ISO 27001:2013 - INFORMATION SECURITY MANAGEMENT SYSTEM
An Information Security Management System (ISMS) formally specifies a management system that helps an organization identify, design and implement the information security controls necessary to ensure the confidentiality, integrity and availability of its information assets. ISO 27001:2013 certification validates a company's capability to develop and maintain a state-of-the-art data centre facility and network infrastructure.
The ISO 27001 standard details all that is needed to establish, operate, maintain and review a documented Information Security Management System (ISMS) through security controls tailored to the requirements of an organization. It applies to all kinds of organizations, from businesses to government agencies to non-profit groups.
An ISMS is that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security, and it always follows the Plan-Do-Check-Act (PDCA) methodology.
The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
The Do phase involves implementing and operating the controls.
The Check phase reviews and evaluates the performance (efficiency and effectiveness) of the ISMS.
In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
By implementing an ISMS through ISO 27001, a company can ensure that it manages its information security processes in a structured manner and that it can tailor its ISMS to its business needs.
Specifically, an ISO 27001 Information Security Management System is used within an organization to:
• Identify security requirements and frame objectives.
• Ensure that the organization’s security objectives are fulfilled.
• Ensure that security risks are economically managed.
• Ensure that applicable laws and regulations are complied with.
• Determine the status of information security management activities.
• Supply information on information security policies, directives, standards and procedures to other organizations.
• Provide information on information security to customers.
Methodology
Details of Key Roadmap Activities for ISMS Implementation
PHASE I: ISO 27001:2013 ISMS AWARENESS TRAINING PROGRAM
Purpose
The purpose of this step is to familiarize a large group of people in the organization with the ISMS standard and to sensitize the organization to the standard's implementation aspects and requirements.
It also serves to motivate key people in the organization to appreciate the benefits of an ISMS for driving process excellence, and prepares champions and leaders who can contribute to the initiative in the future roadmap.
Objectives
• Familiarize people with the ISMS standard
• Sensitize the organization to the implementation aspects and expectations of the model
• Create a core group of champions & leaders to lead the initiative
Activities
• Identify the Core ISMS Team
• Provide training on ISO 27001:2013
Deliverables
• Provide training for the Core Team
• Training Materials for the Core ISMS Team
NRS Responsibilities
• Provide master copy of courseware
• Faculty with Extensive Experience in the domain
• Conduct the Internal Auditor Training program
Client Responsibilities
• Identify participants for the Training
• Provide facility to conduct the training program
• Arrange the materials needed for the training
PHASE II: DIAGNOSTIC STUDY – IMPLEMENTATION, REVIEW & ACTION PLANNING
Purpose
The purpose of this activity is to perform a base-lining exercise to get a snapshot of the organization's current strengths and weaknesses. The information gathered from the baseline is then used to initiate development of the strategic action plan that provides guidance and direction to the process improvement program.
Base-lining activities require a significant amount of coordination of people, data, facilities, training activities and support services. It is therefore recommended that some time is spent planning the initiative, especially because this activity involves drawing up the future implementation action plan.
Objectives
Gather a snapshot of the actual strengths and weaknesses in information-security-related areas vis-à-vis the control objectives of the ISO 27001:2013 controls
Activities
• Assess the conformance of documented processes to the ISO 27001:2013 standard
• Understand the organization's requirements and improvement goals
• Identify improvement opportunities
• Assess the degree of implementation and institutionalization of these processes
• Brief senior management on the Assessment findings and present an action plan (presentation/workshop, as appropriate)
Deliverables
• An assessment findings report giving the security controls and their profile (functional characteristics, strengths, weaknesses) and improvement opportunities (gaps with respect to the ISO 27001:2013 standard)
• Identify Key metrics on which improvement can be committed
Nepal Realistic Solution Responsibilities
• Administer the capability questionnaire.
• Conduct structured interviews & Analyze responses
• Review documentation & assess conformance to ISO 27001:2013 standard
• Prepare the assessment report
• Brief senior management
• Facilitate production of an initial Action Plan
Client Responsibilities
• Identify, assign and schedule appropriate resources for answering the questionnaire, and for interviews where appropriate
• Make all requested documents available
• Create an Action Plan, with help from Nepal Realistic Solution
PHASE III: EXECUTION – POLICY/PROCEDURE DESIGN, DEVELOPMENT & FACILITATION
Purpose
The purpose of this step is to develop solutions for the procedure/policy definition and implementation gaps identified during the organizational base-lining activity. The solutions for the procedures/policies to be improved have to be defined and documented, and must enable the achievement of business objectives.
The solution selected should be compatible with the organization's culture so that it will be readily accepted and institutionalized. To enable institutionalization in an accelerated manner, the needed supporting elements (policy, procedure, template, checklist, guidelines, exceptions, roles & responsibilities) must be clearly defined for each ISMS process.
Objectives
• Investigate alternative solutions to the procedure/policy issues discovered
• Refine the existing procedures and policies to eliminate errors and reduce variation
Activities
• Conduct Risk assessment & create Risk treatment plans
• Refine existing procedures/policies as identified in the Action Plan
• Create Statement of Applicability
• Create ISMS manual
• Identify process stakeholders and understand their needs
• Determine the current process, boundary and context
• Define the effectiveness measures
Deliverables
• Fully developed and documented ISMS policies & procedures aligned to the business needs, based on ISMS best practices
• Effectiveness measures
• Mandatory procedures
Nepal Realistic Solution Responsibilities
• Facilitate process development efforts by ISMS team(s)
• Review developed policies/procedures against ISO 27001 standard and against organizational process improvement goals
• Review achievements of other planning goals, as appropriate
• Help make it happen!
Client Responsibilities
• Allocate resources, time and budget
• Develop and/or improve processes – make it happen!
• Apply developed ISMS processes
• Monitor and record progress of the pilot projects
• Have all results available for review and recommendations
PHASE IV: REVIEW – IMPLEMENTATION REVIEW AND INTERNAL AUDIT
Purpose
The purpose of this step is to ensure that all lessons-learned data is available for starting an improvement process in the organization and for sustaining process excellence. This activity involves creating an organizational process database that serves as an organizational memory, ensuring that the organization does not repeat its mistakes.
Based on the lessons learnt, this step emphasizes revising the organization's approach so that changes are made more effectively, with reduced resistance, allowing process improvement to happen in a dynamic and rapid manner. In addition, this step involves revisiting goals, sponsorship and management commitment to enable better results.
For a sustained change culture in the organization, it is imperative that three cycles of improvement are demonstrated for each process implemented in the organization in order to achieve a successful appraisal.
Objectives
• Create an organizational database for processes on lessons learnt
• Analyze processes & practices to make the process improvement effective
• Consider adding variations that will make the process improvement better
• Ensure that resources are available for continuous improvement
• Refine measurements and goals to objectively determine goal satisfaction
Activities
• Pilot the developed ISMS processes within the context of the scope of the IT service for which certification is being sought
• Tool customization/implementation
• Training and awareness (including Internal Auditor Training)
• Carry out Internal Audits & review results with ISMS teams
Deliverables
• Institutionalized ISMS processes.
• Plan for improvements
• Internal assessments and audit reports
• Report on corrective actions
Nepal Realistic Solution Responsibilities
• Help select appropriate processes for piloting
• Review results of applying developed ISMS processes, in the context of ISMS requirements and the impact on the IT service, or service component, concerned
• Recommend changes
• Training (as required and agreed)
• Consult, assist and mentor the project team and process owners
• Provide support during external audit
Client Responsibilities
• Identify candidate processes for piloting
• Apply developed ISMS processes
• Monitor and record progress of the pilot projects
• Have all results available for review and recommendations
PHASE V: CERTIFICATION AUDIT
Purpose
Certification of the ISMS by the certification body
Objectives
To ensure the defined management system is in compliance with ISO 27001:2013
Activities
• Conduct stage-1 audit (document review) by the certification body
• Conduct stage-2 audit (certification audit) by the certification body
Deliverables
• Audit report
• Certificate from the certification body
Nepal Realistic Solution Responsibilities
• Coordinate with certification body
• Participate in stage 1 and stage 2 audit
• Close the non-conformities, if any
• Recommend changes
Client Responsibilities
• Provide the resources to participate in the audit
• Provide the evidence during the audit
Timelines
Particulars (scheduled across Mon 1 to Mon 6) and Resource
1. Information Security Awareness Training Program for the core team – Resource: Senior Consultant
2. Detailed Gap Assessment & Action Planning – Resource: Senior Consultant
3. Process Design and Development of Security Policies, Procedures, Templates, Checklists, Risk Assessment etc. – Resource: Senior Consultant
4. Process Implementation: conduct periodic implementation reviews; Internal Audit Training program for selected team members – Resource: Senior Consultant
5. Conduct Internal Audit by the team; close all open non-conformances identified from the pre-audit by the auditor – Resource: Senior Consultant
6. Stage 1 – Pre-Audit by Certification Body – Resource: Lead Auditor
7. Stage 2 – Final Certification Audit by Certification Body – Resource: Lead Auditor