ISO 27001:2013 Clause 6 - Planning - by a software development company in India

This presentation covers the management clauses of ISO 27001:2013. Management clause 6 of the ISMS framework relates to 'Planning'.
The 'General' and 'Risk Assessment' sections (Clauses 6.1.1 and 6.1.2) are explained in this presentation.

Ref:
http://www.ifour-consultancy.com
http://www.ifourtechnolab.com

iFour Consultancy. ISMS Framework: Clause 6 - Planning
Planning - ISMS requirements

"It is not enough to do your best; you must know what to do and then do your best." - W. Edwards Deming

An organization needs to establish its strategic objectives, identify its risks and opportunities, and relate them to the scope of the ISMS. The prerequisites for the planning phase, which focuses on establishing an effective and sustainable ISMS, are:
- Management commitment to security
- Security policy
- Security strategy and plan
- Security measures

Web development company India http://www.ifourtechnolab.com
Planning - ISMS requirements (continued)

ISO 27001:2013 divides planning into:
- Clause 6.1: Actions to address risks and opportunities
  - Clause 6.1.1: General
  - Clause 6.1.2: Information security risk assessment
  - Clause 6.1.3: Information security risk treatment
- Clause 6.2: Information security objectives and planning to achieve them

Planning for the ISMS requirements takes the following factors into account:
- Size of the organization
- Nature of its business
- Maturity of its processes in implementing ISO 27001
- Commitment of senior management
Planning process - Clause 6.1 Actions to address risks and opportunities (flow diagram)

1. Determine the internal issues, the external issues, and the interested parties and their requirements.
2. Define the methods and criteria for identifying risks and opportunities.
3. Determine the risks and opportunities that must be addressed so that the ISMS achieves its intended outcomes, prevents or reduces undesired effects, and achieves continual improvement.
4. Plan actions to address the risks and opportunities, choosing methods for preventing or reducing undesired effects; the acceptable level of risk is proportional to the potential impact.
5. Define the action plan, how to evaluate the effectiveness of the actions, and how to integrate them into the ISMS processes.
6. Implement the actions.
Clause 6.1 (continued): Establish an ISMS (diagram)
Clause 6.1.2 Information security risk assessment

Risk is the combination of the likelihood that an incident occurs and the harm that incident causes to an information asset. A risk assessment identifies:
- Threats to the organization (i.e., to its operations, assets or individuals), or threats directed through the organization against other organizations or the nation
- Vulnerabilities, internal and external to the organization
- The adverse impact the organization may suffer if threats exploit those vulnerabilities
- The likelihood that harm will occur

Clause 6.1.2 focuses on:
- Defining an information security risk assessment process
- Assessing the organization's information security risks
Clause 6.1.2 (continued): Defining an information security risk assessment process

How will you perform the risk assessment? The organization shall define and apply an information security risk assessment process that:
- Establishes and maintains information security risk criteria, including:
  - Risk acceptance criteria
  - Criteria for performing information security risk assessments
- Ensures that repeated information security risk assessments produce consistent, valid and comparable results
Clause 6.1.2 (continued): Risk assessment process (diagram) - Identify, Analyze, Evaluate
Clause 6.1.2 (continued)

Identify the organization's information security risks
- Identify the risks associated with the loss of confidentiality, integrity and availability of information within the scope of the ISMS
- Identify the risk owners

Analyze the organization's information security risks
- Assess the consequences the organization would face if the identified risks materialized
- Assess the realistic likelihood that the identified risks occur
- Determine the level of each risk

Evaluate the organization's information security risks
- Compare the risk analysis results with the risk criteria established earlier
- Prioritize the analyzed risks for risk treatment
Clause 6.1.2 (continued): Example of a step-wise risk assessment approach

1. Calculate the asset value
   - Cost of the actual asset
   - Cost to protect the asset
2. Identify vulnerabilities and categorize them as Very High, High, Medium or Low
3. Identify threats and categorize them as Very High, High, Medium or Low
4. Identify the probability and business impact of the potential threats
   - Frequency of attack and extent of loss
   - Impact severity = Asset value x Threat severity x Vulnerability severity
5. Calculate the risk score
   - Risk score = Impact severity x Probability
   - Based on the level of the risk score, decide the appropriate risk treatment
6. Ascertain and establish controls
   - Identify countermeasures and solutions to eliminate the potential damage
   - Perform a cost/benefit analysis before implementing each control
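The scoring steps above, and the Clause 6.1.2 requirement that repeated assessments give consistent and comparable results, can be made concrete in code. The following is an added example, not code from the presentation or from iFour Consultancy: it applies the two slide formulas (Impact severity = Asset value x Threat severity x Vulnerability severity; Risk score = Impact severity x Probability) to a constructed asset register, compares each score with an acceptance criterion, and orders the register for treatment. The slide only names the four categories, so the 4..1 numeric scale, the monetary bands used to put asset value on that same scale, the acceptance threshold of 32 and the sample assets are all assumptions made for the illustration.

```python
"""Step-wise risk scoring in the style of slide 10 (added example).

Assumptions (not from the slide): the 4..1 ordinal scale, the monetary bands
for asset value, the acceptance threshold and the sample register.
"""
from dataclasses import dataclass
from typing import List

# One ordinal scale shared by threat severity, vulnerability severity and
# probability. Fixing the scale (and the bands below) once, and reusing them
# on every assessment, is what makes results consistent and comparable.
SCALE = {"Very High": 4, "High": 3, "Medium": 2, "Low": 1}

# Assumed risk acceptance criterion: scores above this go to risk treatment.
ACCEPTANCE_THRESHOLD = 32


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str              # risk owner, identified together with the risk
    cost: float             # cost of the actual asset
    protection_cost: float  # cost to protect the asset
    threat: str             # threat severity category (key of SCALE)
    vulnerability: str      # vulnerability severity category (key of SCALE)
    probability: str        # frequency of attack, on the same scale


@dataclass(frozen=True)
class RiskResult:
    asset: str
    owner: str
    impact: int
    score: int
    decision: str           # "treat" or "accept"


def rating(category: str) -> int:
    """Translate a category name to its ordinal; reject off-scale input so a
    typo cannot silently produce an incomparable score."""
    if category not in SCALE:
        raise ValueError(f"unknown rating {category!r}; use one of {list(SCALE)}")
    return SCALE[category]


def asset_value(a: Asset) -> float:
    """Asset value = cost of the asset plus the cost to protect it."""
    return a.cost + a.protection_cost


def asset_value_band(value: float) -> int:
    """Band the monetary asset value onto the 1..4 scale (thresholds assumed)."""
    for limit, band in ((10_000, 1), (100_000, 2), (1_000_000, 3)):
        if value <= limit:
            return band
    return 4


def impact_severity(a: Asset) -> int:
    """Impact severity = asset value x threat severity x vulnerability severity."""
    return asset_value_band(asset_value(a)) * rating(a.threat) * rating(a.vulnerability)


def risk_score(a: Asset) -> int:
    """Risk score = impact severity x probability."""
    return impact_severity(a) * rating(a.probability)


def evaluate(register: List[Asset], threshold: int = ACCEPTANCE_THRESHOLD) -> List[RiskResult]:
    """Evaluate step: compare each score with the acceptance criterion and
    return the register prioritised for treatment (highest score first; ties
    broken by impact, then name, so the ordering is reproducible)."""
    results = [
        RiskResult(a.name, a.owner, impact_severity(a), risk_score(a),
                   "treat" if risk_score(a) > threshold else "accept")
        for a in register
    ]
    return sorted(results, key=lambda r: (-r.score, -r.impact, r.asset))


# Constructed sample register; values are illustrative, not from the slide.
SAMPLE_REGISTER = [
    Asset("Customer database", "Head of Sales", 500_000, 50_000, "Very High", "High", "Medium"),
    Asset("Public website", "Marketing lead", 20_000, 5_000, "High", "Medium", "Very High"),
    Asset("Build server", "Engineering lead", 60_000, 10_000, "High", "Very High", "Medium"),
    Asset("Office printer", "Facilities", 2_000, 500, "Low", "Medium", "Low"),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_REGISTER):
        print(f"{r.asset:18} owner={r.owner:17} impact={r.impact:3} score={r.score:3} -> {r.decision}")
```

With these assumptions the customer database scores 72 and the build server and public website both score 48; the tie is resolved in favour of the build server because its impact severity is higher, which is the kind of deterministic rule you need for the "comparable results" requirement. The printer scores 2 and is accepted without treatment.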
References

http://isoconsultantpune.com/iso-90012015-clause-6-planning/
http://searchsecurity.techtarget.in/tip/A-free-risk-assessment-template-for-ISO-27001-certification
http://www.praxiom.com/iso-27001.htm
https://buildsecurityin.us-cert.gov/articles/best-practices/deployment-and-operations/plan-do-check-act