Thursday, 3 December 2015

WHAT IS ISO/IEC 27002:2013


According to the ISO/IEC 27000 series, ISO/IEC 27002 is an International Standard that provides a list of commonly accepted control objectives and best-practice controls, to be used as an implementation guide when selecting and implementing controls to achieve information security.

This standard gives guidelines on how to select, implement and manage controls, taking into consideration the organization's information security risk environment.

ISO/IEC 27001 uses the ISO/IEC 27002 code of practice to indicate suitable information security controls within an ISMS, but since ISO/IEC 27002 is merely a set of guidelines, an organization has the freedom to select and adopt any suitable security controls.

This standard consists of 14 security clauses, 35 domains and 114 controls.

Treating the ISO/IEC 27002 standard as a generic controls checklist, much like a menu from which organizations can select their own set of controls, rather than mandating specific controls, is what makes the standard broadly applicable even as technology and security risks have changed, and it gives users tremendous flexibility in implementation. Currently there is no formal compliance certificate against ISO/IEC 27002.

WATCH A VIDEO ABOUT THIS TOPIC ON YOUTUBE: https://youtu.be/xGRoITYNjaU


Thursday, 19 November 2015

Video: 12 key success factors to implement ISO 27001:2013.

Watch my video! https://goo.gl/JsEJsC


12 key success factors to implement ISO 27001:2013


This video is part of the book Information Security Management Based on ISO 27001:2013 by Andi Rafiandi & Anis Radianis.




Buy this book at Createspace https://goo.gl/FMQMkc or at Amazon http://goo.gl/DMFwEI
Check my blog at http://goo.gl/1w043R and http://goo.gl/lc9ny2

Monday, 16 November 2015

GAP ANALYSIS: DETERMINE THE SUCCESS


In planning the ISMS implementation in an organization, we should analyse the existing and the expected security condition; this is called gap analysis.
Gap analysis is an activity used to quantitatively assess the actual condition compared with the optimum performance achievable in the information security context. It is also a necessary step for moving from the current state to the desired future state.
The assessment result shows the current information security condition compared to the expected condition according to the ISO/IEC 27001 standard. Gap analysis can be used as a basis to determine investment requirements, such as time, resources and cost, for establishing information security. In conducting a gap analysis, top management and the security officer, as coordinator, have to be involved in order to obtain valid results.


The methods used during gap analysis are desk assessment and field assessment. A desk-based assessment involves gathering applicable documents such as existing written, graphic, photographic and electronic information, while a field-based assessment involves observing and examining the information security implementation in the field.
The results from both assessment methods are used as the basis for determining the gap. Gap analysis gives an overview of existing conditions so that efforts and priorities can be taken into account by management.
The gap analysis needs to be performed and reviewed continually, before starting the ISMS project and before conducting the certification audit.

12 KEY SUCCESS FACTORS TO IMPLEMENTING ISO 27001

Implementation of information security management practice according to ISO/IEC 27001 depends on how much effort the organization puts into the important factors needed to meet the intended objectives.


Several factors are important in determining whether the implementation is a success or a failure.

These are the 12 factors that are very important for an organization:

1. Support and Commitment from Top Management

2. Allocate Sufficient Budget and Resources for Implementation

3. Building Security Culture

4. Effective Project Management

5. Effective Risk Management

6. Clear Roles and Responsibilities

7. Effective Internal and External Communication

8. ISMS Tool Optimization for ISM Implementation

9. Proper Internal Audit

10. Effective Business Continuity Management

11. Effective Knowledge Management

12. Effective Control to Third Parties


HISTORY OF ISO/IEC 27001 AND ISO/IEC 27002

The story started when the United Kingdom Department of Trade and Industry (DTI) created a code of good security practice for information security.
This led to the publication of a document known as DISC PD0003, whose development was continued by the British Standards Institution (BSI). In 1995 this document became a formal information security standard known as BS7799.
BSI then developed another standard, a specification of an information security management system, as BS7799-2. In 1999 both standards were published by BSI as BS7799-1:1999 and BS7799-2:1999.


In 2000, ISO adopted the security standards from BSI and published them. BS7799 Part 1, the code of practice, became ISO/IEC 17799:2000, Code of practice for information security management.
In 2005, BS7799-2 emerged as ISO/IEC 27001:2005, and ISO 17799:2000 was republished as ISO/IEC 17799:2005. Late in 2007, to align with the series numbering system, ISO 17799:2005 was renamed ISO 27002:2007.
ISO/IEC 27001:2005 specifies a management system that is intended to bring information security under explicit management control. This standard is an ISMS framework in which all elements of the company monitor and control security, minimize risk and ensure compliance with the standard using the Plan-Do-Check-Act (PDCA) cycle. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified as compliant with the standard.
ISO/IEC 27002:2007 provides best-practice recommendations and guidance on initiating, planning, implementing and maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the C-I-A (confidentiality, integrity, availability) triad. This standard also provides a list of controls to be implemented as part of the ISMS; it includes 11 control domains, 39 control objectives and 133 controls.
On 25 September 2013 the new editions, ISO/IEC 27001:2013 and ISO/IEC 27002:2013, were published. Many concepts in ISO/IEC 27001 have changed and become more general: there is more flexibility in how documentation is structured, and ‘continuous improvement’ is used instead of only the PDCA cycle.
For ISO/IEC 27002 the list of controls has changed: some controls were added, some combined and some removed, resulting in 14 control domains, 35 control objectives and 114 controls.

Watch the video on YouTube: https://www.youtube.com/watch?v=MV52CKQy3ic


ABOUT ISO/IEC 27001:2013

The ISO/IEC 27001:2013 standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
This standard is an ISMS framework for monitoring and controlling security, minimizing risk and ensuring compliance with the standards for an organization.
The standard regulates some of the ISMS implementation process as follows:
  • All activities should be in accordance with the purpose and process of information security, which are clearly defined and documented in policies or procedures.
  • Provide security controls that can be used by the organization during the implementation, based on specific needs.
  • All security measures used in the ISMS as the outcome of risk analysis should be implemented to eliminate risks or reduce them to an acceptable level.
  • Processes exist to verify all information security system elements through audits and reviews to ensure continuous improvement.
  • Processes exist to ensure continuous improvement of all ISMS elements. Organizations are able to adopt other continuous improvement approaches; however, the PDCA cycle can also be used.


The ISO/IEC 27001 standard is intended to be used within an organization for the following purposes:
  1. As a process framework for the implementation and management of controls, to ensure that the specific security objectives of an organization are met.
  2. Formulating information security requirements and objectives.
  3. Ensuring compliance with laws and regulations.
  4. As a way to ensure that information security risks are being managed cost-effectively.
  5. Defining new information security management processes.
  6. Identifying and clarifying existing information security management processes.
  7. Determining the status of information security management activities.
  8. Providing relevant information about information security policies, directives, standards and procedures to partners.
  9. Implementing information security for business enablers.
  10. Providing relevant information about information security management to customers.
The ISO/IEC 27001:2013 standard does not formally mandate any specific information security controls, but the information security controls from another ISO standard, ISO/IEC 27002:2013, are listed in Annex A of the ISO/IEC 27001 standard.
Therefore, organizations adopting ISO/IEC 27001 have the freedom to choose any applicable information security controls and potentially supplement them with security controls from other standards, depending on their security situation. Moreover, the ISO/IEC 27001 standard incorporates a summary of the controls from ISO/IEC 27002 in its Annex A.
The ISO/IEC 27001 standard uses the ISO/IEC 27002 code of practice to indicate suitable information security controls within the ISMS. The standard consists of 14 security clauses, 35 domains and 114 controls.

Friday, 26 February 2010

The book JURUS SUKSES SERTIFIKASI ISO 27001 by Andi Rafiandi & Hadi Cahyono



Book title: Jurus Sukses Sertifikasi ISO 27001

Authors: Andi Rafiandi & M. Hadi Cahyono

Publisher: Andita Publishing

Year: 2010

ISBN: 978-602-96438-0-0

ISO 27001:2005 is an international information security standard that was officially published in 2005. Implementing ISO 27001:2005 optimally will contribute to the successful execution of the company's business processes as a whole, so that the company's vision and mission can be achieved.

This book, which gives step-by-step guidance on implementing ISO 27001:2005 from a management perspective, also explains what an IT security expert must do to secure information in the company. Therefore, for companies that want to create an information security programme or improve an existing one, this book is very suitable as a guide based on international best practice. Of course, this book will also greatly help you obtain ISO 27001 certification for your company.

With a straightforward writing style that is easy to digest even for those who are new to the world of IT security, this book provides what a company needs to implement ISO 27001:2005 and successfully obtain certification. The authors' hands-on experience, gained from being directly involved in ISO 27001:2005 implementation over several years at several leading companies in Indonesia, helps in giving a full and more detailed picture, complete with tips on information security.

Those who wish to buy this book can send an email to lemtiui at ie.ui.ac.id
The authors are ISO 27001, ISO 20000, ISO 28001 and ISO 38500 consultants experienced in implementing these ISO standards.

Finally, enjoy reading this book.

http://arafiandi.wix.com/blog

http://lemtiui.wordpress.com

http://lemtiui.blogger.com

http://arafiandi.wordpress.com