ISO 27001:2013 by Mind Map: ISO 27001:2013

1. Gap Analysis

1.1. Gap analysis of the current management system's compliance and effectiveness against the requirements of the standard; document each gap found

1.2. Gap analysis is a technique for determining the steps needed to move from the current state to a desired future state. It answers three questions:

1.2.1. What is our current situation?

1.2.2. What is the target?

1.2.3. What is the difference between current and target?

1.3. Inventory List

1.3.1. Asset Register

1.3.2. Information Classification

1.4. Department Process and Procedures

1.4.1. Interviews of Employees

1.4.2. Analysis of Process and Procedures

1.5. Internal

1.5.1. Internal VA/PT Tests

1.5.2. Internal Application Assessments

1.6. External

1.6.1. External PT / Perimeter Tests

1.6.2. Physical Security Assessments

1.6.3. Social Engineering Attacks

2. History

2.1. 1992

2.1.1. Industry code of good practice (September), initially published as a British Standards Institution (BSI) publication;

2.1.2. This guide was the basis for the British Standard: BS 7799-1

2.2. 1995

2.2.1. Release of BS 7799-1

2.3. 1998

2.3.1. Release of the ISMS certification model (Published as BS 7799-2:1998)

2.4. 1999

2.4.1. Revision of BS 7799-1 as BS 7799-1:1999 (updates and addition of new security controls)

2.4.2. Release of BS 7799-2:1999

2.5. 2000

2.5.1. Release of ISO 17799

2.6. 2002

2.6.1. Release of BS 7799-2:2002

2.7. 2005

2.7.1. Publication of the new version of ISO 17799:2005

2.7.2. Release of ISO 27001:2005, which replaces BS7799-2

2.8. 2007

2.8.1. Release of ISO 27002:2005 replacing ISO 17799:2005 (No change in the content, just identification number)

2.8.2. Release of ISO 27006:2007

2.9. 2008

2.9.1. Release of ISO 27005:2008

2.9.2. Release of ISO 27011:2008

2.10. 2009

2.10.1. Release of ISO 27000:2009

2.10.2. Release of ISO 27004:2009

2.10.3. Release of ISO 27033-1:2009

2.11. 2010

2.11.1. Release of ISO 27003:2010

2.11.2. Release of ISO 27033-3:2010

2.12. 2011

2.12.1. Release of ISO 27005:2011

2.12.2. Release of ISO 27006:2011

2.12.3. Release of ISO 27007:2011

2.12.4. Release of ISO 27008:2011

2.13. 2013

2.13.1. Revised version of ISO 27001 (ISO/IEC 27001:2013), published together with the revised ISO/IEC 27002:2013

3. ISO 27001:2013 Sections

3.1. 0 Introduction

3.2. 1 Scope

3.3. 2 Normative references

3.4. 3 Terms and definitions

3.5. 4 Context of the Organization

3.5.1. Understanding the organization and its context

3.5.2. Understanding the needs and expectations of interested parties

3.5.3. Determining the scope of the ISMS

3.5.4. Information security management system

3.5.4.1. ISMS maintenance

3.6. 5 Leadership (top management)

3.6.1. Leadership and commitment

3.6.2. Policy

3.6.2.1. Security policy

3.6.3. Organizational roles, responsibilities and authorities

3.7. 6 Planning

3.7.1. Actions to address risks and opportunities (6.1, including the risk assessment and risk treatment process and the Statement of Applicability)

3.7.2. Information security objectives and planning to achieve them (6.2)

3.8. 7 Support

3.8.1. Resources

3.8.2. Competence

3.8.2.1. Determine the necessary competence of people doing work under the ISMS's control, and keep evidence of it

3.8.3. Awareness

3.8.3.1. Security awareness for people working

3.8.4. Communication

3.8.4.1. Determine need for internal and external communications

3.8.5. Documented information

3.8.5.1. Create, control and publish the necessary documented information (the 2013 edition no longer distinguishes "documents" from "records")

3.9. 8 Operation

3.9.1. Operational planning and control

3.9.1.1. Plan, implement and control the required processes

3.9.2. Information security risk assessment

3.9.2.1. Perform risk assessments at planned intervals or after significant changes

3.9.3. Information security risk treatment

3.9.3.1. Implement risk treatment plan

3.10. 9 Performance Evaluation

3.10.1. Monitoring, measurement, analysis and evaluation

3.10.1.1. Evaluate performance and effectiveness of ISMS

3.10.2. Internal audit

3.10.2.1. Conduct internal audits at planned intervals

3.10.3. Management review

3.10.3.1. Review of ISMS by management at regular intervals

3.11. 10 Improvement

3.11.1. Nonconformity and corrective action

3.11.1.1. Actions for nonconformity

3.11.2. Continual improvement

3.11.2.1. Continually improve ISMS

3.12. Annex A

3.12.1. A5 Information security policies

3.12.1.1. A5.1 Management direction for information security

3.12.2. A6 Organization of information security

3.12.2.1. A6.1 Internal organization

3.12.2.2. A6.2 Mobile devices and teleworking

3.12.3. A7 Human resource security

3.12.3.1. A7.1 Prior to employment

3.12.3.2. A7.2 During employment

3.12.3.3. A7.3 Termination and change of employment

3.12.4. A8 Asset management

3.12.4.1. A8.1 Responsibility for assets

3.12.4.2. A8.2 Information classification

3.12.4.3. A8.3 Media handling

3.12.5. A9 Access control

3.12.5.1. A9.1 Business requirements of access control

3.12.5.2. A9.2 User access management

3.12.5.3. A9.3 User responsibilities

3.12.5.4. A9.4 System and application access control

3.12.6. A10 Cryptography

3.12.6.1. A10.1 Cryptographic controls

3.12.7. A11 Physical and environmental security

3.12.7.1. A11.1 Secure areas

3.12.7.2. A11.2 Equipment

3.12.8. A12 Operations security

3.12.8.1. A12.1 Operational procedures and responsibilities

3.12.8.2. A12.2 Protection from malware

3.12.8.3. A12.3 Backup

3.12.8.4. A12.4 Logging and monitoring

3.12.8.5. A12.5 Control of operational software

3.12.8.6. A12.6 Technical vulnerability management

3.12.8.7. A12.7 Information systems audit considerations

3.12.9. A13 Communications security

3.12.9.1. A13.1 Network security management

3.12.9.2. A13.2 Information transfer

3.12.10. A14 System acquisition, development and maintenance

3.12.10.1. A14.1 Security requirements of information systems

3.12.10.2. A14.2 Security in development and support processes

3.12.10.3. A14.3 Test data

3.12.11. A15 Supplier relationships

3.12.11.1. A15.1 Information security in supplier relationships

3.12.11.2. A15.2 Supplier service delivery management

3.12.12. A16 Information security incident management

3.12.12.1. A16.1 Management of information security incidents and improvements

3.12.13. A17 Information security aspects of business continuity management

3.12.13.1. A17.1 Information security continuity

3.12.13.2. A17.2 Redundancies

3.12.14. A18 Compliance

3.12.14.1. A18.1 Compliance with legal and contractual requirements

3.12.14.2. A18.2 Information security reviews

4. General information

4.1. ISO 27001 specifies the requirements for an Information Security Management System (NOT an Information Technology Security Management System); it is the certifiable standard, while the guidance / best-practice material lives in ISO 27002 and the rest of the 27000 family

4.1.1. Simply put, an ISMS has a business context, not just a technology context

4.2. Requirements

4.2.1. Context of Organization

4.2.2. Leadership

4.2.3. Planning

4.2.4. Support

4.2.5. Operation

4.2.6. Performance Evaluation

4.2.7. Improvement

4.3. Controls

4.3.1. 2005 version

4.3.1.1. 11 control sections

4.3.1.2. 133 Controls

4.3.2. 2013 version

4.3.2.1. 14 control sections

4.3.2.2. 114 Controls

4.4. Is based on the PDCA cycle (the 2005 edition mandated PDCA explicitly; the 2013 edition, following the Annex SL structure, no longer names it, but clauses 4-10 still map onto Plan, Do, Check, Act)

4.4.1. Plan

4.4.1.1. Establish the ISMS

4.4.2. Do

4.4.2.1. Implement and operate the ISMS

4.4.3. Check

4.4.3.1. Monitor and review the ISMS

4.4.4. Act

4.4.4.1. Maintain and improve the ISMS

5. Implementation Process

5.1. 1. Management Support

5.1.1. Obtain management interest

5.1.2. Clarify organization’s priorities

5.1.3. Define security objectives

5.1.4. Create business case and project plan

5.1.5. Identify roles and responsibilities

5.1.6. Get approval from the management

5.2. 2. Scoping

5.2.1. Define organizational scope

5.2.2. Define physical scope

5.2.3. Define technology scope

5.3. 3. Create Inventory Lists

5.3.1. Identify assets

5.3.2. Identify asset owner and information classification

5.4. 4. Perform Gap Analysis

5.4.1. Conduct external assessments

5.4.1.1. technology perimeter assessment

5.4.1.2. physical security assessment

5.4.2. Conduct internal assessments

5.4.2.1. assessment of critical applications

5.4.3. Review departmental processes

5.4.3.1. interview department head

5.4.3.2. interview mid-level employee in the department

5.4.3.3. analyse process and practices

5.5. 5. Perform Risk Assessment

5.5.1. Create a risk treatment policy

5.5.2. Define a risk calculation procedure

5.5.3. Calculate the risk

5.5.4. Select a treatment option for each risk (modify/reduce with controls, retain/accept, avoid, or share/transfer) and identify the controls needed for the risks that are to be modified

5.6. 6. Create SOA

5.6.1. Select the relevant controls from the standard

5.6.2. Create a document listing every control with its objective, the justification for including each selected control, and the justification for excluding the rest

5.7. 7. Create RTP

5.7.1. Create a risk treatment plan

5.7.2. Obtain management approval

5.8. 8. Create ISMS (Policies, Procedures, Training and Reports)

5.8.1. Create security policy

5.8.2. Create all referenced individual policies

5.8.3. Create procedure documents

5.8.4. Publish the policies

5.8.5. Conduct awareness training

5.9. 9. Management Review / Internal Audit

5.9.1. Review all documentation

5.9.2. Review SOA, RTP and policies

5.9.3. Review controls

5.9.4. Measure effectiveness

5.10. 10. Pre-Certification Audit

5.10.1. Conduct a mock audit

5.10.2. Identify all nonconformities (NCs)

5.10.3. Take relevant actions to close identified NCs

5.11. 11. Certification Audit

5.11.1. Identify and contact an accredited certification body for the audit

6. References / Publications

6.1. Guide to Implementing and Auditing of ISMS Controls

6.1.1. http://shop.bsigroup.com/ProductDetail/?pid=000000000030282631

6.2. How to Achieve 27001 Certification: An Example of Applied Compliance Management

6.2.1. http://www.amazon.com/How-Achieve-27001-Certification-Compliance/dp/0849336481/

7. 3rd party software / toolkits

7.1. ISO27k Forum

7.1.1. ISO27k Toolkit

7.1.1.1. http://www.iso27001security.com/html/iso27k_toolkit.html

7.2. SANS

7.2.1. ISO 17799 Checklist

7.2.1.1. http://www.sans.org/score/checklists/ISO_17799_2005.doc

7.2.2. SANS Security Policy Project

7.2.2.1. http://www.sans.org/security-resources/policies/

7.3. SerNet

7.3.1. Verinice

7.3.1.1. http://www.verinice.org/en/

7.4. PTA

7.4.1. Practical Threat Analysis

7.4.1.1. http://www.ptatechnologies.com

8. Related ISO Standards

8.1. ISO 27002

8.1.1. Code of practice for information security controls

8.1.2. Generic guidance document

8.1.3. ISO 27011

8.1.3.1. Guidelines for telecommunications companies

8.1.4. ISO 27015

8.1.4.1. Guidelines for financial services

8.1.5. ISO 27019

8.1.5.1. Guidelines for energy utility companies

8.1.6. ISO 27799

8.1.6.1. Guidelines for healthcare companies

8.2. ISO 27003

8.2.1. Guidance on ISMS implementation

8.3. ISO 27004

8.3.1. Security metrics for measuring effectiveness

8.4. ISO 27005

8.4.1. Information security risk management

8.5. ISO 27006

8.5.1. Requirements for bodies providing audit and certification of ISMSs

8.6. ISO 27007

8.6.1. Guidelines for ISMS auditing (management system)

8.7. ISO 27008

8.7.1. Guidelines for ISMS auditing (controls)

8.8. ISO 27010

8.8.1. Guidelines on inter-organisation communications

8.9. ISO 27013

8.9.1. Guidelines on integrating ISO 27001 and ISO 20000

8.10. ISO 27014

8.10.1. Guidelines for governance of information security

8.11. ISO 27031

8.11.1. Guidelines for business continuity (ICT)

8.12. ISO 27032

8.12.1. Guidelines for cybersecurity

8.13. ISO 27033

8.13.1. Guidelines for network security

8.14. ISO 27034

8.14.1. Guidelines for application security

8.15. ISO 27035

8.15.1. Guidelines for incident management

8.16. ISO 22301

8.16.1. Business Continuity Management standard

8.16.2. Supersedes BS 25999-2, the British Standard on which it was largely based (BS 25999 was a BSI standard, not an ISO one)

8.17. ISO 31000

8.17.1. Risk management - Principles and guidelines

9. Pre-certification audit

9.1. Simulation of an actual audit

9.2. Identify any NCs

9.3. Take necessary actions to close any identified NCs

10. Certification

10.1. Stage 1

10.1.1. Document review (is the ISMS designed and documented well enough to proceed?)

10.1.2. Around 1 day

10.1.3. Mandatory

10.2. Stage 2

10.2.1. Control review (are the controls in the SoA actually implemented and effective?)

10.2.2. Multi-day, based on scope

10.2.3. Mandatory

11. Risk Management

11.1. Risk Management Policy

11.2. Risk Assessment Procedure

11.2.1. Procedure for Risk Calculation

11.3. Risk Assessment Document

11.4. RTP

11.4.1. Risk Treatment Plan

12. Policies and Procedures

12.1. Security Policy

12.1.1. Obtain management objectives

12.1.2. Create the policy

12.1.3. Reference the individual policies

12.1.4. Obtain management approval

12.2. Referenced Policies

12.2.1. Acceptable Use Policy

12.2.2. Email Use Policy

12.2.3. Internet Use Policy

12.2.4. Mobile Use Policy

12.2.5. Wireless Security Policy

12.2.6. Incident Handling Policy

12.2.7. Change Management Policy

12.2.8. ...

12.3. Procedures

12.3.1. Define procedure to implement each policy

13. Scope

13.1. Organization Scope

13.1.1. Organizational units: department, service project, subsidiary, etc.

13.1.2. Organizational structures and responsibilities of managers

13.1.3. Business processes: sales management, procurement, hiring, etc.

13.2. Physical Scope

13.2.1. All physical locations, both internal and external, that are included in the ISMS should be considered.

13.2.2. Identify area (data centre/server rooms/specific area)

13.2.3. In the case of outsourced physical sites, the interfaces with the ISMS and the applicable service agreements have to be considered.

13.3. Information Systems Scope

13.3.1. Networks: internal networks, wireless networks, etc.

13.3.2. Operating Systems: Windows, Linux, etc.

13.3.3. Applications: CRM, payroll, ERP, utilities, databases, etc.

13.3.4. Data: customer records, medical data, research and development, etc.

13.3.5. Processes: Consider processes that transport, store or process information.

13.3.6. Telecommunications equipment: routers, firewalls, etc.

13.4. Any change in scope must be evaluated, approved and documented!

14. Mandatory Documents

14.1. Leadership

14.1.1. Logs of Management Review Meetings

14.1.2. Review Plans

14.1.3. Action Reports

14.2. ISMS Related

14.2.1. Scope Statement

14.2.2. Roles and Responsibilities Document

14.2.3. Statement of Applicability (SoA)

14.2.4. Security Metrics

14.3. Policies

14.3.1. Security Policy

14.3.2. Individual Policies

14.3.3. Procedure Documents

14.4. Risk Management

14.4.1. Risk Management Policy

14.4.2. Risk Assessment Procedure

14.4.3. Risk Assessment Document

14.4.4. Risk Treatment Plan

14.5. Security Awareness Training

14.5.1. Training Records

14.5.2. Training Material

14.5.3. Metrics

14.6. Other Documents

14.6.1. Operating Procedures

14.6.2. Document Control Procedure

14.6.3. Record Control Procedure

14.6.4. Corrective Action Procedure

14.6.5. Preventive Action Procedure (required by the 2005 edition only; the 2013 edition folds prevention into the risks-and-opportunities planning of clause 6.1)

15. Statement of Applicability (SOA)


15.2. Defines which controls from ISO 27001 you select to implement

15.2.1. Document listing the controls applicable along with their objective

15.3. ISO 27001 does not specify the form of the statement of applicability.

15.3.1. It simply requires listing all the controls, selected or not, the reasons for those choices, and the actions being implemented for the controls that are selected.

15.3.2. The additional controls put in place must also appear in the statement of applicability.

15.4. It is good practice to include in the statement of applicability, the title or function of the responsible person per control and the list of documents or records relating to it.
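A worked example of the risk calculation procedure (5.5, 11.2) feeding the Statement of Applicability (5.6, 15), added here and not part of the mind map or of the standard. ISO 27001 does not prescribe a scoring method, so the 1-5 likelihood and impact scales, the acceptance threshold, the Annex A subset, the sample risk register and the contractual obligation below are all assumptions made for the example.

```python
"""Risk calculation and Statement of Applicability (SoA) generation.

Added example, not from the mind map or from ISO. ISO 27001 does not
prescribe a scoring method; the 1-5 scales, the acceptance threshold,
the Annex A subset and the sample risks below are all assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed ordinal scales (the standard only requires a repeatable method).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 9          # assumed risk acceptance criterion: score > 9 must be treated
TREATMENT_OPTIONS = {"modify", "retain", "avoid", "share"}   # ISO 27005 terminology

# Constructed subset of Annex A control titles used by the sample risks.
ANNEX_A = {
    "A.6.2.2": "Teleworking",
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.14.2.8": "System security testing",
}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT
    owner: str                 # risk owner, recorded in the risk register
    controls: list[str]        # Annex A controls proposed in the treatment plan
    treatment: str = "modify"  # option applied only if the risk exceeds the threshold

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"unknown treatment option: {self.treatment}")
        unknown = set(self.controls) - set(ANNEX_A)
        if unknown:
            raise ValueError(f"controls not in the Annex A table: {sorted(unknown)}")

    @property
    def score(self) -> int:
        """Risk level = likelihood x impact on the assumed scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def assess(risks: list[Risk]) -> list[tuple[Risk, str]]:
    """Apply the acceptance criterion; return (risk, decision) sorted by descending score.

    A risk at or below the threshold is retained (accepted) whatever option
    was proposed for it; only risks above the threshold get that option.
    """
    decided = [(r, r.treatment if r.score > ACCEPTANCE_THRESHOLD else "retain") for r in risks]
    return sorted(decided, key=lambda pair: pair[0].score, reverse=True)


def build_soa(decisions, mandated=None, implemented=()):
    """Produce SoA rows: every Annex A control, applicable or not, with a justification.

    A control is applicable when a treated risk selects it or an external
    obligation (legal/contractual) mandates it; otherwise it is excluded with
    a recorded reason, which is what clause 6.1.3 d) asks for.
    """
    mandated = mandated or {}
    soa = {}
    for ctrl, title in ANNEX_A.items():
        drivers = [f"{r.asset}: {r.threat}" for r, decision in decisions
                   if decision != "retain" and ctrl in r.controls]
        if drivers:
            applicable, why = True, "risk treatment for " + "; ".join(drivers)
        elif ctrl in mandated:
            applicable, why = True, mandated[ctrl]
        else:
            applicable, why = False, "no assessed risk or obligation requires this control"
        soa[ctrl] = {"title": title, "applicable": applicable,
                     "implemented": applicable and ctrl in implemented, "justification": why}
    return soa


# Constructed sample risk register (not real data).
SAMPLE_RISKS = [
    Risk("customer database", "credential theft", "shared admin accounts",
         "likely", "major", "Head of IT Ops", ["A.9.2.3"]),
    Risk("payroll server", "ransomware", "OS patches months behind",
         "possible", "severe", "HR Systems Lead", ["A.12.6.1", "A.12.3.1"]),
    Risk("public web app", "SQL injection", "no security testing before release",
         "likely", "moderate", "Product Owner", ["A.14.2.8"], treatment="share"),
    Risk("staff laptops", "theft", "disks not encrypted",
         "possible", "moderate", "IT Support Lead", ["A.10.1.1"]),
]
# Assumed external driver: a control can be applicable without a risk selecting it.
SAMPLE_MANDATED = {"A.10.1.1": "contractual: customer MSA requires encryption at rest (assumed)"}

if __name__ == "__main__":
    decisions = assess(SAMPLE_RISKS)
    for risk, decision in decisions:
        print(f"{risk.score:>2}  {decision:<7} {risk.asset} / {risk.threat}  (owner: {risk.owner})")
    for ctrl, row in build_soa(decisions, SAMPLE_MANDATED, implemented={"A.12.3.1"}).items():
        flag = "YES" if row["applicable"] else "no "
        print(f"{ctrl:<9} {flag}  {row['title']:<45} {row['justification']}")
```

Two points the listing makes that the outline does not: the laptop-theft risk scores exactly at the threshold and is retained, yet A.10.1.1 still lands in the SoA because a contractual obligation selects it, so the SoA must be driven by obligations as well as by the risk treatment plan; and every excluded control carries a written reason, which is what an auditor checks at Stage 1. Replace the scales and threshold with the ones your risk assessment procedure actually defines.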

16. This freeware, non-commercial mind map was carefully hand crafted with passion and love for learning and constant improvement... (please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

16.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com

16.1.1. http://www.miroslawdabrowski.com

16.1.2. http://www.linkedin.com/in/miroslawdabrowski

16.1.3. https://www.google.com/+MiroslawDabrowski

16.1.4. https://play.spotify.com/user/miroslawdabrowski/

16.1.5. https://twitter.com/mirodabrowski

16.1.6. miroslaw_dabrowski

17. White Papers

17.1. Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

17.1.1. http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf