The webinar covers:
• Using ISO 27001 and/or COBIT as a framework
• Defining the proper KPIs
• Information security in service management
Presenter:
This session was presented by Arthur Donkers, Managing Partner of ITSX and a PECB Certified Trainer with more than 30 years of experience.
Link to the recorded session published on YouTube: https://youtu.be/epYUd3mzKzo
4. Who am I?
Interested in info sec, technology and
organisation
Trainer for PECB (ISO27001, 27005, 31000)
Convinced that Infosec is a means to an end, not
a purpose in itself
arthur@itsx.com
6. Managing expectations
This webinar contains some opinions and
personal views that are meant to trigger your
own questions and considerations.
Service management, infosec and other
domains used to be islands. If you want to serve
your customer by providing best-of-breed, you
need to build bridges.
7. ITIL
ITIL (Information Technology Service Library):
a set of practices for IT Service Management
aligns IT services and business needs
Focus on delivering what the business needs
the ‘what’ …
ITIL is copyright of Axelos
9. ISO20000-1
SMS (Service Management System) standard
requirements for a service provider to plan,
establish, implement, operate, monitor, review,
maintain and improve an SMS
Focus on managing service delivery
the ‘how’
11. Quality
A key factor for proper service delivery is the
quality of the service delivered.
According to ISO 8402-1986 standard, quality is
defined as:
"the totality of features and characteristics of a
product or service that bear on its ability to satisfy
stated or implied needs."
12. Quality
Stated needs are clearly described, i.e. the
things the customer wants.
Implied needs are inferred, often the
non-functional requirements, or requirements that
are taken for granted.
13. Is infosec stated or implied?
This depends on the scope of the service and
customer!
A managed firewall service has stated security
requirements.
A cloud based service often has implied security
requirements.
14. Make all infosec requirements clear
First thing that needs to be done is to make all
infosec requirements clear and stated.
Business needs and drivers are leading!
• Business Impact analysis
• Data classification
• Risk assessments
16. Infosec requirements
How do you make sure your requirements are
complete?
Use an information security framework!
• COBIT
• ISO27001
• PCI/DSS
• HIPAA
19. Aligning ISO27001
ISO 27001:2013 consists of two parts:
ISMS requirements (mandatory for certification)
Chapters 4 to 10 from the standard
Control framework, Annex A ( ‘the list’)
14 domains with security controls
Annex A is also available as ISO27002 guideline
http://www.iso27001security.com/ is a good source of information
20. ISO27001, context
This requires you to understand the context,
environment, needs and expectations of
interested parties and stakeholders.
Infosec must support the business goals and
assure proper service delivery by understanding
needs and expectations.
(Chapter 4)
21. ISO27001, context
Make sure you understand the context of the
service, the related business goals and
associated security requirements!
Make sure the security requirements are
traceable in the service delivery.
22. ISO27001, leadership
Top management must demonstrate leadership
and commitment and provide resources.
Organisation must support proper service
delivery on all levels, including fulfilling the
security requirements, and make sufficient
resources available.
(Chapter 5)
23. ISO27001, leadership
Clear and visible commitment is key for success.
Information security should be an integral part
and not an add-on or bandaid. This must be
clear throughout the organisation.
24. ISO27001, planning
Use a process based approach to managing risks
and clarify infosec objectives.
Objective of security requirements must be clear
from service management point of view and
risks must be identified, analyzed and treated in
a planned and organized way.
(Chapter 6)
25. ISO27001, planning
It is necessary to think and plan ahead. Include
information security from the start in your
service delivery.
Retrofitting security is difficult, ineffective,
costly, will delay your project and does not serve
the customer at the end of the day.
26. ISO27001, support
Adequate and competent resources must be
used, documentation must be maintained.
Use skilled professionals and tools to fulfill the
security requirements, document the way things
should work.
(Chapter 7)
27. ISO27001, support
Information security is a specialized field which
requires skills, experience and proper tools. Use
them!
If you only have a hammer, all your problems
look like a nail… (Maslow)
28. ISO27001, operation
Daily management of risk, changes and
documentation, to maintain and assure required
security levels.
Part of the service operation is assuring its
required security levels.
(Chapter 8)
29. ISO27001, operation
Security should be part of your service level and
daily operations must be geared towards
maintaining the expected security level.
Most security frameworks provide controls for
security operations (ISO27002)
30. ISO27001, performance evaluation
Monitor, measure, analyze and evaluate the
performance of the ISMS and controls.
Measure the effectiveness of security in the
service and improve where necessary. KPI and
KRI reports.
(Chapter 9)
31. ISO27001, performance evaluation
You need to make sure you can ‘measure’ the
security levels in your service. Define KPIs and
KRIs (Key Risk Indicators) that can be used in
reports. Define desired security levels in SLAs.
This gives you a means to improve on security
and increase effectiveness and efficiency.
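Slides 21 and 31 both come down to the same bookkeeping: each security requirement should be traceable to a control and to an indicator, and each indicator should be compared with the level agreed in the SLA. The script below is an added example, not material from the webinar or from PECB or ITSX; the service, the requirements, the KPI/KRI names and the measured values are constructed, and the Annex A control identifiers (A.12.6.1, A.16.1.5, A.9.2.5, A.12.3.1) are given as assumed references to the ISO 27001:2013 Annex A numbering. It reports requirements that no indicator evidences (a traceability gap), requirements that are still only implied (slide 14 asks for them to be made stated), and indicators that miss their SLA target.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    controls: tuple            # Annex A control ids assumed to back the requirement
    stated: bool               # True if written into the SLA, False if only implied


@dataclass(frozen=True)
class Indicator:
    name: str
    kind: str                  # "KPI" (performance) or "KRI" (risk)
    req_id: str                # the requirement this indicator gives evidence for
    target: float              # agreed level from the SLA
    higher_is_better: bool


# Constructed sample data for a fictional managed-hosting service.
REQUIREMENTS = (
    Requirement("R1", "Critical patches applied within 14 days", ("A.12.6.1",), True),
    Requirement("R2", "Security incidents contained within 8 hours", ("A.16.1.5",), True),
    Requirement("R3", "Privileged access reviewed quarterly", ("A.9.2.5",), False),
    Requirement("R4", "Daily backups proven restorable", ("A.12.3.1",), False),
)

INDICATORS = (
    Indicator("patch_sla_ratio", "KPI", "R1", 0.95, True),
    Indicator("incident_mttc_hours", "KPI", "R2", 8.0, False),
    Indicator("overdue_access_reviews", "KRI", "R3", 0.0, False),
)

# Constructed measurements for one reporting period.
MEASURED = {
    "patch_sla_ratio": 0.91,
    "incident_mttc_hours": 5.5,
    "overdue_access_reviews": 3.0,
}


def traceability_gaps(reqs=REQUIREMENTS, indicators=INDICATORS):
    """Requirements that no KPI/KRI evidences: not traceable in service delivery."""
    covered = {ind.req_id for ind in indicators}
    return [r.req_id for r in reqs if r.req_id not in covered]


def implied_requirements(reqs=REQUIREMENTS):
    """Requirements that are still implied and should be made stated."""
    return [r.req_id for r in reqs if not r.stated]


def evaluate(indicators=INDICATORS, measured=MEASURED):
    """Compare each indicator with its SLA target; a missing measurement is a finding too."""
    results = {}
    for ind in indicators:
        value = measured.get(ind.name)
        if value is None:
            results[ind.name] = "not measured"
            continue
        met = value >= ind.target if ind.higher_is_better else value <= ind.target
        results[ind.name] = "met" if met else "breached"
    return results


def report(reqs=REQUIREMENTS, indicators=INDICATORS, measured=MEASURED):
    """Per-requirement view: backing controls, stated/implied, and indicator status."""
    status = evaluate(indicators, measured)
    rows = {r.req_id: {"controls": r.controls, "stated": r.stated, "indicators": {}}
            for r in reqs}
    for ind in indicators:
        rows[ind.req_id]["indicators"][ind.name] = status[ind.name]
    return rows


if __name__ == "__main__":
    for req_id, row in report().items():
        print(req_id, row)
    print("not traceable:", traceability_gaps())
    print("still implied:", implied_requirements())
```

Two design points carry over to a real report: a KRI that counts overdue items has a target of zero, so any positive value is a breach rather than a tolerance band, and an indicator with no measurement is surfaced as "not measured" instead of silently passing, which is the condition slide 31 warns about when security levels cannot actually be measured.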
32. ISO27001, improvement
Use findings from audits, problem management
and reviews to continuously improve security.
Aim for improving the effectiveness and
efficiency of security within the service, as part
of the whole improvement process.
(Chapter 10)
34. ISO27001, summary
These areas are part of the mandatory ISO27001
standard. Their goal is to get in control of
information security, using a plan-do-check-act
approach.
IMHO: this is easy to align with service delivery,
as most of these models are based on PDCA as
well; infosec is ‘just’ an additional quality
aspect.
35. ISO27002, control domains
To support implementing information security,
the Annex A (or ISO27002) is available.
It is not mandatory but it is a good checklist to
make sure you don’t forget important controls.
14 domains, more than just IT!
37. ISO27002, highlights
Chapter 5: policies
Sets the standards, principles and goals
Chapter 6: organisation of information security
Who is responsible, roles and decision-making
Chapter 8: Asset management
What do we need to protect
38. ISO27002, highlights
Chapter 12: operations security
Security in your daily systems management
Chapter 13: communications security
Security in your daily network management
Chapter 14: Systems acquisition
Security requirements in outsourcing and
development
39. ISO27002, highlights
Chapter 15: supplier relationships
Addressing security requirements with your
suppliers
Chapter 16: incident management
What to do when something goes wrong
Chapter 17: Business continuity
How to guarantee delivery of service