Working in the Information Security field, you need to know about the ISMS and risk assessment (RA).
The ISO 27001 Perspective: An Introduction to Information Security
Contents
Initial review questions
What is 'Information Security'?
Introduction to information security mechanisms
Information security standards
ISO 27002
ISO 27001 (formerly BS 7799 Part 2)
The 'Information Security Management System' (ISMS)
Overview
Organisation decides to implement ISO 27001
Management commitment, assign project responsibilities
Define the information security policy
Define the scope of the ISMS
Perform the risk assessment (RA) for the scope of the ISMS
Decide how to manage the risks identified
Select objectives and controls to be implemented
Implement controls
Undergo certification
Reviewing the management system
Improving the ISMS
Corrective action
Preventive action
Things to watch
Commitment
Information security policy
Scope of the ISMS
The risk assessment process
Selection of controls / the SoA
Implementing controls
The audit process
The process of risk assessment and risk management
Introduction to risk
Introduction to risk management
The risk management process
The generic ISO risk process
Risk analysis
Risk Evaluation
Risk Treatment
Monitoring and review of the risk management process
Risk reporting and communication
Risk policy, roles and responsibilities
Quantitative risk assessment
Problems with the quantitative approach
Qualitative Risk Assessment
Comparing the Two Approaches
Risk management standards
Risk assessment methodology based on AS/NZS 4360
The risk register
Benefits of good risk management
Risk mitigation
Risk financing
Risk acceptance
Risk transfer: the concept of insurance
Types of insurance
Self-insurance
Problems with insurance
Risk management tools
Overview
Business processes
Modelling risk in a business manner
Choosing the correct tool
ISO27002 - Code of Practice for Information Security Management
Commentary
Things to watch
ISO 27002 Clause 5: Security policy
Information security policy
Commentary
Security policy checklist
Things to Watch
ISO 27002 Clause 6: Organisation of information security
Internal organisation
External parties
Commentary
Things to Watch
ISO 27002 Clause 7: Asset management
Information classification
Commentary
Things to Watch
ISO 27002 Clause 8: Human resources security
Prior to employment
During employment
Termination or change of employment
Commentary
Things to Watch
ISO 27002 Clause 9: Physical and environmental security
Secure areas
Equipment security
Commentary
Things to Watch
ISO 27002 Clause 10: Communications and operations management
Operational procedures and responsibilities
Third party service delivery management
System planning and acceptance
Protection against malicious and mobile code
Backup
Network security management
Media handling
Exchange of information
Electronic commerce services
Monitoring
Commentary
Things to watch
ISO 27002 Clause 11: Access control
Business requirement for access control
User access management
User responsibilities
Network access control
Operating system access control
Application and information access control
Mobile computing and teleworking
Commentary
Things to watch
ISO 27002 Clause 12: Information systems acquisition, development and maintenance
Security requirements of systems
Correct processing in applications
Cryptographic controls
Security of system files
Security in development and support processes
Technical vulnerability management
Commentary
Things to watch
ISO 27002 Clause 13: Information security incident management
Reporting information security events and weaknesses
Management of information security incidents and improvements
Commentary
Things to watch
ISO 27002 Clause 14: Business continuity management
Aspects of business continuity management
Commentary
Things to watch
ISO 27002 Clause 15: Compliance
Compliance with legal requirements
Compliance with security policies and standards and technical compliance
Information systems audit considerations
Commentary
Things to watch
Certification
Why does my organisation need certification?
Accredited certification
What does 'Accredited' mean?
Different types of audit
How does the certification scheme work?
Six step certification process
Summary
Appendix A - References
Appendix B - Some examples of Risks & Their Drivers
Financial Risks
Operational Risks
Hazard Risks
Strategic Risks
Appendix C - A Sample Risk Register
Appendix D - Consequences
Three by Three
Five by Five
Using a 5 layer impact matrix
Appendix E - Probability of Occurrence
Three by Three - Threats
Three by Three - Opportunities
Five by Five
Ten by Ten
Appendix F - Risk ratings
Risk Reduction
Appendix G - Risk Terms and Definitions
Appendix H - Further Reading
List of Figures
Glossary