This document provides information about an ISO 27001 awareness training course held by K2A Training Academy. The one-day course aims to help participants understand how to safeguard organizational data and information from both external and internal threats. It covers topics such as information security background, risks and controls, and the ISO 27001 certification process. Breaks are scheduled during the day for tea and lunch. Attendees are not permitted to smoke or use their mobile devices during the sessions.
1. K2A Training Academy
Division of K2A Management
www.iso-certifications.com | www.k2amanagement.com
"Information technology — Security techniques — Information security management systems — Requirements"
An Awareness Training: ISO/IEC 27001:2013 ISMS
3. Copy Right-K2A
Course Objectives
On completion of the course, the participant will:
• Understand the significance of safeguarding organisational data and information in the light of possible threats, external and internal
• Learn about the objectives and scope of the ISO 27001 standard in respect of the Information Security Management System (ISMS)
• Acquire greater awareness of the underlying risks and receive exposure to typical measures to mitigate the risks within one's own organisation
Key Topics
• Information Security Background,
• Information Assets
• ISMS Benefits
• Likelihoods of failures and attacks
• Risks & Annex A controls
• Cost-effective and consistent reliability and security of the system
• Certification Process
What is Information Security?
The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.
An organization must determine which assets can materially affect the delivery of a product or service by their absence or degradation.
Information Security Management relates to all types of information, be it paper-based, electronic or other.
It determines how information is processed, stored, transferred, archived and destroyed.
Secure information is information whose Confidentiality, Integrity, and Availability are ensured.
It is all about protecting information assets from potential security breaches.
Information Assets
Information assets of an organization can be:
• Business data
• E-mail data
• Employee information
• Research records
• Price lists
• Tender documents
• Spoken in conversations over the telephone
• Data stored on computers
• Transmitted across networks
• Printed out
• Written on paper, sent by fax
• Stored on disks
• Held on microfilm
An asset is something that has "value to the organization".
Core Values
Confidentiality
• Is my communication private?
• Ensuring that the data is read only by the intended person
• Protection of data against unauthorized access or disclosure
• Possible through access control and encryption
Integrity
• Has my communication been altered?
• Protection of data against unauthorized modification or substitution
• If integrity is compromised, there is no point in protecting data
• A transparent envelope that is tamper evident
Availability
• Are the systems responsible for delivering, storing and processing information accessible when needed?
• Are the above systems accessible to only those who need them?
Need of ISMS
Management Concerns
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security
Security Measures/Controls
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management
All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS).
History
1960s: Organizations start to protect their computers
1970s: The first hacker attacks begin
1980s: Governments become proactive in the fight against cybercrime
1990s: Organized crime gets involved in hacking
2000s: Cybercrime becomes treated like a crime
2010s: Information security becomes serious
History of ISO/IEC 17021
Overview
The origin of the ISO/IEC 27000 series of standards goes back to the days of the UK Department of Trade and Industry's (DTI) Commercial Computer Security Centre (CCSC).
Founded in May 1987, the CCSC had two major tasks:
• The first was to help vendors of IT security products by establishing a set of internationally recognised security evaluation criteria and an associated evaluation and certification scheme. This ultimately gave rise to the ITSEC and the establishment of the UK ITSEC Scheme.
• The second was to help users by producing a code of good security practice; this resulted in a "Users Code of Practice", published in 1989, which was further developed by the National Computing Centre (NCC).
BS 7799-2:2002 was officially launched on 5th September 2002.
ISO/IEC 27001 is derived from BS 7799 Part 2, first published as such by the British Standards Institute in 1999.
BS 7799 Part 2 was revised in 2002, explicitly incorporating the Deming-style Plan-Do-Check-Act cycle.
BS 7799 Part 2 was adopted as ISO/IEC 27001 in 2005 with various changes to reflect its new custodians.
The 2005 first edition was extensively revised and published in 2013, bringing it into line with the other ISO management systems standards and dropping the explicit reference to PDCA.
ISO/IEC 17021 Overview
ISO/IEC 27001:2013 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
There are more than a dozen standards in the 27000 family, among them:
ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27010:2015 Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
Benefits
Protecting your data and reputation
Stay one step ahead
Competitive advantage
In this technology-driven world, it is critical to protect your organization's data and that of your customers. Implementing an information security management system (ISMS) and gaining ISO 27001 certification will ensure you have in place the processes and controls to protect your information assets and manage the threats posed to your organization from cyber attacks.
Supporting Standards
By using a risk management approach, ISO 27001 certification helps organizations manage their people, processes and systems, and is the best-known standard in the ISO 27000 family of standards.
ISO 27032 - Guidelines for cybersecurity
ISO 27018 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO 27017 - Code of practice for information security controls for cloud services
Risk Assessment
Diagram: risk approach (contractual, regulatory and business obligations; risk assessments; residual risk)
The definition of risk is the "effect of uncertainty on objectives", which may be positive or negative.
Baseline controls based on regulatory, business and contractual obligations may be identified and implemented before the risk assessment is conducted.
The organization identifies risks to the organization's information; the assessment does not have to be asset-based.
The risk owner determines how to treat the risk, accepting the residual risk.
Controls are drawn from any source or control set.
Selected controls are compared to those in Annex A.
The Statement of Applicability records whether a control from Annex A is selected and why.
Number of Domains and Controls
The 114 control sets of Annex A
Domain                                                                Control obj.  Controls
A.5  Information security policies                                          1          2
A.6  Organization of information security                                   2          7
A.7  Human resources security                                               3          6
A.8  Asset management                                                       3         10
A.9  Access control                                                         4         14
A.10 Cryptography                                                           1          2
A.11 Physical and environmental security                                    2         15
A.12 Operations security                                                    7         14
A.13 Communications security                                                2          7
A.14 System acquisition, development and maintenance                        3         13
A.15 Supplier relationships                                                 2          5
A.16 Information security incident management                               1          7
A.17 Information security aspects of business continuity management         2          4
A.18 Compliance                                                             2          8
Total (14 domains)                                                         35        114
Controls
The 114 control sets of Annex A
A.5 Information security policies (2 controls): how policies are written and reviewed.
A.6 Organisation of information security (7 controls): the assignment of responsibilities for specific tasks.
A.7 Human resource security (6 controls): ensuring that employees understand their responsibilities prior to employment and once they've left or changed roles.
A.8 Asset management (10 controls): identifying information assets and defining appropriate protection responsibilities.
A.9 Access control (14 controls): ensuring that employees can only view information that's relevant to their job role.
A.10 Cryptography (2 controls): the encryption and key management of sensitive information.
A.11 Physical and environmental security (15 controls): securing the organisation's premises and equipment.
A.12 Operations security (14 controls): ensuring that information processing facilities are secure.
A.13 Communications security (7 controls): how to protect information in networks.
A.14 System acquisition, development and maintenance (13 controls): ensuring that information security is a central part of the organisation's systems.
A.15 Supplier relationships (5 controls): the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
A.16 Information security incident management (7 controls): how to report disruptions and breaches, and who is responsible for certain activities.
A.17 Information security aspects of business continuity management (4 controls): how to address business disruptions.
A.18 Compliance (8 controls): how to identify the laws and regulations that apply to your organisation.
Risk Management
PDCA Approach
Identify Risks
• Identify all stakeholders
• Identify business processes
• Identify operation processes
• Identify assets
• Identify risks on the basis of all stakeholders
• Identify threats and vulnerabilities
• Evaluate probability and impact
• Calculate risk value
Risk Treatment
• Mitigate/reduce risk
• Avoid risk
• Transfer risk
• Accept risk
Risk Management
• Mitigate the risk by appropriate controls
• Evaluate controls periodically
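As an added example that is not part of the K2A slides, the following Python sketch walks through the risk steps above (asset, threat, vulnerability, probability x impact, treatment, residual risk accepted by the owner) and produces the Statement of Applicability described on the risk assessment slide. The 1-to-5 scales, the risk appetite, the sample risks and the abbreviated subset of Annex A controls are assumptions chosen for illustration.

```python
from dataclasses import dataclass
RISK_APPETITE = 6  # assumption: a risk value at or below this may be left untreated

# Small subset of ISO/IEC 27001:2013 Annex A controls (names abbreviated)
ANNEX_A = {"A.9.4.2": "Secure log-on procedures",
           "A.10.1.1": "Policy on the use of cryptographic controls",
           "A.12.3.1": "Information backup",
           "A.13.1.1": "Network controls",
           "A.14.2.1": "Secure development policy"}

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: int           # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale 1 (negligible) .. 5 (severe)
    owner: str                 # the risk owner who accepts residual risk
    treatment: str = "accept"  # accept | mitigate | transfer | avoid
    controls: tuple = ()       # Annex A ids selected to treat this risk
    residual: tuple = ()       # (probability, impact) after treatment, if any

    def risk_value(self) -> int:
        # "Evaluate probability and impact, calculate risk value"
        return self.probability * self.impact
    def residual_value(self) -> int:
        p, i = self.residual or (self.probability, self.impact)
        return p * i

def needs_owner_acceptance(r: Risk) -> bool:
    # Residual risk above appetite must be explicitly accepted by the owner.
    return r.residual_value() > RISK_APPETITE

def statement_of_applicability(register: list, annex_a: dict = ANNEX_A) -> dict:
    """For each Annex A control, record whether it is selected and why."""
    soa = {}
    for cid, name in annex_a.items():
        treats = [f"{r.asset}: {r.threat}" for r in register if cid in r.controls]
        soa[cid] = {"control": name, "selected": bool(treats),
                    "justification": ("treats " + "; ".join(treats)) if treats
                    else "no identified risk requires this control"}
    return soa

# Constructed sample register (not from any real organisation)
REGISTER = [
    Risk("customer database", "ransomware", "unpatched servers", 4, 5, "CIO",
         "mitigate", ("A.12.3.1", "A.13.1.1"), residual=(1, 5)),
    Risk("sales laptops", "theft", "no disk encryption", 3, 4, "Sales director",
         "mitigate", ("A.10.1.1", "A.9.4.2"), residual=(3, 1)),
    Risk("printed tender documents", "mis-delivery", "shared printer", 2, 2, "Bids manager"),
    Risk("payment platform", "fraud", "third-party integration", 2, 5, "CFO",
         "transfer", (), residual=(2, 4)),  # insured, but 8 > appetite: owner must accept
]
```

Running `statement_of_applicability(REGISTER)` shows A.14.2.1 as not selected with its justification, which is exactly the "selected and why" record the slide asks for; `needs_owner_acceptance` flags the payment-platform risk whose residual value still exceeds the appetite.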