Calder Implementing Information Security based on ISO 27001/ISO 27002
1st edition 2011
ISBN: 978-90-8753-543-8
Publisher: Van Haren Publishing
Format: PDF
Copy protection: Adobe DRM
E-book, English, 90 pages
Series: A Management Guide
Information is the currency of the information age and in many cases is the most valuable asset possessed by an organisation. Information security management is the discipline that focuses on protecting and securing these assets against the threats of natural disasters, fraud and other criminal activity, user error and system failure.
Effective information security can be defined as the ‘preservation of confidentiality, integrity and availability of information.’ This book describes the approach taken by many organisations to realise these objectives. It discusses how information security cannot be achieved through technological means alone, but should include factors such as the organisation’s approach to risk and pragmatic day-to-day business operations.
This Management Guide provides an overview of the implementation of an Information Security Management System that conforms to the requirements of ISO/IEC 27001:2005 and which uses controls derived from ISO/IEC 17799:2005.
It covers the following:
Certification
Risk
Documentation and Project Management issues
Process approach and the PDCA cycle
Preparation for an Audit
CHAPTER 1 Introduction
1.1 ISO/IEC 27001:2005 (‘ISO 27001’ or ‘the Standard’)
1.2 ISO/IEC 27002:2005 (‘ISO 27002’)
1.3 Definitions
CHAPTER 2 Information security and ISO 27001
2.1 Approach to information security
2.2 The ISMS and organizational needs
2.3 Reasons to implement an ISMS
2.4 The ISMS and regulation
CHAPTER 3 Certification
3.1 Read and study the Standards
3.2 ‘Badge on the wall’ debate
3.3 Certification
3.4 Qualifications and further study
CHAPTER 4 ISO 27001 and ISO 27002
4.1 ISO 27002
4.2 ISO 27001
CHAPTER 5 Frameworks and management system integration
5.1 ITIL
5.2 ISO 20000
5.3 ISO 27001 Annex C
5.4 Management system integration
5.5 BS25999
5.6 CobiT
CHAPTER 6 Documentation requirements and record control
6.1 ISO 27001 Document control requirements
6.2 Annex A document controls
6.3 Document approval
6.4 Contents of the ISMS documentation
6.5 Record control
6.6 Documentation process and toolkits
CHAPTER 7 Project team
7.1 Demonstrating management commitment
7.2 Project team/steering committee
7.3 Information security co-ordination
CHAPTER 8 Project initiation
8.1 Awareness
8.2 Awareness tools
CHAPTER 9 Process approach and the PDCA cycle
9.1 PDCA mapped to the clauses of ISO 27001
9.2 ISMS project roadmap
CHAPTER 10 Plan - establish the ISMS
10.1 ISMS policy
10.2 Policy and business objectives
CHAPTER 11 Scope definition
11.1 Scoping, boundaries and third party risk
11.2 Scoping in small organizations
11.3 Scoping in large organizations
11.4 Legal and regulatory frameworks
11.5 Network infrastructure
CHAPTER 12 Risk management
12.1 Risk treatment plans
12.2 Acceptable risks
12.3 Risk assessment
CHAPTER 13 Assets within scope
13.1 Asset classes
13.2 Asset owners
CHAPTER 14 Assessing risk
14.1 Threats (4.2.1.d2)
14.2 Vulnerabilities (4.2.1.d3)
14.3 Impacts (4.2.1.d4)
14.4 Risk assessment (likelihood and evaluation) (4.2.1.e)
14.5 Risk level
CHAPTER 15 Risk treatment plan
CHAPTER 16 Risk assessment tools
16.1 Gap analysis tools
16.2 Vulnerability assessment tools
16.3 Penetration testing
16.4 Risk assessment tools
16.5 Statement of Applicability
CHAPTER 17 Statement of Applicability
17.1 Controls (4.2.1.f.1)
17.2 Controls and control objectives
17.3 ISO 27001:2005 Annex A
17.4 Drafting the Statement of Applicability
17.5 Excluded controls
CHAPTER 18 Third party checklists and resources
18.1 Third party sources
18.2 Configuration checklists
18.3 Vulnerability databases
CHAPTER 19 Do - implement and operate the ISMS
19.1 Gap analysis
19.2 Implementation
CHAPTER 20 Check - monitor and review the ISMS
20.1 Audits
20.2 Audit programme
20.3 Reviews
CHAPTER 21 Act - maintain and improve the ISMS
21.1 Management review
CHAPTER 22 Measurement
22.1 NIST SP800-55
CHAPTER 23 Preparing for an ISMS audit
APPENDIX A Bibliography of related standards, guides and books
APPENDIX B Accredited certification and other bodies




