Information Security Management Systems (ISMS)

I. ISO/IEC 27001 

ISO 27001 is a global standard for Information Security Management Systems (ISMS) that provides a risk management framework to protect sensitive information. ISO 27001:2022 is the latest version and specifies the requirements for establishing, implementing, maintaining, and improving an ISMS, covering all aspects of information security.

To obtain an ISO 27001 certificate, an organization typically goes through the following steps:

  • Conduct a gap analysis to identify gaps between current information security practices and the ISO 27001 requirements.
  • Develop an ISMS that meets the ISO 27001 requirements, including the policies, procedures, and controls for managing information security risks, based on the gap analysis.
  • Implement the ISMS across the organization, ensuring that all employees comply with its policies and procedures.
  • Conduct internal audits to verify that the ISMS is effective and to identify areas for improvement.
  • Conduct a certification audit: engage an accredited certification body to assess the organization's ISMS against the ISO 27001 standard.
  • Correct any non-conformities identified during the certification audit.

If the organization's ISMS meets the requirements of the ISO 27001 standard, the certification body (e.g., Bureau Veritas, DNV GL, Lloyd's Register Quality Assurance, SGS, BSI Group, TUV SUD, Intertek, or NSF International) will issue an ISO 27001 certificate; ISO itself does not certify organizations. A certificate is normally valid for three years, with annual surveillance audits in between and a recertification audit at the end of the cycle.

I.1 ISO 27001 ANNEX A:  ISO 27001 Annex A is the part of the ISO 27001 standard that provides a reference list of information security controls that organizations can use to establish an effective ISMS. In the ISO/IEC 27001:2013 edition, Annex A contained 114 controls grouped into the following 14 control domains (A.5 to A.18):

  1. Information security policies
  2. Organization of information security
  3. Human resource security
  4. Asset management
  5. Access control
  6. Cryptography
  7. Physical and environmental security
  8. Operations security
  9. Communications security
  10. System acquisition, development, and maintenance
  11. Supplier relationships
  12. Information security incident management
  13. Information security aspects of business continuity management
  14. Compliance

The ISO/IEC 27001:2022 edition restructured Annex A into 93 controls grouped under four themes: Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8). Organizations certified against the 2013 edition must transition to the 2022 control set within the transition period set by their certification body.

Each control category includes a set of controls that are designed to address specific risks and vulnerabilities related to information security. The controls are intended to be implemented based on the organization's risk assessment and risk management processes, considering the organization's specific needs and circumstances.

By using Annex A as a guide, organizations can ensure that they have considered a comprehensive set of information security controls that are aligned with the requirements of ISO 27001. Annex A is a reference list, not a mandatory checklist: each control must be declared applicable or excluded, with a justification, in the Statement of Applicability. Implementing the applicable controls helps to minimize the risk of security breaches and protect sensitive information, while also supporting compliance with relevant laws and regulations.


I.2 ISO 27001 IMPLEMENTATION:

1) Obtain management support: In my experience, this is the main reason why ISO 27001 certification projects fail – management is either not providing enough people to work on the project, or not enough money.

2) Treat it as a project with a detailed roadmap and milestones: ISO 27001 is a complex framework involving many activities and many people, and a certification project lasts from a couple of months to more than a year depending on the size of the organization.

3) Define the scope: decide which parts of the organization the ISMS covers, for example all network equipment, servers, cloud services, PCs, laptops, tablets, and phones, together with the employees who use them. Anything left out of scope must be justified, and interfaces to out-of-scope systems and third parties must be identified.

4) Design Information Security Policy:

  • Objectives: the general and specific objectives to be achieved by information security.
  • Requirements: reference to legal, statutory, and contractual requirements that must be fulfilled.
  • Risk management: reference to the process to select the information security controls.
  • Responsibilities: responsibilities for implementation, maintenance, and reporting of ISMS performance.
  • Communication: to whom this policy needs to be communicated.
  • Support: commitment with resources to implement and improve information security.

5) Define the risk assessment methodology: The purpose of the methodology is to define the rules for identifying risks, scoring their impact and likelihood, and setting the acceptable level of risk, so that results are consistent and repeatable regardless of who performs the assessment.

6) Perform risk assessment and treatment: Identify unacceptable risks and decide how to treat each one (mitigate it with Annex A controls, accept it, transfer it, e.g. through insurance or a supplier contract, or avoid it by stopping the activity). Create a Risk Assessment Report and obtain management approval for the residual risks that remain after treatment.

7) Write the Statement of Applicability (SoA): Once you have completed your risk assessment and treatment process, you will know exactly which controls from ISO 27001 Annex A you need. The purpose of this document is to list all controls and to define which are applicable and which are not, the reasons for such a decision, and a description of how they are implemented in the organization. The Statement of Applicability is also the most suitable document to obtain management authorization for the implementation of the ISMS. 

8) Write the Risk Treatment Plan: Define exactly how the controls from the SoA are to be implemented – who is going to do it, when, with what budget, etc.

9) Define how to measure the effectiveness of controls:  Define how you are going to measure the fulfillment of objectives you have set both for the whole ISMS, and for security processes and/or controls.

10) Implement the security controls: Implement all necessary documents and technology and change security processes in your organization, which can be a challenging task since it involves enforcing new behavior and potentially creating new policies and procedures. Training and awareness are crucial for avoiding resistance to change.

11) Implement training and awareness programs:  Educate employees and stakeholders on the ISMS policies, procedures, and controls. This helps ensure that everyone understands their roles and responsibilities in maintaining information security and encourages a culture of security awareness throughout the organization.

12) Operate the ISMS:  Keep records (including logs) as evidence that the required activities were actually performed; auditors will ask for them.

13) Track the performance of the ISMS:  Monitor and measure its activities, including incidents, procedures, and results, to ensure they align with the established objectives.

14) Internal audit: Identify existing or potential problems that you are not yet aware of, before they hurt your organization and before the certification auditor finds them.

15) Management review: Help management to make decisions, such as approving the security budget and aligning security with the business strategy, based on the audit results and ISMS performance data.

16) Corrective and preventive actions:  Correct any non-conformities and prevent future occurrences. Identify the root cause of the issue, resolve it, and verify that it has been resolved.
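Steps 5 to 9 above (define the scoring rules and acceptable risk level, assess and treat the risks, get residual risks approved, and derive the Statement of Applicability) are easy to describe and easy to get inconsistent in a spreadsheet. The script below is an added example, not code from the original post, that carries a small constructed risk register through those steps. The 1-5 scales, the acceptable-risk threshold, the sample risks and the handful of ISO/IEC 27001:2022 Annex A control numbers it maps onto are assumptions chosen for illustration; an organization's own methodology defines the real values, and the control titles should be checked against the standard text.

```python
"""Risk assessment -> treatment -> Statement of Applicability, as one pipeline.

Added example; all scales, thresholds, risks and control mappings are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: ordinal 1-5 scales, risk = likelihood x impact, and any score
# above ACCEPTABLE_RISK is unacceptable (must be treated, or explicitly accepted).
ACCEPTABLE_RISK = 6
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}

# Assumption: a subset of ISO/IEC 27001:2022 Annex A controls (titles abbreviated).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.7.4": "Physical security monitoring",
    "A.8.5": "Secure authentication",
    "A.8.12": "Data leakage prevention",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"            # one of TREATMENTS
    controls: List[str] = field(default_factory=list)   # Annex A ids selected
    residual_likelihood: Optional[int] = None           # after treatment
    residual_impact: Optional[int] = None

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def validate(risk: Risk) -> None:
    """Enforce the methodology rules so every assessor scores the same way."""
    for v in (risk.likelihood, risk.impact, risk.residual_likelihood, risk.residual_impact):
        if v is not None and not 1 <= v <= 5:
            raise ValueError(f"{risk.rid}: score {v} is outside the 1-5 scale")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.rid}: unknown treatment {risk.treatment!r}")
    unknown = [c for c in risk.controls if c not in ANNEX_A]
    if unknown:
        raise ValueError(f"{risk.rid}: controls not in Annex A: {unknown}")
    if risk.treatment == "mitigate" and not risk.controls:
        raise ValueError(f"{risk.rid}: 'mitigate' requires at least one Annex A control")
    if risk.residual > risk.inherent:
        raise ValueError(f"{risk.rid}: residual risk cannot exceed inherent risk")


def risk_assessment_report(risks: List[Risk]) -> List[dict]:
    """Rows sorted by inherent score. needs_treatment: inherent risk above the
    acceptable level. needs_acceptance: residual risk still above it, so it
    must be formally accepted by management (step 6)."""
    rows = []
    for r in sorted(risks, key=lambda x: x.inherent, reverse=True):
        validate(r)
        rows.append({
            "id": r.rid, "asset": r.asset, "inherent": r.inherent,
            "treatment": r.treatment, "residual": r.residual,
            "needs_treatment": r.inherent > ACCEPTABLE_RISK,
            "needs_acceptance": r.residual > ACCEPTABLE_RISK,
        })
    return rows


def statement_of_applicability(risks: List[Risk]) -> dict:
    """Every Annex A control is listed (step 7): applicable if at least one
    treatment selected it, with the risk ids as justification; otherwise it is
    flagged as excluded and still needs a written reason for the exclusion."""
    soa = {}
    for cid, title in ANNEX_A.items():
        justified_by = sorted(r.rid for r in risks if cid in r.controls)
        soa[cid] = {
            "title": title,
            "applicable": bool(justified_by),
            "justification": ", ".join(justified_by) if justified_by
            else "excluded: no identified risk selects it (reason to be documented)",
        }
    return soa


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("R1", "customer database", "credential theft leading to data breach", 4, 5,
         "mitigate", ["A.5.15", "A.8.5", "A.8.24"], residual_likelihood=2, residual_impact=3),
    Risk("R2", "file server", "ransomware destroys data", 3, 4,
         "mitigate", ["A.8.13"], residual_likelihood=3, residual_impact=2),
    Risk("R3", "server room", "unauthorised physical entry", 2, 4,
         "mitigate", ["A.7.4"], residual_likelihood=2, residual_impact=4),
    Risk("R4", "marketing laptop", "loss of public brochures", 3, 1),   # accepted as is
]

if __name__ == "__main__":
    for row in risk_assessment_report(SAMPLE_RISKS):
        print(row)
    for cid, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(cid, entry)
```

R3 illustrates the approval rule: its control brings the inherent risk down but the residual score (8) still exceeds the acceptable level (6), so the report flags it for documented management acceptance rather than silently treating it as closed. A.8.12 illustrates the other side of the SoA: a control nobody selected is not simply dropped; it appears as excluded and must carry a justification that the auditor can read.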


II. NIST CYBER SECURITY FRAMEWORK

The NIST Cybersecurity Framework is a widely adopted and customizable framework developed by the National Institute of Standards and Technology (NIST). It provides organizations with a structured approach to managing and improving their cybersecurity posture. The framework core of version 1.1 consists of the following five functions (CSF 2.0, released in February 2024, adds a sixth function, Govern, covering strategy, roles, policy, and oversight):

1. Identify: Understand and manage cybersecurity risks to the business, its systems, assets, data, and capabilities.
2. Protect: Develop and implement safeguards that prevent or limit the impact of a cyber-attack and ensure delivery of critical services.
3. Detect: Develop and implement mechanisms to identify cybersecurity events and potential compromises in a timely manner.
4. Respond: Develop and implement response plans to contain and mitigate the impact of a cybersecurity incident.
5. Recover: Develop and implement processes for restoring services and capabilities impaired by a cybersecurity incident.

