COVER
ABOUT THE AUTHOR
TABLE OF CONTENTS
PREFACE
ACKNOWLEDGMENTS
1 INTRODUCTION
1.1 Why information security? Why ISO 27001?
1.2 Basic information security principles
1.3 ISO 27001 puts it all together
1.4 Who should read this book?
1.5 How to read this book
1.6 What this book is not
1.7 Additional resources
2 WHAT EXACTLY IS ISO 27001?
2.1 The most popular information security standard worldwide
2.2 Information security vs. IT security
2.3 How does ISO 27001 work?
2.4 What ISO 27001 is not – 7 most common myths
2.5 Where does information security belong?
2.6 For which type and size of companies is ISO 27001 intended?
2.7 Short history of ISO 27001
2.8 What does the standard look like? The structure and main clauses
2.9 Introduction to the Information Security Management System
3 GETTING THE BUY-IN FROM YOUR MANAGEMENT AND OTHER EMPLOYEES
3.1 How to convince your top management to implement ISO 27001
3.2 How to present the benefits to your top management
3.3 Is it possible to calculate the Return on Security Investment (ROSI)?
3.4 Dealing with line managers and other employees
3.5 Bridging the gap between IT and the business
3.6 Success factors
4 PREPARING FOR THE IMPLEMENTATION
4.1 ISO 27001 strategy: Three options for the implementation
4.2 How to choose a consultant
4.3 Should you use Gap analysis?
4.4 Sequence of implementing ISO 27001 & relationship with PDCA cycle
4.5 Setting up an ISO 27001 implementation project
4.6 Who should be the project manager
4.7 How long does it take?
4.8 How much does it cost?
4.9 Using tools and templates
4.10 Decide on your documentation strategy
4.11 Success factors
5 FIRST STEPS IN THE PROJECT
5.1 Understanding the context of your company (clause 4.1)
5.2 Listing interested parties and their requirements (clause 4.2)
5.3 Defining the ISMS scope (clause 4.3)
5.4 What is required of the top management (clause 5.1)
5.5 Writing the Information Security Policy (clause 5.2)
5.6 Defining top-level ISMS objectives (clauses 5.2 b and 6.2)
5.7 Roles and responsibilities, and how to document them (clause 5.3)
5.8 Success factors
6 NON-SECURITY THINGS NECESSARY FOR SECURITY MANAGEMENT
6.1 Managing documents and records (clause 7.5)
6.2 Providing resources for the ISMS (clause 7.1)
6.3 Providing security training (clause 7.2)
6.4 Making your people aware of why information security is important (clause 7.3)
6.5 How to communicate and with whom (clause 7.4)
6.6 Success factors
7 RISK MANAGEMENT
7.1 Addressing risks and opportunities (clause 6.1.1)
7.2 Five steps in the risk management process (clause 6.1)
7.3 Writing the risk assessment methodology (clause 6.1.2)
7.4 Risk assessment part I: Identifying the risks (clauses 6.1.2 and 8.2)
7.5 Risk assessment part II: Analyzing and evaluating the risks (clauses 6.1.2 and 8.2)
7.6 Performing risk treatment (clauses 6.1.3 and 8.3)
7.7 Statement of Applicability: The central document of the whole ISMS (clause 6.1.3 d)
7.8 Developing the Risk treatment plan (clauses 6.1.3, 6.2, and 8.3)
7.9 Success factors
8 IMPLEMENTING SECURITY CONTROLS; OPERATIONAL PLANNING AND CONTROL
8.1 Setting the objectives for security controls and processes (clause 6.2)
8.2 Where to start with the documentation
8.3 Deciding which policies and procedures to write
8.4 Writing documentation that will be accepted by the employees
8.5 Operating the ISMS on a daily basis (clause 8.1)
8.6 Managing changes in the ISMS (clause 8.1)
8.7 Maintenance of the documentation (clause 7.5.2)
8.8 Managing outsourced services (clause 8.1)
8.9 Regular review of the risk assessment and treatment (clause 8.2)
8.10 Success factors
9 OVERVIEW OF ANNEX A CONTROLS
9.1 Introduction to ISO 27001 Annex A
9.2 Structure of Annex A
9.3 Structuring the documentation for Annex A
9.4 Information security policies (A.5)
9.5 Organization of information security (A.6)
9.6 Human resources security (A.7)
9.7 Asset management (A.8)
9.8 Access control (A.9)
9.9 Cryptography (A.10)
9.10 Physical and environmental security (A.11)
9.11 Operational security (A.12)
9.12 Communications security (A.13)
9.13 System acquisition, development and maintenance (A.14)
9.14 Supplier relationships (A.15)
9.15 Information security incident management (A.16)
9.16 Information security aspects of business continuity management (A.17)
9.17 Compliance (A.18)
9.18 Success factors
10 MAKING SURE YOUR ISMS WILL WORK AS EXPECTED
10.1 Monitoring, measurement, analysis, and evaluation of the ISMS (clause 9.1)
10.2 Internal audit part I: Preparation (clause 9.2)
10.3 Internal audit part II: Steps in the audit & preparing the checklist
10.4 Management review that makes sense (clause 9.3)
10.5 Practical use of nonconformities and corrective actions (clause 10.1)
10.6 Constant improvement of the ISMS (clause 10.2)
10.7 Success factors
11 ENSURING YOUR COMPANY PASSES THE CERTIFICATION AUDIT
11.1 Do you really need the certificate?
11.2 Certification vs. registration vs. accreditation
11.3 Final preparations before the certification
11.4 How to choose a certification body
11.5 Steps in the company certification and how to prepare
11.6 Which questions will the ISO 27001 certification auditor ask?
11.7 How to talk to the auditors to benefit from the audit
11.8 What the auditor can and cannot do
11.9 Nonconformities and how to resolve them
11.10 Success factors
12 BONUS CHAPTER I: CAREER OPPORTUNITIES WITH ISO 27001
12.1 Most popular courses to attend
12.2 What do the Lead Auditor Course and Lead Implementer Course look like?
12.3 How to become a certification auditor
12.4 How to become a consultant
13 BONUS CHAPTER II: RELATED STANDARDS, CONCEPTS, AND FRAMEWORKS
13.1 The most important standards from the ISO 27k series
13.2 ISO 27001 vs. ISO 27002
13.3 ISO 27001 vs. ISO 27005 vs. ISO 31000
13.4 ISO 27001 vs. ISO 27017 vs. cloud security
13.5 ISO 27001 vs. ISO 27018 vs. privacy in the cloud
13.6 ISO 27001 vs. ISO 27032 vs. cybersecurity
13.7 Relationship with ISO 22301, ISO 20000, ISO 9001, ISO 14001, and ISO 45001
13.8 Using ISO 22301 for the implementation of business continuity in ISO 27001
13.9 ISO 27001 and COBIT, PCI DSS, NIST SP800, Cybersecurity Framework and ITIL
13.10 ISO 27001 as a compliance platform for various frameworks
14 BONUS CHAPTER III: ISO 27001 MINI CASE STUDIES
14.1 Defining an ISMS scope in a small cloud provider
14.2 Applying secure engineering principles in a software development company
14.3 Awareness raising in a government agency
14.4 Getting the top management commitment in a state-owned company
14.5 Listing the interested parties and their requirements in a European bank
14.6 Writing the information security policies in a manufacturing company
14.7 Preparing a telecom company for a certification
14.8 Performing risk assessment in a small hospital
14.9 Setting security objectives and measurement in a service company
14.10 Implementing ISO 27001 in data centers – An interview
15 GOOD LUCK!
APPENDIX A – CHECKLIST OF MANDATORY DOCUMENTATION REQUIRED BY ISO 27001:2013
APPENDIX B – DIAGRAM OF ISO 27001:2013 IMPLEMENTATION
APPENDIX C – APPLICABILITY OF ISO 27001 DIVIDED BY INDUSTRY
APPENDIX D – INFOGRAPHIC: ISO 27001 2013 REVISION – WHAT HAS CHANGED?
APPENDIX E – ISO 27001 VS ISO 20000 MATRIX
APPENDIX F – PROJECT PROPOSAL FOR ISO 27001 IMPLEMENTATION TEMPLATE
APPENDIX G – PROJECT CHECKLIST FOR ISO 27001 IMPLEMENTATION
APPENDIX H – PROJECT PLAN TEMPLATE FOR ISO 27001 IMPLEMENTATION
APPENDIX I – LIST OF QUESTIONS TO ASK YOUR ISO 27001 CONSULTANT
APPENDIX J – LIST OF QUESTIONS TO ASK AN ISO 27001 CERTIFICATION BODY
APPENDIX K – INFOGRAPHIC: THE BRAIN OF AN ISO AUDITOR – WHAT TO EXPECT AT A CERTIFICATION AUDIT
APPENDIX L – WHAT IS THE JOB OF CHIEF INFORMATION SECURITY OFFICER (CISO) IN ISO 27001?
APPENDIX M – CATALOG OF THREATS AND VULNERABILITIES
GLOSSARY
BIBLIOGRAPHY