ISO 27001: An Introduction To Information, Network and Internet Security

Contents

Initial review questions

What is 'Information Security'?
    Introduction to information security mechanisms
    Information security standards
        ISO 27002
        ISO 27001 (formerly BS 7799 Part 2)

The 'Information Security Management System' (ISMS)
    Overview
    Organisation decides to implement ISO 27001
    Management commitment, assign project responsibilities
    Define the information security policy
    Define the scope of the ISMS
    Perform the risk assessment (RA) for the scope of the ISMS
    Decide how to manage the risks identified
    Select objectives and controls to be implemented
    Implement controls
    Undergo certification
    Reviewing the management system
    Improving the ISMS
        Corrective action
        Preventive action
    Things to watch
        Commitment
        Information security policy
        Scope of the ISMS
        The risk assessment process
        Selection of controls / the SoA
        Implementing controls
        The audit process

The process of risk assessment and risk management
    Introduction to risk
    Introduction to risk management
    The risk management process
        The generic ISO risk process
        Risk analysis
        Risk evaluation
        Risk treatment
        Monitoring and review of the risk management process
        Risk reporting and communication
        Risk policy, roles and responsibilities
    Quantitative risk assessment
        Problems with the quantitative approach
    Qualitative risk assessment
    Comparing the two approaches
    Risk management standards
    Risk assessment methodology based on AS/NZS 4360
    The risk register
    Benefits of good risk management
    Risk mitigation
    Risk financing
    Risk acceptance
    Risk transfer: the concept of insurance
        Types of insurance
        Self-insurance
        Problems with insurance
    Risk management tools
        Overview
        Business processes
        Modelling risk in a business manner
        Choosing the correct tool

ISO 27002 - Code of Practice for Information Security Management
    Commentary
    Things to watch

ISO 27002 Clause 5: Security policy
    Information security policy
    Commentary
    Security policy checklist
    Things to watch

ISO 27002 Clause 6: Organisation of information security
    Internal organisation
    External parties
    Commentary
    Things to watch

ISO 27002 Clause 7: Asset management
    Information classification
    Commentary
    Things to watch

ISO 27002 Clause 8: Human resources security
    Prior to employment
    During employment
    Termination or change of employment
    Commentary
    Things to watch

ISO 27002 Clause 9: Physical and environmental security
    Secure areas
    Equipment security
    Commentary
    Things to watch

ISO 27002 Clause 10: Communications and operations management
    Operational procedures and responsibilities
    Third party service delivery management
    System planning and acceptance
    Protection against malicious and mobile code
    Backup
    Network security management
    Media handling
    Exchange of information
    Electronic commerce services
    Monitoring
    Commentary
    Things to watch

ISO 27002 Clause 11: Access control
    Business requirement for access control
    User access management
    User responsibilities
    Network access control
    Operating system access control
    Application and information access control
    Mobile computing and teleworking
    Commentary
    Things to watch

ISO 27002 Clause 12: Information systems acquisition, development and maintenance
    Security requirements of systems
    Correct processing in applications
    Cryptographic controls
    Security of system files
    Security in development and support processes
    Technical vulnerability management
    Commentary
    Things to watch

ISO 27002 Clause 13: Information security incident management
    Reporting information security events and weaknesses
    Management of information security incidents and improvements
    Commentary
    Things to watch

ISO 27002 Clause 14: Business continuity management
    Aspects of business continuity management
    Commentary
    Things to watch

ISO 27002 Clause 15: Compliance
    Compliance with legal requirements
    Compliance with security policies and standards, and technical compliance
    Information systems audit considerations
    Commentary
    Things to watch

Certification
    Why does my organisation need certification?
    Accredited certification
    What does 'Accredited' mean?
    Different types of audit
    How does the certification scheme work?
    Six step certification process

Summary

Appendix A - References
Appendix B - Some examples of risks and their drivers
    Financial risks
    Operational risks
    Hazard risks
    Strategic risks
Appendix C - A sample risk register
Appendix D - Consequences
    Three by three
    Five by five
    Using a 5 layer impact matrix
Appendix E - Probability of occurrence
    Three by three - threats
    Three by three - opportunities
    Five by five
    Ten by ten
Appendix F - Risk ratings
    Risk reduction
Appendix G - Risk terms and definitions
Appendix H - Further reading

List of Figures
Glossary