
ISO 27001

Implementation Roadmap
Vulnerability Assessment/Penetration Test of Key Applications/Systems
Provides substantive evidence that the net security objectives (e.g., ensuring the confidentiality of information) are actually being achieved. * Cost Effective * Well Regarded * Early Identification of Critical Risks

For consulting on ISO 27001, visit us at www.pivotpointsecurity.com or call 1.888.PIVOTPOINT (888.748.6876)

Address Short-Term Attestation Requirements


Proving that you are secure while you are working towards 27001 certification is critical to the success of your organization. Where stronger interim attestation is required, see the Shared Assessment phase below.

<1 Month

Secure Data Flow Diagram (SDFD)


Provides evidence that key client risks are being mitigated to an acceptable level by reasonable and appropriate security design. * Integral to Risk Assessment and Scoping * Facilitates Risk Identification * Evidence of secure design combined with substantive testing is effective attestation

Preliminary 27001 Project Plan


Where key clients have already requested 27001 compliance/certification, communicating a plan and demonstrating progress against it is critical to satisfying their requirements.

Define ISMS Scope

Logically/physically limit the scope of the ISMS to the maximum extent possible consistent with initiative objectives. This optimizes the likelihood of project success (prevents "boil the ocean" exercises).

Assess Gaps

Optimally scoping the ISMS and understanding the current gap between the desired and current state are integral to appropriately allocating the resources (personnel, third-party support, expenditures, and time) necessary to ensure the project achieves its objectives on time and on budget.

27005 Risk Assessment


Identifies the major risks (and their impacts) the ISMS is intended to mitigate. * Leverages the SDFD * Basis of 27001

Risk Treatment Plan


Establish risk acceptance criteria and define a treatment (avoid/control/transfer/accept) for every key risk identified in the risk assessment.

1-3 Months

Conduct Gap Assessment OR


Via documentation review, ICQs (internal control questionnaires) and/or surveys, determine where risk treatment gaps exist in: * Existence * Appropriateness * Completeness of documentation and ISMS support

Shared Assessment (BITS)


Same function as the Gap Assessment, except that it produces a Shared Assessment worksheet that clients (e.g., in the financial industry) may accept as interim attestation.

Develop & Execute the Roadmap


Prioritize and execute the work effort necessary to address the issues identified.

Prioritized Roadmap (Remediation Plan)


Develop a work plan based on a number of factors: * Risk * Ease of Mitigation to an Acceptable Level * Client Concerns * Reusability/Commonality * Resource and Skill Set Availability * Other Initiatives

3-18 Months

Execute the Plan


* Correct Design Deficiencies * Close Compliance Gaps * Update/Create Necessary Documentation * Implement New Controls

Operate the Environment


Assess the efficacy of the environment, monitor the ISMS, tune controls accordingly, and accumulate the audit evidence needed for attestation and certification.

Monitor the Environment


Integral to 27001 is ongoing monitoring of the ISMS. Tune control design and control output so that monitoring is practical and produces usable evidence.

Respond to Incidents
Integral to 27001 is demonstrable Incident Response. Tune Incident Response processes so that lessons learned feed back into ISMS improvements.

1-12 Months

Implement Continuous Improvement Principles


Integral to 27001 is demonstrable Continuous Improvement. Based on the results of monitoring and Incident Response, evolve the control environment in a documented, demonstrable manner.

Certify
While there are many significant advantages to implementing 27001, most notably demonstrably reducing risk and simplifying information security, for most entities certification itself is the most important outcome.

Pre-Certification Audit
"Friendly" pre-audit structured in accordance with the certification audit (a tabletop documentation review followed by a compliance review), so that deficiencies are found and fixed before the Certification Body sees them.

Certification Audit
27001 Certification Audit conducted by the Certification Body, resulting in issuance of an ISO 27001 Certificate.

and Beyond

Surveillance Audit (Year 2)


Smaller-scope audit conducted by the Certification Body between certification and re-certification to validate that the ISMS remains effective. Extension of the ISMS scope is possible at this point.

Triennial Audit (Every 3rd year)


Re-certification audit conducted by the Certification Body; a full audit of the ISMS that renews the certificate.

We make it simple to know you're secure and prove you're compliant.
