1. Gap Analysis
1.1. Gap analysis of the current management system's compliance and effectiveness against the requirements of the standard, documenting the gaps found
1.2. Gap analysis is a technique for determining the steps needed to move from the current state to a desired future state. It answers three questions:
1.2.1. What is our current situation?
1.2.2. What is the target?
1.2.3. What is the difference between current and target?
1.3. Inventory List
1.3.1. Asset Register
1.3.2. Information Classification
1.4. Department Process and Procedures
1.4.1. Interviews of Employees
1.4.2. Analysis of Process and Procedures
1.5. Internal
1.5.1. Internal VA/PT Tests
1.5.2. Internal Application Assessments
1.6. External
1.6.1. External PT / Perimeter Tests
1.6.2. Physical Security Assessments
1.6.3. Social Engineering Attacks
2. History
2.1. 1992
2.1.1. Guide to good practice for the industry (September), initially published as a British Standards Institution (BSI) publication
2.1.2. This guide was the basis for the British Standard BS 7799-1
2.2. 1995
2.2.1. Release of BS 7799-1
2.3. 1998
2.3.1. Release of the ISMS certification model (Published as BS 7799-2:1998)
2.4. 1999
2.4.1. Revision of BS 7799-1:1999 (updates and addition of new security controls)
2.4.2. Release of BS 7799-2
2.5. 2000
2.5.1. Release of ISO 17799
2.6. 2002
2.6.1. Release of BS 7799-2:2002
2.7. 2005
2.7.1. Publication of the new version of ISO 17799:2005
2.7.2. Release of ISO 27001:2005, which replaces BS 7799-2
2.8. 2007
2.8.1. Release of ISO 27002:2005, replacing ISO 17799:2005 (no change in content, only the identification number)
2.8.2. Release of ISO 27006:2007
2.9. 2008
2.9.1. Release of ISO 27005:2008
2.9.2. Release of ISO 27011:2008
2.10. 2009
2.10.1. Release of ISO 27000:2009
2.10.2. Release of ISO 27004:2009
2.10.3. Release of ISO 27033-1:2009
2.11. 2010
2.11.1. Release of ISO 27003:2010
2.11.2. Release of ISO 27033-3:2010
2.12. 2011
2.12.1. Release of ISO 27005:2011
2.12.2. Release of ISO 27006:2011
2.12.3. Release of ISO 27007:2011
2.12.4. Release of ISO 27008:2011
2.13. 2013
2.13.1. Revised version of ISO 27001
3. ISO 27001:2013 Sections
3.1. 0 Introduction
3.2. 1 Scope
3.3. 2 Normative references
3.4. 3 Terms and definitions
3.5. 4 Context of the Organization
3.5.1. Understanding the organization and its context
3.5.2. Understanding the needs and expectations of interested parties
3.5.3. Determining the scope of the ISMS
3.5.4. Information security management system
3.5.4.1. ISMS maintenance
3.6. 5 Leadership (top management)
3.6.1. Leadership and commitment
3.6.2. Policy
3.6.2.1. Security policy
3.6.3. Organizational roles, responsibilities and authorities
3.7. 6 Planning
3.7.1. Information security objectives and planning to achieve them
3.7.2. Actions to address risks and opportunities
3.8. 7 Support
3.8.1. Resources
3.8.2. Competence
3.8.2.1. Determine the competence of the people doing the work
3.8.3. Awareness
3.8.3.1. Security awareness for the people doing the work
3.8.4. Communication
3.8.4.1. Determine need for internal and external communications
3.8.5. Documented information
3.8.5.1. Document and publish the necessary information
3.9. 8 Operation
3.9.1. Operational planning and control
3.9.1.1. Plan, implement and control the required processes
3.9.2. Information security risk assessment
3.9.2.1. Perform risk assessments at planned intervals or after significant changes
3.9.3. Information security risk treatment
3.9.3.1. Implement risk treatment plan
3.10. 9 Performance Evaluation
3.10.1. Monitoring, measurement, analysis and evaluation
3.10.1.1. Evaluate performance and effectiveness of ISMS
3.10.2. Internal audit
3.10.2.1. Conduct internal audits at planned intervals
3.10.3. Management review
3.10.3.1. Review of ISMS by management at regular intervals
3.11. 10 Improvement
3.11.1. Nonconformity and corrective action
3.11.1.1. Actions for nonconformity
3.11.2. Continual improvement
3.11.2.1. Continually improve ISMS
3.12. Annex A
3.12.1. A5 Information security policies
3.12.1.1. A5.1 Management direction for information security
3.12.2. A6 Organization of information security
3.12.2.1. A6.1 Internal organization
3.12.2.2. A6.2 Mobile devices and teleworking
3.12.3. A7 Human resource security
3.12.3.1. A7.1 Prior to employment
3.12.3.2. A7.2 During employment
3.12.3.3. A7.3 Termination and change of employment
3.12.4. A8 Asset management
3.12.4.1. A8.1 Responsibility for assets
3.12.4.2. A8.2 Information classification
3.12.4.3. A8.3 Media handling
3.12.5. A9 Access control
3.12.5.1. A9.1 Business requirements of access control
3.12.5.2. A9.2 User access management
3.12.5.3. A9.3 User responsibilities
3.12.5.4. A9.4 System and application access control
3.12.6. A10 Cryptography
3.12.6.1. A10.1 Cryptographic controls
3.12.7. A11 Physical and environmental security
3.12.7.1. A11.1 Secure areas
3.12.7.2. A11.2 Equipment
3.12.8. A12 Operations security
3.12.8.1. A12.1 Operational procedures and responsibilities
3.12.8.2. A12.2 Protection from malware
3.12.8.3. A12.3 Backup
3.12.8.4. A12.4 Logging and monitoring
3.12.8.5. A12.5 Control of operational software
3.12.8.6. A12.6 Technical vulnerability management
3.12.8.7. A12.7 Information systems audit considerations
3.12.9. A13 Communications security
3.12.9.1. A13.1 Network security management
3.12.9.2. A13.2 Information transfer
3.12.10. A14 System acquisition, development and maintenance
3.12.10.1. A14.1 Security requirements of information systems
3.12.10.2. A14.2 Security in development and support processes
3.12.10.3. A14.3 Test data
3.12.11. A15 Supplier relationships
3.12.11.1. A15.1 Information security in supplier relationships
3.12.11.2. A15.2 Supplier service delivery management
3.12.12. A16 Incident management
3.12.12.1. A16.1 Management of security incidents and improvements
3.12.13. A17 Business continuity management
3.12.13.1. A17.1 Information security continuity
3.12.13.2. A17.2 Redundancies
3.12.14. A18 Compliance
3.12.14.1. A18.1 Compliance with legal and contractual requirements
3.12.14.2. A18.2 Information security reviews
4. General information
4.1. ISO 27001 is a set of requirements / best practices for an Information Security Management System (NOT an Information Technology Security Management System)
4.1.1. Put simply, an ISMS has a business context, not just a technology context
4.2. Requirements
4.2.1. Context of Organization
4.2.2. Leadership
4.2.3. Planning
4.2.4. Support
4.2.5. Operation
4.2.6. Performance Evaluation
4.2.7. Improvement
4.3. Controls
4.3.1. 2005 version
4.3.1.1. 11 control sections
4.3.1.2. 133 Controls
4.3.2. 2013 version
4.3.2.1. 14 control sections
4.3.2.2. 114 Controls
4.4. Based on the PDCA cycle
4.4.1. Plan
4.4.1.1. Establish the ISMS
4.4.2. Do
4.4.2.1. Implement and operate the ISMS
4.4.3. Check
4.4.3.1. Monitor and review the ISMS
4.4.4. Act
4.4.4.1. Maintain and improve the ISMS
5. Implementation Process
5.1. 1. Management Support
5.1.1. Obtain management interest
5.1.2. Clarify organization’s priorities
5.1.3. Define security objectives
5.1.4. Create business case and project plan
5.1.5. Identify roles and responsibilities
5.1.6. Get approval from the management
5.2. 2. Scoping
5.2.1. Define organizational scope
5.2.2. Define physical scope
5.2.3. Define technology scope
5.3. 3. Create Inventory Lists
5.3.1. Identify assets
5.3.2. Identify asset owner and information classification
5.4. 4. Perform Gap Analysis
5.4.1. Conduct external assessments
5.4.1.1. Technology perimeter assessment
5.4.1.2. Physical security assessment
5.4.2. Conduct internal assessments
5.4.2.1. Assessment of critical applications
5.4.3. Review departmental processes
5.4.3.1. Interview the department head
5.4.3.2. Interview a mid-level employee in the department
5.4.3.3. Analyse processes and practices
5.5. 5. Perform Risk Assessment
5.5.1. Create a risk treatment policy
5.5.2. Define a risk calculation procedure
5.5.3. Calculate the risk
5.5.4. Identify controls to mitigate (remove/reduce/transfer) identified risks
5.6. 6. Create SOA
5.6.1. Select the relevant controls from the standard
5.6.2. Create a document with the objectives/exceptions for the selected controls
5.7. 7. Create RTP
5.7.1. Create a risk treatment plan
5.7.2. Obtain management approval
5.8. 8. Create ISMS (Policies, Procedures, Training and Reports)
5.8.1. Create security policy
5.8.2. Create all referenced individual policies
5.8.3. Create procedure documents
5.8.4. Publish the policies
5.8.5. Conduct awareness training
5.9. 9. Management Review / Internal Audit
5.9.1. Review all documentation
5.9.2. Review SOA, RTP and policies
5.9.3. Review controls
5.9.4. Measure effectiveness
5.10. 10. Pre-Certification Audit
5.10.1. Conduct a mock audit
5.10.2. Identify all NCs
5.10.3. Take relevant actions to close identified NCs
5.11. Identify and contact a certification body for the audit
6. References / Publications
6.1. Guide to Implementing and Auditing of ISMS Controls
6.1.1. http://shop.bsigroup.com/ProductDetail/?pid=000000000030282631
6.2. How to Achieve 27001 Certification: An Example of Applied Compliance Management
6.2.1. http://www.amazon.com/How-Achieve-27001-Certification-Compliance/dp/0849336481/
7. 3rd party software / toolkits
7.1. ISO27k Forum
7.1.1. ISO27k Toolkit
7.1.1.1. http://www.iso27001security.com/html/iso27k_toolkit.html
7.2. SANS
7.2.1. ISO 17799 Checklist
7.2.1.1. http://www.sans.org/score/checklists/ISO_17799_2005.doc
7.2.2. SANS Security Policy Project
7.2.2.1. http://www.sans.org/security-resources/policies/
7.3. SerNet
7.3.1. Verinice
7.3.1.1. http://www.verinice.org/en/
7.4. PTA
7.4.1. Practical Threat Analysis
7.4.1.1. http://www.ptatechnologies.com
8. Related ISO Standards
8.1. ISO 27002
8.1.1. Code of practice for information security controls
8.1.2. Generic guidance document
8.1.3. ISO 27011
8.1.3.1. Guidelines for telecommunications companies
8.1.4. ISO 27015
8.1.4.1. Guidelines for financial services
8.1.5. ISO 27019
8.1.5.1. Guidelines for energy utility companies
8.1.6. ISO 27799
8.1.6.1. Guidelines for healthcare companies
8.2. ISO 27003
8.2.1. Guidance on ISMS implementation
8.3. ISO 27004
8.3.1. Security metrics for measuring effectiveness
8.4. ISO 27005
8.4.1. Information security risk management
8.5. ISO 27006
8.5.1. Requirements of auditing / certification bodies
8.6. ISO 27007
8.6.1. Guidelines for ISMS auditing (management system)
8.7. ISO 27008
8.7.1. Guidelines for ISMS auditing (controls)
8.8. ISO 27010
8.8.1. Guidelines on inter-organisation communications
8.9. ISO 27013
8.9.1. Guidelines on integrating ISO 27001 and ISO 20000
8.10. ISO 27014
8.10.1. Guidelines for governance of information security
8.11. ISO 27031
8.11.1. Guidelines for business continuity (ICT)
8.12. ISO 27032
8.12.1. Guidelines for cybersecurity
8.13. ISO 27033
8.13.1. Guidelines for network security
8.14. ISO 27034
8.14.1. Guidelines for application security
8.15. ISO 27035
8.15.1. Guidelines for incident management
8.16. ISO 22301
8.16.1. Business Continuity Management standard
8.16.2. Updated version of the BS 25999 standard
8.17. ISO 31000
8.17.1. Risk management - Principles and guidelines
9. Pre-certification audit
9.1. Simulation of an actual audit
9.2. Identify any NCs
9.3. Take necessary actions to close any identified NCs
10. Certification
10.1. Phase 1
10.1.1. Document review
10.1.2. 1 day
10.1.3. Mandatory
10.2. Phase 2
10.2.1. Control review
10.2.2. Multiple days, depending on scope
10.2.3. Mandatory
11. Risk Management
11.1. Risk Management Policy
11.2. Risk Assessment Procedure
11.2.1. Procedure for Risk Calculation
11.3. Risk Assessment Document
11.4. RTP
11.4.1. Risk Treatment Plan
12. Policies and Procedures
12.1. Security Policy
12.1.1. Obtain management objectives
12.1.2. Create the policy
12.1.3. Reference the individual policies
12.1.4. Obtain management approval
12.2. Referenced Policies
12.2.1. Acceptable Use Policy
12.2.2. Email Use Policy
12.2.3. Internet Use Policy
12.2.4. Mobile Use Policy
12.2.5. Wireless Security Policy
12.2.6. Incident Handling Policy
12.2.7. Change Management Policy
12.2.8. ...
12.3. Procedures
12.3.1. Define procedure to implement each policy
13. Scope
13.1. Organization Scope
13.1.1. Organizational units: department, service, project, subsidiary, etc.
13.1.2. Organizational structures and responsibilities of managers
13.1.3. Business processes: sales management, procurement, hiring, etc.
13.2. Physical Scope
13.2.1. All physical locations, both internal and external, that are included in the ISMS should be considered.
13.2.2. Identify area (data centre/server rooms/specific area)
13.2.3. In the case of outsourced physical sites, the interfaces with the ISMS and the applicable service agreements have to be considered.
13.3. Information Systems Scope
13.3.1. Networks: internal networks, wireless networks, etc.
13.3.2. Operating Systems: Windows, Linux, etc.
13.3.3. Applications: CRM, payroll management software, ERP, utilities, databases
13.3.4. Data: customer records, medical data, research and development, etc.
13.3.5. Processes: Consider processes that transport, store or process information.
13.3.6. Telecommunications equipment: routers, firewalls, etc.
13.4. Any change in scope must be evaluated, approved and documented!
14. Mandatory Documents
14.1. Leadership
14.1.1. Logs of Management Review Meetings
14.1.2. Review Plans
14.1.3. Action Reports
14.2. ISMS Related
14.2.1. Scope Statement
14.2.2. Roles and Responsibilities Document
14.2.3. Statement of Applicability (SoA)
14.2.4. Security Metrics
14.3. Policies
14.3.1. Security Policy
14.3.2. Individual Policies
14.3.3. Procedure Documents
14.4. Risk Management
14.4.1. Risk Management Policy
14.4.2. Risk Assessment Procedure
14.4.3. Risk Assessment Document
14.4.4. Risk Treatment Plan
14.5. Security Awareness Training
14.5.1. Training Records
14.5.2. Training Material
14.5.3. Metrics
14.6. Other Documents
14.6.1. Operating Procedures
14.6.2. Document Control Procedure
14.6.3. Record Control Procedure
14.6.4. Corrective Action Procedure
14.6.5. Preventive Action Procedure
15. Statement of Applicability (SOA)
15.1. Statement of Applicability
15.2. Defines which controls from ISO 27001 you have selected to implement
15.2.1. A document listing the applicable controls together with their objectives
15.3. ISO 27001 does not specify the form of the statement of applicability.
15.3.1. It simply requires a list of the security controls, whether selected or not, the reasons for those choices, and the actions implemented to satisfy each selected control.
15.3.2. Any additional controls put in place must also appear in the statement of applicability.
15.4. It is good practice to include in the statement of applicability the title or function of the person responsible for each control and the list of documents or records relating to it.
16. This freeware, non-commercial mind map was carefully hand crafted with passion and love for learning and constant improvement... (please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)
16.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com
16.1.1. http://www.miroslawdabrowski.com
16.1.2. http://www.linkedin.com/in/miroslawdabrowski
16.1.3. https://www.google.com/+MiroslawDabrowski
16.1.4. https://play.spotify.com/user/miroslawdabrowski/
16.1.5. https://twitter.com/mirodabrowski
16.1.6. miroslaw_dabrowski
17. White Papers
17.1. Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013
17.1.1. http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf