
1. History
1.1. 1992
1.1.1. Code of practice for information security management (September), initially published as a British Standards Institution (BSI) publication
1.1.2. This code of practice was the basis for the British Standard BS 7799-1
1.2. 1995
1.2.1. Release of BS 7799-1
1.3. 1998
1.3.1. Release of the ISMS certification model (Published as BS 7799-2:1998)
1.4. 1999
1.4.1. Revision of BS 7799-1:1999 (updates and addition of new security controls)
1.4.2. Revision of BS 7799-2 (BS 7799-2:1999)
1.5. 2000
1.5.1. Release of ISO 17799
1.6. 2002
1.6.1. Release of BS 7799-2:2002
1.7. 2005
1.7.1. Publication of the new version of ISO 17799:2005
1.7.2. Release of ISO 27001:2005, which replaces BS7799-2
1.8. 2007
1.8.1. Release of ISO 27002:2005 replacing ISO 17799:2005 (No change in the content, just identification number)
1.8.2. Release of ISO 27006:2007
1.9. 2008
1.9.1. Release of ISO 27005:2008
1.9.2. Release of ISO 27011:2008
1.10. 2009
1.10.1. Release of ISO 27000:2009
1.10.2. Release of ISO 27004:2009
1.10.3. Release of ISO 27033-1:2009
1.11. 2010
1.11.1. Release of ISO 27003:2010
1.11.2. Release of ISO 27033-3:2010
1.12. 2011
1.12.1. Release of ISO 27005:2011
1.12.2. Release of ISO 27006:2011
1.12.3. Release of ISO 27007:2011
1.12.4. Release of ISO 27008:2011
1.13. 2013
1.13.1. Revised versions of ISO 27001 and ISO 27002 (ISO/IEC 27001:2013 and ISO/IEC 27002:2013)
2. References / Publications
2.1. Guide to Implementing and Auditing of ISMS Controls
2.1.1. http://shop.bsigroup.com/ProductDetail/?pid=000000000030282631
2.2. How to Achieve 27001 Certification: An Example of Applied Compliance Management
2.2.1. http://www.amazon.com/How-Achieve-27001-Certification-Compliance/dp/0849336481/
3. 3rd party software / toolkits
3.1. ISO27k Forum
3.1.1. ISO27k Toolkit
3.1.1.1. http://www.iso27001security.com/html/iso27k_toolkit.html
3.2. SANS
3.2.1. ISO 17799 Checklist
3.2.1.1. http://www.sans.org/score/checklists/ISO_17799_2005.doc
3.2.2. SANS Security Policy Project
3.2.2.1. http://www.sans.org/security-resources/policies/
3.3. SerNet
3.3.1. Verinice
3.3.1.1. http://www.verinice.org/en/
3.4. PTA
3.4.1. Practical Threat Analysis
3.4.1.1. http://www.ptatechnologies.com
4. Related ISO Standards
4.1. ISO 27002
4.1.1. Code of practice for information security controls
4.1.2. Generic guidance document
4.1.3. ISO 27011
4.1.3.1. Guidelines for telecommunications companies
4.1.4. ISO 27015
4.1.4.1. Guidelines for financial services
4.1.5. ISO 27019
4.1.5.1. Guidelines for energy utility companies
4.1.6. ISO 27799
4.1.6.1. Guidelines for healthcare companies
4.2. ISO 27003
4.2.1. Guidance on ISMS implementation
4.3. ISO 27004
4.3.1. Security metrics for measuring effectiveness
4.4. ISO 27005
4.4.1. Information security risk management
4.5. ISO 27006
4.5.1. Requirements of auditing / certification bodies
4.6. ISO 27007
4.6.1. Guidelines for ISMS auditing (management system)
4.7. ISO 27008
4.7.1. Guidelines for ISMS auditing (controls)
4.8. ISO 27010
4.8.1. Guidelines on inter-organisation communications
4.9. ISO 27013
4.9.1. Guidelines on integrating ISO 27001 and ISO 20000
4.10. ISO 27014
4.10.1. Guidelines for governance of information security
4.11. ISO 27031
4.11.1. Guidelines for business continuity (ICT)
4.12. ISO 27032
4.12.1. Guidelines for cybersecurity
4.13. ISO 27033
4.13.1. Guidelines for network security
4.14. ISO 27034
4.14.1. Guidelines for application security
4.15. ISO 27035
4.15.1. Guidelines for incident management
4.16. ISO 22301
4.16.1. Business Continuity Management standard
4.16.2. Supersedes BS 25999-2, the earlier British Standard for business continuity management (there was no ISO 25999)
4.17. ISO 31000
4.17.1. Risk management - Principles and guidelines
5. This freeware, non-commercial mind map was carefully hand crafted with passion and love for learning and constant improvement... (please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)
5.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com
5.1.1. http://www.miroslawdabrowski.com
5.1.2. http://www.linkedin.com/in/miroslawdabrowski
5.1.3. https://www.google.com/+MiroslawDabrowski
5.1.4. https://play.spotify.com/user/miroslawdabrowski/
5.1.5. https://twitter.com/mirodabrowski
5.1.6. miroslaw_dabrowski
6. White Papers
6.1. Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013
6.1.1. http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf
7. Gap Analysis
7.1. Assess the current management system's compliance and effectiveness against the requirements of the standard, and document the gaps
7.2. Gap analysis is a technique for determining the steps needed to move from the current state to a desired future state. It answers three questions:
7.2.1. What is our current situation?
7.2.2. What is the target?
7.2.3. What is the difference between current and target?
7.3. Inventory List
7.3.1. Asset Register
7.3.2. Information Classification
7.4. Department Process and Procedures
7.4.1. Interviews of Employees
7.4.2. Analysis of Process and Procedures
7.5. Internal
7.5.1. Internal VA/PT Tests
7.5.2. Internal Application Assessments
7.6. External
7.6.1. External PT / Perimeter Tests
7.6.2. Physical Security Assessments
7.6.3. Social Engineering Attacks
8. ISO 27001:2013 Sections
8.1. 0 Introduction
8.2. 1 Scope
8.3. 2 Normative references
8.4. 3 Terms and definitions
8.5. 4 Context of the Organization
8.5.1. Understanding the organization and its context
8.5.2. Understanding the needs and expectations of interested parties
8.5.3. Determining the scope of the ISMS
8.5.4. Information security management system
8.5.4.1. Establish, implement, maintain and continually improve the ISMS
8.6. 5 Leadership (top management)
8.6.1. Leadership and commitment
8.6.2. Policy
8.6.2.1. Security policy
8.6.3. Organizational roles, responsibilities and authorities
8.7. 6 Planning
8.7.1. Actions to address risks and opportunities
8.7.2. Information security objectives and planning to achieve them
8.8. 7 Support
8.8.1. Resources
8.8.2. Competence
8.8.2.1. Determine the competence needed by people doing work under the organization's control, and keep evidence of it
8.8.3. Awareness
8.8.3.1. Security awareness for people working
8.8.4. Communication
8.8.4.1. Determine need for internal and external communications
8.8.5. Documented information
8.8.5.1. Create, update and control the documented information the ISMS requires
8.9. 8 Operation
8.9.1. Operational planning and control
8.9.1.1. Plan, implement and control the required processes
8.9.2. Information security risk assessment
8.9.2.1. Perform risk assessments at planned intervals or after significant changes
8.9.3. Information security risk treatment
8.9.3.1. Implement risk treatment plan
8.10. 9 Performance Evaluation
8.10.1. Monitoring, measurement, analysis and evaluation
8.10.1.1. Evaluate performance and effectiveness of ISMS
8.10.2. Internal audit
8.10.2.1. Conduct internal audits at planned intervals
8.10.3. Management review
8.10.3.1. Review of ISMS by management at regular intervals
8.11. 10 Improvement
8.11.1. Nonconformity and corrective action
8.11.1.1. Actions for nonconformity
8.11.2. Continual improvement
8.11.2.1. Continually improve ISMS
8.12. Annex A
8.12.1. A5 Information security policies
8.12.1.1. A5.1 Management direction for information security
8.12.2. A6 Organization of information security
8.12.2.1. A6.1 Internal organization
8.12.2.2. A6.2 Mobile devices and teleworking
8.12.3. A7 Human resource security
8.12.3.1. A7.1 Prior to employment
8.12.3.2. A7.2 During employment
8.12.3.3. A7.3 Termination and change of employment
8.12.4. A8 Asset management
8.12.4.1. A8.1 Responsibility for assets
8.12.4.2. A8.2 Information classification
8.12.4.3. A8.3 Media handling
8.12.5. A9 Access control
8.12.5.1. A9.1 Business requirements of access control
8.12.5.2. A9.2 User access management
8.12.5.3. A9.3 User responsibilities
8.12.5.4. A9.4 System and application access control
8.12.6. A10 Cryptography
8.12.6.1. A10.1 Cryptographic controls
8.12.7. A11 Physical and environmental security
8.12.7.1. A11.1 Secure areas
8.12.7.2. A11.2 Equipment
8.12.8. A12 Operations security
8.12.8.1. A12.1 Operational procedures and responsibilities
8.12.8.2. A12.2 Protection from malware
8.12.8.3. A12.3 Backup
8.12.8.4. A12.4 Logging and monitoring
8.12.8.5. A12.5 Control of operational software
8.12.8.6. A12.6 Technical vulnerability management
8.12.8.7. A12.7 Information systems audit considerations
8.12.9. A13 Communications security
8.12.9.1. A13.1 Network security management
8.12.9.2. A13.2 Information transfer
8.12.10. A14 System acquisition, development and maintenance
8.12.10.1. A14.1 Security requirements of information systems
8.12.10.2. A14.2 Security in development and support processes
8.12.10.3. A14.3 Test data
8.12.11. A15 Supplier relationships
8.12.11.1. A15.1 Information security in supplier relationships
8.12.11.2. A15.2 Supplier service delivery management
8.12.12. A16 Incident management
8.12.12.1. A16.1 Management of information security incidents and improvements
8.12.13. A17 Information security aspects of business continuity management
8.12.13.1. A17.1 Information security continuity
8.12.13.2. A17.2 Redundancies
8.12.14. A18 Compliance
8.12.14.1. A18.1 Compliance with legal and contractual requirements
8.12.14.2. A18.2 Information security reviews
9. General information
9.1. ISO 27001 specifies the requirements for an Information Security Management System (NOT an Information Technology Security Management System); it is the certifiable standard, while the guidelines / best practices for the controls are in ISO 27002
9.1.1. Simply put, the ISMS has a business context, not just a technology context
9.2. Requirements
9.2.1. Context of Organization
9.2.2. Leadership
9.2.3. Planning
9.2.4. Support
9.2.5. Operation
9.2.6. Performance Evaluation
9.2.7. Improvement
9.3. Controls
9.3.1. 2005 version
9.3.1.1. 11 control sections
9.3.1.2. 133 Controls
9.3.2. 2013 version
9.3.2.1. 14 control sections
9.3.2.2. 114 Controls
9.4. The 2005 version is explicitly based on the PDCA cycle; the 2013 version no longer mandates PDCA (any continual improvement model is acceptable), but its clauses still map onto it
9.4.1. Plan
9.4.1.1. Establish the ISMS
9.4.2. Do
9.4.2.1. Implement and operate the ISMS
9.4.3. Check
9.4.3.1. Monitor and review the ISMS
9.4.4. Act
9.4.4.1. Maintain and improve the ISMS
10. Implementation Process
10.1. 1. Management Support
10.1.1. Obtain management interest
10.1.2. Clarify organization’s priorities
10.1.3. Define security objectives
10.1.4. Create business case and project plan
10.1.5. Identify roles and responsibilities
10.1.6. Get approval from the management
10.2. 2. Scoping
10.2.1. Define organizational scope
10.2.2. Define physical scope
10.2.3. Define technology scope
10.3. 3. Create Inventory Lists
10.3.1. Identify assets
10.3.2. Identify asset owner and information classification
10.4. 4. Perform Gap Analysis
10.4.1. Conduct external assessments
10.4.1.1. technology perimeter assessment
10.4.1.2. physical security assessment
10.4.2. Conduct internal assessments
10.4.2.1. assessment of critical applications
10.4.3. Review departmental processes
10.4.3.1. interview department head
10.4.3.2. interview mid-level employee in the department
10.4.3.3. analyse process and practices
10.5. 5. Perform Risk Assessment
10.5.1. Create a risk treatment policy
10.5.2. Define a risk calculation procedure
10.5.3. Calculate the risk
10.5.4. Identify the treatment for each identified risk (avoid / reduce with controls / transfer or share / accept) and the controls needed to reduce it
10.6. 6. Create SOA
10.6.1. Select the relevant controls from the standard
10.6.2. Create a document with the objectives/exceptions for the selected controls
10.7. 7. Create RTP
10.7.1. Create a risk treatment plan
10.7.2. Obtain management approval
10.8. 8. Create ISMS (Policies, Procedures, Training and Reports)
10.8.1. Create security policy
10.8.2. Create all referenced individual policies
10.8.3. Create procedure documents
10.8.4. Publish the policies
10.8.5. Conduct awareness training
10.9. 9. Management Review / Internal Audit
10.9.1. Review all documentation
10.9.2. Review SOA, RTP and policies
10.9.3. Review controls
10.9.4. Measure effectiveness
10.10. 10. Pre-Certification Audit
10.10.1. Conduct a mock audit
10.10.2. Identify all NCs
10.10.3. Take relevant actions to close identified NCs
10.11. 11. Certification Audit
10.11.1. Identify and contact an accredited certification body for the audit
11. Pre-certification audit
11.1. Simulation of an actual audit
11.2. Identify any NCs
11.3. Take necessary actions to close any identified NCs
12. Certification
12.1. Phase 1
12.1.1. Document review
12.1.2. Typically 1 day (depends on the size of the organization and the scope)
12.1.3. Mandatory
12.2. Phase 2
12.2.1. Control review
12.2.2. Multi-day based on scope
12.2.3. Mandatory
13. Risk Management
13.1. Risk Management Policy
13.2. Risk Assessment Procedure
13.2.1. Procedure for Risk Calculation
13.3. Risk Assessment Document
13.4. RTP
13.4.1. Risk Treatment Plan
14. Policies and Procedures
14.1. Security Policy
14.1.1. Obtain management objectives
14.1.2. Create the policy
14.1.3. Reference the individual policies
14.1.4. Obtain management approval
14.2. Referenced Policies
14.2.1. Acceptable Use Policy
14.2.2. Email Use Policy
14.2.3. Internet Use Policy
14.2.4. Mobile Use Policy
14.2.5. Wireless Security Policy
14.2.6. Incident Handling Policy
14.2.7. Change Management Policy
14.2.8. ...
14.3. Procedures
14.3.1. Define procedure to implement each policy
15. Scope
15.1. Organization Scope
15.1.1. Organizational units: department, service project, subsidiary, etc.
15.1.2. Organizational structures and responsibilities of managers
15.1.3. Business processes: sales management, procurement, hiring, etc.
15.2. Physical Scope
15.2.1. All physical locations, both internal and external, that are included in the ISMS should be considered.
15.2.2. Identify area (data centre/server rooms/specific area)
15.2.3. In the case of outsourced physical sites, the interfaces with the ISMS and the applicable service agreements have to be considered.
15.3. Information Systems Scope
15.3.1. Networks: internal networks, wireless networks, etc.
15.3.2. Operating Systems: Windows, Linux, etc.
15.3.3. Applications: CRM, payroll, ERP, utilities, databases, etc.
15.3.4. Data: customer records, medical data, research and development, etc.
15.3.5. Processes: Consider processes that transport, store or process information.
15.3.6. Telecommunications equipment: routers, firewalls, etc.
15.4. Any change in scope must be evaluated, approved and documented!
16. Mandatory Documents
16.1. Leadership
16.1.1. Minutes / records of management review meetings
16.1.2. Review Plans
16.1.3. Action Reports
16.2. ISMS Related
16.2.1. Scope Statement
16.2.2. Roles and Responsibilities Document
16.2.3. Statement of Applicability (SoA)
16.2.4. Security Metrics
16.3. Policies
16.3.1. Security Policy
16.3.2. Individual Policies
16.3.3. Procedure Documents
16.4. Risk Management
16.4.1. Risk Management Policy
16.4.2. Risk Assessment Procedure
16.4.3. Risk Assessment Document
16.4.4. Risk Treatment Plan
16.5. Security Awareness Training
16.5.1. Training Records
16.5.2. Training Material
16.5.3. Metrics
16.6. Other Documents
16.6.1. Operating Procedures
16.6.2. Document Control Procedure
16.6.3. Record Control Procedure
16.6.4. Corrective Action Procedure
16.6.5. Preventive Action Procedure (2005 version only; the 2013 version drops preventive action in favour of addressing risks and opportunities under clause 6.1)
17. Statement of Applicability (SOA)
17.1. Statement of Applicability
17.2. Records which Annex A controls the organization has selected to implement, and which it has excluded
17.2.1. Document listing the applicable controls together with their objectives and implementation status
17.3. ISO 27001 does not specify the form of the statement of applicability.
17.3.1. It only requires a list of the Annex A controls, whether each is selected or excluded, the justification for each choice, and whether the selected controls are implemented.
17.3.2. Any additional controls put in place beyond Annex A must also appear in the statement of applicability.
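The risk calculation, treatment decision, Risk Treatment Plan (steps 5-7 of the implementation process and section 13) and the Statement of Applicability (section 17) are usually built from one risk register. The following is an added worked example and is not part of the original mind map or of the standard: the 5-point likelihood x 5-point impact scoring, the acceptance threshold of 6, the treatment decision order, the sample assets/threats and the extra control "WAF-01" are all assumptions (ISO 27001 leaves the risk method to the organization); only the Annex A identifiers and titles are taken from ISO/IEC 27001:2013.

```python
"""Worked ISMS risk assessment: score risks, choose a treatment, and derive
Risk Treatment Plan (RTP) rows and Statement of Applicability (SoA) entries.

Added example, not from the standard. Scoring scheme, threshold, sample
register and the non-Annex A control "WAF-01" are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

SCALE = range(1, 6)        # assumption: 1..5 for both likelihood and impact
ACCEPT_THRESHOLD = 6       # assumption: score <= 6 is accepted without treatment

# Subset of ISO/IEC 27001:2013 Annex A used by the sample register.
ANNEX_A = {
    "A.6.2.1": "Mobile device policy",
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.2.1": "Controls against malware",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.13.1.1": "Network controls",
    "A.14.2.5": "Secure system engineering principles",
}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: List[str]         # controls that would reduce this risk
    transferable: bool = False  # a third party (insurer, supplier) can carry it

    def score(self) -> int:
        """Risk = likelihood x impact; reject values outside the agreed scale."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact


def treatment_for(risk: Risk) -> str:
    """Treatment decision. Order matters: an acceptable score needs nothing;
    otherwise reduce if controls exist, transfer if possible, else avoid."""
    if risk.score() <= ACCEPT_THRESHOLD:
        return "accept"
    if risk.controls:
        return "reduce"
    if risk.transferable:
        return "transfer"
    return "avoid"


def build_rtp(risks: List[Risk]) -> List[dict]:
    """RTP: one row per risk that is not simply accepted, highest score first."""
    rows = [
        {"risk": r.rid, "asset": r.asset, "score": r.score(),
         "treatment": treatment_for(r), "controls": list(r.controls)}
        for r in risks if treatment_for(r) != "accept"
    ]
    rows.sort(key=lambda row: row["score"], reverse=True)  # stable sort
    return rows


def build_soa(risks: List[Risk]) -> Dict[str, dict]:
    """SoA: every Annex A control, selected or excluded, with a justification,
    plus any additional control that a treatment relies on."""
    selected_by: Dict[str, List[str]] = {}
    for r in risks:
        if treatment_for(r) == "reduce":
            for cid in r.controls:
                selected_by.setdefault(cid, []).append(r.rid)
    soa: Dict[str, dict] = {}
    for cid, title in ANNEX_A.items():
        if cid in selected_by:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats " + ", ".join(selected_by[cid])}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "no identified risk requires it"}
    for cid, rids in selected_by.items():
        if cid not in ANNEX_A:  # additional control must still be listed
            soa[cid] = {"title": "additional control (not in Annex A)",
                        "applicable": True,
                        "justification": "treats " + ", ".join(rids)}
    return soa


# Constructed sample register (hypothetical assets, threats and scores).
SAMPLE_REGISTER = [
    Risk("R1", "Customer database", "SQL injection via web front end", 4, 5,
         ["A.14.2.5", "A.12.6.1", "WAF-01"]),
    Risk("R2", "Staff laptops", "Theft of unencrypted laptop", 3, 4,
         ["A.10.1.1", "A.6.2.1"]),
    Risk("R3", "Marketing website", "Defacement", 2, 2, ["A.12.2.1"]),
    Risk("R4", "Payroll SaaS", "Provider outage", 2, 4, [], transferable=True),
    Risk("R5", "Legacy FTP server", "Credential sniffing", 4, 3, []),
]

if __name__ == "__main__":
    for row in build_rtp(SAMPLE_REGISTER):
        print(row)
    for cid, entry in build_soa(SAMPLE_REGISTER).items():
        print(cid, entry)
```

Note that the SoA keeps A.12.2.1 even though the only risk it would treat (R3) is accepted: an auditor expects to see the control listed as excluded with the reason, not silently dropped, and the non-Annex A control WAF-01 appears because the treatment of R1 depends on it.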