan
    * Correct Design Deficiencies
    * Close Compliance Gaps
    * Update/Create Necessary Documentation
    * Implement New Controls

Phase 4: Operate the Environment (1-12 Months)

Assess efficacy of environment, monitor the ISMS, tune controls accordingly, and accumulate audit evidence for attestation and certification.

  Monitor the Environment
  Integral to 27001 is ongoing monitoring of the ISMS. Tune control design/output to facilitate monitoring.

  Respond to Incidents
  Integral to 27001 is demonstrable Incident Response. Tune Incident Response processes to facilitate ISMS improvements.

  Implement Continuous Improvement Principles
  Integral to 27001 is demonstrable Continuous Improvement. Based on monitoring and Incident Response, evolve the control environment in a demonstrable manner.

Phase 5: Certify and Beyond

While there are many significant advantages to implementing 27001, most notably demonstrably reducing risk and simplifying Information Security, for most entities certification is the most important.

  Pre-Certification Audit
  "Friendly" pre-audit structured in accordance with certification audit (Tabletop Review then Compliance Review).

  Certification Audit
  Certification Audit conducted by Certification Body resulting in issuance of ISO 27001 Certificate.

  Surveillance Audit (Year 2)
  Mini-audit conducted by the Certification Body to validate ISMS efficacy. ISMS scope extension possible.

  Triennial Audit (Every 3rd year)
  Re-Certification Audit conducted by Certification Body.

We make it simple to “know you’re secure and prove you’re compliant”
