Implementing An ISMS Participant Guide V1.1
Implementing an ISMS
Participant Guide
IMPLEMENTING AN ISMS
CONDITION OF USE
All rights reserved. No part of this work may be reproduced or copied in any form or by any
means (graphic, electronic or mechanical, including photocopying, recording, taping or
information retrieval systems) without the written permission of the Queensland Government
Chief Information Office or as otherwise permitted by the operation of the law.
PURPOSE
Critical in today’s information-centric environment is the subject of ‘information
security’, whether for reasons of safety, security, legal or ethical obligations, or
compliance. The management of such information is of paramount importance and an
essential element of good organisational practice in today’s rapidly evolving
world. This is equally important in both the private and public sectors.
Participants will learn how to evaluate their agency’s information risks and
implement a practical Information Security Management System (ISMS) that is
compliant with the ISO/IEC 27001:2013 standard.
Participants will also learn the activities necessary to transition from the existing
IS18 framework to an operational ISMS, and understand the steps necessary to
ensure the ongoing operation of the ISMS.
LEARNING OUTCOMES
INFORMATION SECURITY
Please note: For the purposes of this course, when the term ISO 27001 is
used, it refers to the ISO/IEC 27001:2013 standard. Similarly, ISO 27002
refers to ISO/IEC 27002:2013.
TIME
15 minutes
TASK
To discuss the information security drivers that may exist within agencies
and the perceived value of information security with the agency.
2. Why?
BACKGROUND - IS18
THE CHANGES
Note that adoption of the ISMS still provides an environment where all
requirements of IS18 are met and does not weaken the security posture.
KEY CONSIDERATIONS
The transition from IS18 is not designed to weaken the security posture of
agencies. The implementation of an ISMS will leverage the work already done
in this space by agencies by utilising the control information during the ISMS
construction, implementation and operations phases.
The key paradigm shift is from a model focused at the control level to one that
considers the objective of each control and the risks being managed. Controls
are selected to manage risk; understanding the risks, and thus the objective of
the control set, provides a more structured but flexible approach to security
management.
Module 4: ISMS
The design of the ISMS and how it is implemented depends on the needs and
objectives of the organisation. Factors to be considered include the size and
structure of the organisation, the market or service area in which it operates and
the sensitivity of the information it owns or manages on behalf of others.
COMPONENTS OF AN ISMS
Ignoring people and their behaviour will compromise the operations of the ISMS
and therefore the information security environment.
IMPLEMENTATION PITFALLS
One common pitfall is that this support is present during the “project” phase,
that is, the implementation of the ISMS, but then falls away when the system is
operationalised.
Another key reason that ISMS deployments fail is the “over-engineering” trap.
Often those that build such systems seek to build significant detail into the
system. However, the ISMS is an organic system and like all organic systems,
the more complicated the organism, the more opportunity for failure.
As elements of the system are developed they should be deployed and used.
ISMS implementation is not “big bang” and does not require all elements in
place to bring benefits.
The key focus should always be on simplicity in terms of design and operations.
Do not strive for perfection. The ISMS contains enough mechanisms for self-
correction and improvement.
An ISMS does not need to be built on the ISO 27001 standard but this standard
provides a globally recognised and understood framework. This common
framework also allows globally-recognised certification of the ISMS.
An ISMS based on the ISO 27001 standard adopts a holistic, structured and
coordinated approach to identifying and managing information security risks. It
involves consideration of issues of policy and procedure, technologies and tools
deployed and most importantly, people and their behaviour.
ISO 27001
BS 7799.1 provided guidance and eventually became ISO 17799 and then in
2007, was renumbered to ISO/IEC 27002:2005 to align with ISO/IEC
27001:2005.
Both ISO 27001 and ISO 27002 were updated in 2013. An Australian version
eventually followed in 2015 (AS ISO/IEC 27001:2015). Note that this is identical
to the ISO version.
ISO 27001 is one of a series of standards in the ISO 27000 range. This set of
standards is focussed on information security. Whilst ISO 27001 is the most
recognised of the family, there are a number of standards in the range providing
guidance and information.
Note that a number of these standards are still in draft stages. Information
about the current status of the standards can be found at
http://www.iso27001security.com
Also note that the ISO 31000 standard, whilst not formally part of the ISO
27000 family, plays a critical role in providing information about
organisational risk management practices. Most organisations in Australia
have adopted this standard as part of their Risk Management framework.
The Queensland Government model has taken this approach.
The ISO 27001 standard uses ‘shall’ within its text. All mandatory elements
and selected controls are therefore mandatory.
ISO 27001 can be used for third-party audit and certification.
ISO 27001 and ISO 27002 are paired standards. ISO 27001 Annex A is derived
from ISO 27002.
ISO 27002
Within ISO 27002 ‘should’ is used in the text. The use of this term differentiates
this standard from ISO 27001. Controls listed in this standard are therefore
“optional”. Use of this language makes this standard ineligible for use for
certification purposes. It is a guideline only.
CONTENTS
ISO 27001 comprises a number of clauses and one annex. Within the
standard, clauses 4-10 are mandatory and any ISMS claiming conformance to
ISO 27001 MUST implement all components of those clauses.
   4. Communication
   5. Documentation
8. Operation
   1. Planning and control
   2. Risk assessment
   3. Risk treatment
9. Performance Evaluation
   1. Monitoring and analysis
   2. Internal audit
   3. Management review
10. Improvement
   1. Nonconformity and corrective action
   2. Continual improvement
Clause 4 Design
Clause 5 Design
Clause 6 Implement
Clause 8 Operate
Clause 10 Improve
DETAILS OF CLAUSE 4
Clause 4 addresses the context of the organisation. Clauses 4.1 and 4.2
require consideration of the internal and external issues that affect the
organisation’s ability to achieve its intended security outcomes, and of the
requirements and expectations of interested parties. These requirements
must include any legal, regulatory or contractual obligations.
Clause 4.3 then requires the scope of the ISMS to be defined and documented.
You need to consider what third parties (if any) are within scope.
CLAUSE 5 LEADERSHIP
1. Commitment
2. Information security policy
3. Roles and responsibilities
Note that this policy requirement replaces the ISMS Policy required by ISO/IEC
27001:2005. The ISMS policy document is no longer required as a mandatory
document but its purpose may still exist and therefore the document may still
exist in that form.
CLAUSE 6 PLANNING
The first part of this clause captures the requirement to ensure that both
corrective action (ensure event does not re-occur) and improvement (ensure
event does not occur) activities are undertaken as part of continually improving
the ISMS.
Note that this clause does not attempt to deal only with negative outcomes.
The use of identified opportunities to ensure the ISMS can achieve its intended
outcomes provides a focus on the positive aspects of good information security
management.
Clause 6.1 also deals with the risk assessment process. This clause requires
that a documented risk assessment process exists and that the criteria for
performing risk assessments have been identified.
This clause also mandates the documentation of the risk acceptance criteria.
The standard also requires the identification of the “risk owner”. The definition
of the risk owner as per ISO 31000 is the “person or entity with the accountability
and authority to manage a risk”. This person or entity may not be charged with
any risk remediation activity but is the individual or entity who is accountable to
top management in terms of ensuring proper management of the risk.
Clause 6.1 also addresses control selection, the creation of the Statement of
Applicability, acceptance of risk by the risk owner and approval of risk treatment
plans.
Again, the standard requires the retention of documented information about the
risk treatments. This may exist in documentation such as risk treatment plans
or risk registers or may be contained within a risk management tool.
Clause 6.2 identifies the need to document the information security objectives.
It is critical that the organisation identifies its security requirements. There are
three main sources of security requirements:
CLAUSE 7 SUPPORT
There is a logical sequence that is reflected within this clause of the standard
when addressing competency:
• Determine the necessary competency requirements
CLAUSE 8 OPERATIONS
This clause of the standard provides the requirements for the assessment of the
performance of the ISMS. It includes the requirements for:
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
ISO 27001 does not require you to measure everything. An organisation must
determine the following:
a) what needs to be monitored and measured, including processes and
controls;
b) the methods for monitoring, measurement, analysis and evaluation, to
ensure valid results;
c) when the monitoring will happen;
d) who shall perform the activity;
e) when the results will be analysed; and
f) who shall do this.
Clause 9.2 of the standard specifies the requirements for ISMS Internal Audit.
ISMS internal audits must be conducted to determine the status of the system.
The organisation needs to plan audits, taking into account the most important
aspects of the business, then conduct the audits using competent staff.
Note that an ISMS audit does not need to cover off all elements of the ISMS
during the audit. An ISMS audit program is produced which may contain a
number of audits. The audit program must ensure that all elements of the
system are reviewed.
NOTE: ISO 27007, ISO TR 27008 and ISO 19011:2002 (Guidelines for quality
and/or environmental management systems auditing), will provide helpful
guidance for carrying out the internal ISMS audits.
Clause 9.3 addresses the need for a Management Review. This occurs at
planned intervals, generally after the completion of the ISMS Internal Audit.
The standard explicitly defines the minimum inputs into the Management
Review. These include:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the
information security management system;
c) feedback on the information security performance, including trends in:
a. nonconformities and corrective actions;
b. monitoring and measurement results;
c. audit results; and
d. fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plans; and
f) opportunities for continual improvement.
These reviews by management are conducted for the purposes of ensuring the
ISMS is operating as expected. These reviews are often performed by the
governance forum of the ISMS.
CLAUSE 10 IMPROVEMENT
Clause 10 of the standard specifies the requirements for improving the ISMS.
An effective ISMS contains a number of elements that assist with the aim of
continually improving the operations of the management system. Such
elements include identifying areas of non-conformity with the standard or the
organisation’s own policies and procedures and taking any necessary actions
to correct the non-conformance. This is addressed in Clause 10.1.
Clause 10.2 addresses the requirement for continual improvement of the ISMS.
Improvement of the ISMS will occur provided all of the previous requirements of
the standard have been implemented and are working effectively. Evidence of
such improvements should be maintained.
TIME
10 minutes
TASK
KEY ACTIVITIES
A sample project plan is provided for an ISMS implementation. Note that the
timings will be affected by the size and complexity of the agency, the availability
of resources, the scope of the ISMS and external factors affecting timing.
ISMS SCOPE
A very important element of the ISMS is its scope. The scope will be used for
identifying the targets of the risk assessments and thus supports the remaining
elements of the ISMS. As the agency is required to implement an ISMS based
on the international standard, it must define the scope of the ISMS.
Note that it is not necessary to implement the same level of security for the
whole agency.
One reason for the failure of an ISMS implementation is a poorly defined scope.
Whatever the scope, a formal documented definition of the scope of the ISMS
is required (clause 4.3).
Exclusions may occur when the agency has limited or no management control
across that area, making it difficult to manage any risks.
TIME
20 minutes
TASK
• In your teams, attempt to capture (in bullet point form) the key elements
of a scope statement for your agencies:
   – Core objective(s)
   – Interested parties
   – Boundaries
   – Exclusions
Governance
The governance forum (steering committee, security committee etc) plays a vital
role in the ongoing health of the ISMS. This committee has oversight of the
key activities, risk treatments and changes to the management system.
AGENDA CONSIDERATIONS
The review of the metrics should be focussed on the review of a limited number
of metrics. These metrics are generally those that executive and senior
management have a strong interest in. These metrics may form the elements
of security dashboards for reporting to audit committees and executive forums.
TIME
15 minutes
TASK
RESOURCING CONSIDERATIONS
One critical success factor for an ISMS implementation is having access to the
right resources at the appropriate time. Remember that each person fulfilling
a role within the ISMS is required to be competent in that role. It is therefore
important to remind yourself of the core roles and consequently the core
resources you will require. This applies to both the implementation and
operations of the ISMS.
RESOURCING QUESTIONS
There are a number of questions that need to be posed and answered during
implementation planning.
Decisions about these choices will depend on the extent of the competency gap
and whether the competencies are required for implementation or ongoing
operation of the ISMS.
Whilst the latest version of ISO 27001 does not require you to identify assets
before undertaking risk assessments, it is often a good strategy to provide clarity
around the risk targets. This will allow a more focussed approach to risk
assessment.
Note that Annex A.8.1.1 still requires the creation of an information asset
inventory. Ownership of assets must also be identified as part of Annex A.8.1.2.
This Information Asset inventory should not be confused with any fixed asset
registers. They serve different purposes.
1. Identify the critical business processes within scope. For most agencies,
this will be all their critical processes given the expected broad nature of
the scope of the agency’s ISMS;
2. Identify the core (primary) information required by each process. This
will be information such as financial information, health records, citizen
information;
3. Identify all the supporting (secondary) assets that are required to allow
access to this information. Such supporting assets will include all
necessary ICT and physical infrastructure and also include the human
assets required;
4. Identify the information asset owners for all assets;
5. Discuss and agree the value of the asset with the owners. This can use
the information classification framework discussed next.
INFORMATION CLASSIFICATION
TIME
20 minutes
TASK
RISK ASSESSMENT
The standard does not dictate specific methods for risk assessment. It is up to
the organisation to select a method that aligns with the organisational risk
methodology. However, consequence and likelihood must be considered.
Management must determine and approve criteria for accepting the risk. For
example, an organisation may say “We will accept all risks in the ‘low’ category
and treat those rated above this value”.
Management must also determine the criteria for performing risk assessments.
This may include consideration of risk assessments during projects, significant
changes, as a result of incident reviews or as an outcome of business continuity
exercises.
Criteria may also be based on the value of the information assets involved. For
instance, highly sensitive assets may automatically require a risk assessment
around any changes on how those assets are used.
Note that the standard does not require you to adopt this approach. In fact, as
previously discussed, the standard does not require you to identify the
information assets before undertaking the risk assessment.
MEASURES OF LIKELIHOOD
Tables similar to the one below are often seen within risk models. One consideration
should be if the timeframes within these types of tables are appropriate for assessing
information security risks. One challenge related to the use of a single likelihood table
for all types of risk has been the relevance to information security events.
Use of a single likelihood table across an organisation has been known to skew
risk values related to security risks downwards.
Likelihood should take into account the effectiveness of the current control
environment.
MEASURES OF CONSEQUENCE
The more detailed the information in the consequence table, the more likely that
a comparable value will be selected during risk assessments.
Note that there may be consequences in a number of impact areas. The risk
assessor should select the highest impact value.
MEASURES OF RISK
Once the consequence and likelihood have been assessed, there is generally
some form of lookup table to determine the risk value. Such risk tables may look
similar to the one above, although sometimes the axes are transposed or the
scales on the axes are transposed.
Note that likelihood assessment may include business and control owners and
consequence assessment will certainly include the business owner.
The risk value obtained from the risk assessment will be used to determine
whether further risk treatment is required.
A question is often posed that if ISO 27001 is about risk management, why do
we not do risk assessments against all in-scope assets? This is fundamentally
a question on practicality. Few organisations have enough competent
resources to undertake such an intensive program.
TIME
30 minutes
TASK
As a group, use the template provided to assess the risks against one of
the information assets identified previously.
RISK TREATMENT
Once the risk assessment has been concluded and the risk is rated, the rating
is compared to the agreed risk acceptance criteria.
If the risk rating is greater than the acceptable level, risk treatment options
need to be considered.
Transference of risk is an effective choice when the impact from this risk is
financial in nature. For instance, insuring against loss from an environmental
event such as a flood reduces the financial impact on the organisation.
If the treatment choice is “mitigate” with additional controls, what control sets
should be considered? As with the existing control environment, the standard
does not mandate any specific set.
Remember that after the risk treatment has been determined, you need to
reassess the ‘likelihood’ and ‘consequence’ and calculate the measure of
residual risk.
At the conclusion of the control selection process, the control objectives and
controls selected need to be compared to the control objectives and controls
from Annex A to ensure that no necessary controls have been omitted.
Note that the risk owner MUST approve the risk treatments selected and also
must accept any residual risk. This must be documented.
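As an added worked example (not a tool from the participant guide or the Queensland Government model), the following Python script carries the risk assessment and treatment steps above through a small register: the highest consequence across impact areas is taken, the pair is looked up in a risk matrix (a transposed matrix is handled too), the rating is compared with a ‘Low’ acceptance criterion, and residual risk is re-rated after treatment with the risk owner’s approval and acceptance tracked. The scale labels, matrix values, risk descriptions and owner titles are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed scales and matrix (placeholders, not the guide's own tables).
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]
RISK_LEVELS = ["Low", "Medium", "High", "Extreme"]

# Rows = likelihood, columns = consequence.
MATRIX = [
    # Insig.    Minor     Moderate  Major      Severe
    ["Low",    "Low",    "Low",    "Medium",  "High"],     # Rare
    ["Low",    "Low",    "Medium", "Medium",  "High"],     # Unlikely
    ["Low",    "Medium", "Medium", "High",    "High"],     # Possible
    ["Medium", "Medium", "High",   "High",    "Extreme"],  # Likely
    ["Medium", "High",   "High",   "Extreme", "Extreme"],  # Almost certain
]


def rate(likelihood, consequences, matrix=MATRIX, consequence_rows=False):
    """Return (risk level, impact area that drove it).

    consequences maps impact area -> consequence label; the highest value is
    used, as the guide advises. consequence_rows=True reads a matrix whose
    axes are transposed (rows = consequence, columns = likelihood)."""
    area, label = max(consequences.items(),
                      key=lambda kv: CONSEQUENCE.index(kv[1]))
    li, ci = LIKELIHOOD.index(likelihood), CONSEQUENCE.index(label)
    level = matrix[ci][li] if consequence_rows else matrix[li][ci]
    return level, area


def exceeds_acceptance(level, acceptance="Low"):
    """True when the rating is above the agreed acceptable level, i.e. the
    'accept Low, treat everything rated above it' criterion from the guide."""
    return RISK_LEVELS.index(level) > RISK_LEVELS.index(acceptance)


@dataclass
class Risk:
    risk_id: str
    description: str
    risk_owner: str
    likelihood: str
    consequences: dict
    treatments: list = field(default_factory=list)
    treatments_approved: bool = False           # approval by the risk owner
    residual_likelihood: Optional[str] = None   # re-rated after treatment
    residual_consequences: Optional[dict] = None
    residual_accepted: bool = False             # documented acceptance


def assess(risk, acceptance="Low"):
    """Return a risk register row plus the outstanding actions for this risk."""
    inherent, area = rate(risk.likelihood, risk.consequences)
    row = {"risk_id": risk.risk_id, "risk_owner": risk.risk_owner,
           "inherent": inherent, "driving_area": area,
           "treatment_required": exceeds_acceptance(inherent, acceptance),
           "residual": None, "actions": []}
    if not row["treatment_required"]:
        row["residual"] = inherent      # accepted under the criteria as-is
        return row
    if not risk.treatments:
        row["actions"].append("select and document a risk treatment")
        return row
    if not risk.treatments_approved:
        row["actions"].append("risk owner approval of treatments not documented")
    if risk.residual_likelihood is None or risk.residual_consequences is None:
        row["actions"].append("reassess likelihood and consequence after treatment")
        return row
    residual, _ = rate(risk.residual_likelihood, risk.residual_consequences)
    row["residual"] = residual
    if exceeds_acceptance(residual, acceptance):
        row["actions"].append("residual risk still above acceptance criteria: "
                              "treat further or record explicit acceptance")
    if not risk.residual_accepted:
        row["actions"].append("risk owner acceptance of residual risk not documented")
    return row


def sample_register():
    """Constructed register of two risks assessed against a 'Low' acceptance level."""
    risks = [
        Risk("R-01", "Unauthorised disclosure of citizen records from a shared file server",
             "Director, Service Delivery", "Likely",
             {"Privacy": "Major", "Financial": "Minor", "Reputation": "Moderate"},
             treatments=["Access review of file shares", "Encrypt records at rest"],
             treatments_approved=True, residual_likelihood="Unlikely",
             residual_consequences={"Privacy": "Moderate", "Financial": "Minor",
                                    "Reputation": "Minor"},
             residual_accepted=True),
        Risk("R-02", "Loss of public brochures held on a shared drive",
             "Manager, Communications", "Possible",
             {"Financial": "Insignificant", "Reputation": "Insignificant"}),
    ]
    return {r.risk_id: assess(r) for r in risks}


if __name__ == "__main__":
    for risk_id, row in sample_register().items():
        print(risk_id, row["inherent"], "->", row["residual"], row["actions"])
```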
Annex A of ISO 27001 is derived directly from ISO 27002. The only difference
is in the use of “shall” and “should”.
There are 35 control objectives and 114 controls in the 2013 versions of these
standards.
For example, the Annex A control A.5.1.1 relating to organisations and their
security policies is supported by ISO 27002 section 5.1.1. This section provides
additional implementation guidance.
Note again that the control objectives and controls listed in Annex A are not
exhaustive and additional control objectives and controls may be selected from
any source.
TIME
30 minutes
TASK
The Statement of Applicability (SoA) is built from the results of the risk
assessments and risk treatments, so it is composed both of controls that are
already implemented and of those controls contained in risk treatments.
You are required to compare these selected controls against Annex A to ensure
no areas have been missed.
Any controls from other controls sets also must be documented in the SoA.
The ISMS certification process and the certificate itself are linked to a particular
version of the SoA. Therefore, if there is a change in the number of controls,
the certified organisation should prepare a new SoA and have the certificate
reissued.
The SoA is derived from the output of the risk assessment/risk treatment
process and therefore is often linked to the risk register.
When planning an audit and selecting the audit team, the SoA is important to
facilitate the development of the audit plan and to ensure appropriate audit
resources are selected.
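As an added example (not from the participant guide), this Python script builds an SoA from the sources the SoA sections above describe: controls already implemented, controls selected by risk treatments (linked back to the risk register), a control from another control set, and documented exclusions. It then compares the result against Annex A so that no control is silently omitted, and reports when a re-issued SoA is needed. The Annex A subset (titles abbreviated), the QG-LOG-1 control id, the risk ids and the justifications are constructed placeholders.

```python
# Constructed subset of ISO/IEC 27001:2013 Annex A; titles abbreviated.
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.5.1.2": "Review of the policies for information security",
    "A.8.1.1": "Inventory of assets",
    "A.8.1.2": "Ownership of assets",
    "A.9.2.1": "User registration and de-registration",
    "A.12.4.1": "Event logging",
}


def build_soa(implemented, treatments, other_controls=None, exclusions=None):
    """Return (rows, gaps).

    implemented:    {control_id: justification} for controls already in place
    treatments:     [{"risk_id": ..., "controls": [control_id, ...]}, ...]
    other_controls: {control_id: (source_control_set, title)} for controls
                    that are not in Annex A
    exclusions:     {control_id: justification} for Annex A controls that are
                    deliberately excluded (each needs a documented reason)
    rows is the SoA keyed by control id; gaps lists what must be resolved
    before the SoA can be approved."""
    other_controls = other_controls or {}
    exclusions = exclusions or {}
    rows, gaps = {}, []

    def row_for(cid):
        if cid in ANNEX_A:
            return {"title": ANNEX_A[cid], "source": "Annex A"}
        if cid in other_controls:
            source, title = other_controls[cid]
            return {"title": title, "source": source}
        return None  # unknown control: its control set was never documented

    for cid, why in implemented.items():
        base = row_for(cid)
        if base is None:
            gaps.append(f"{cid}: control set not documented")
            continue
        rows[cid] = {**base, "applicable": True, "status": "implemented",
                     "justification": why, "linked_risks": []}

    for t in treatments:
        for cid in t["controls"]:
            if cid not in rows:
                base = row_for(cid)
                if base is None:
                    gaps.append(f"{cid}: control set not documented (risk {t['risk_id']})")
                    continue
                rows[cid] = {**base, "applicable": True, "status": "planned",
                             "justification": "selected by risk treatment",
                             "linked_risks": []}
            rows[cid]["linked_risks"].append(t["risk_id"])

    for cid, why in exclusions.items():
        base = row_for(cid)
        if base is None:
            gaps.append(f"{cid}: control set not documented")
        elif cid in rows:
            gaps.append(f"{cid}: both selected and excluded")
        elif not why.strip():
            gaps.append(f"{cid}: exclusion has no justification")
        else:
            rows[cid] = {**base, "applicable": False, "status": "excluded",
                         "justification": why, "linked_risks": []}

    # The Annex A comparison the guide requires: every Annex A control is
    # either selected or excluded with a reason.
    for cid in ANNEX_A:
        if cid not in rows:
            gaps.append(f"{cid}: not selected and no exclusion justification")
    return rows, gaps


def reissue_required(previous_rows, current_rows):
    """Certification is tied to an SoA version: a change in the set of
    applicable controls means a new SoA (and certificate) is needed."""
    def applicable(rows):
        return {c for c, r in rows.items() if r["applicable"]}
    return applicable(previous_rows) != applicable(current_rows)


def sample_soa():
    """Constructed inputs for one agency's first SoA."""
    implemented = {"A.5.1.1": "Agency information security policy approved by the CEO"}
    treatments = [
        {"risk_id": "R-01", "controls": ["A.8.1.1", "A.8.1.2"]},
        {"risk_id": "R-02", "controls": ["A.12.4.1", "QG-LOG-1"]},
    ]
    other = {"QG-LOG-1": ("Agency logging standard", "Central log retention for 12 months")}
    exclusions = {"A.9.2.1": "User registration is performed by the shared service "
                             "provider and is outside the ISMS scope"}
    return build_soa(implemented, treatments, other, exclusions)


if __name__ == "__main__":
    rows, gaps = sample_soa()
    for cid, r in rows.items():
        print(cid, r["status"], r["linked_risks"])
    print("gaps:", gaps)
```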
TIME
15 minutes
TASK
In your teams, using the SoA template provided, complete the relevant
rows for the controls previously selected.
DOCUMENTATION
Apart from the record types listed above, other useful records may include:
• Management decisions – e.g. evidence of the risk owner’s approval for
selected controls or acceptance of risk;
• Visitor’s logs, access logs and CCTV images;
• Records of security incidents, root cause analysis, corrective actions and
improvements.
DOCUMENTATION
You don’t need to document everything. If the standard uses terms such as
“formal” or “established, documented and reviewed” then these documents
must formally exist.
Procedures that are not formally documented are permissible and have the
following characteristics:
• The procedure is systematically:
   – Communicated
   – Understood
   – Applied
   – Effective
TRAINING
The ISMS requires that all personnel are competent in terms of their role within
the ISMS. Any competency gaps that have been identified need to be
addressed.
However, there is some specific ISMS-focussed training for some target user
groups. Some of these groups and the type of training that may be required are
listed in the following table.
TRAINING
When developing any training plan, consideration must be given to the following:
• Who is the target audience?
• What messages do they need?
• How will the message/training be delivered? Face-to-face, online,
PowerPoint, team briefings?
• When will the training occur, and how often does it need to happen?
• Who will be responsible for organising the training, updating the content
and delivering the material?
• Are assessments or effectiveness metrics required? Quizzes? Surveys?
TIME
15 minutes
TASK
• In your teams, identify 2 target groups that will require some form of
training
• Document:
– A few of the key messages
– How the training will be delivered
– How often it will happen
– Assessment requirements
COMMUNICATIONS
Again, some process like a Communications Needs Analysis can identify these
elements and allow for the development of a comprehensive communications
plan.
MEASUREMENT
Note that more mature management systems tend to have more metrics
available than systems in the early days of operations.
MEASUREMENT
Agencies should not try to “reinvent the wheel”. Most agencies already
accumulate some data or information about information security and how certain
controls are functioning. This is a good place to start.
One strategy commonly used is to select controls based on the types or levels
of risks that they are mitigating. The more risks a control is mitigating, the more
likely that control is important and should be measured.
Remember that Internal Audit and Management Review are also both
improvement vehicles.
TIME
15 minutes
TASK
In your teams, identify 3 security metrics that are already being collected
by agencies.
The second objective of the ISMS Internal Audit is the opportunity to identify
improvements to the ISMS.
Internal audits are conducted under the banner of the ISMS audit program.
This program tends to span a period of several years and outlines the scope
of each of the planned audits within the program. Audits need to occur at
planned intervals. This does not mean regular intervals.
The audit program must address all mandatory clauses and all controls
specified within the SoA.
Each individual ISMS audit may only be focussed on certain clauses and
control domains. The auditor for each of these audits cannot audit outside
the scope of that specific audit without approval.
The focus of any ISMS audit is on the system and NOT the people. If any
resource weaknesses are identified, they must always be related to a system
weakness: mistakes introduced because of a lack of awareness of
responsibilities, a competency gap, or poor supporting policies and
procedures. These are the deficiencies that need to be addressed.
As with all roles within the ISMS, ISMS Auditors need to be competent and
have the necessary skills to conduct an ISMS audit. Whilst the general ICT
auditor has the necessary skills to audit the control elements, it is important
that the auditor has sufficient skills to audit the management system
components.
MANAGEMENT REVIEW
These inputs and outputs must be documented, usually in the minutes of the
Management Review meeting.
Given that the results of the ISMS Internal Audit form part of the inputs into the
Management review, this means that the audit should occur before the
management review is conducted.
The need for corrective action can arise from a number of ISMS activities.
These include:
• Internal audits;
• Management reviews;
• External audits;
• Security incidents;
• Security reviews and testing.
CORRECTIVE ACTION
IMPROVEMENTS
This approach has several benefits. Firstly, the business doesn’t see this as a
“big bang” approach. The benefits for these new or amended processes are
recognised early, building support for the ISMS. The other major benefit comes
with the early collection of measures and evidence to assist in improving the
ISMS.
It is important to ensure that these new and changed processes are made
available to the operational teams. The operation of the ISMS should sit as
close to the front-line operational teams as possible. It should become
“business-as-usual”.
ORGANISATIONAL CHANGE
Keeping the system as simple as possible is another factor that can help
overcome some of these challenges.
The ISMS Security Calendar may form part of a larger compliance calendar.
TIME
15 minutes
TASK
Consider:
• ISMS-specific activities
• Control effectiveness reviews
• Other security activities
CERTIFICATION
The first step of the certification process involves the organisation completing
an application form with a selected certification organisation.
The next step is the conduct of a Stage 1 certification audit, followed by the
final Stage 2 audit. At the completion of the Stage 2 audit a recommendation
for certification will be made, assuming no major non-conformances have been
identified.
CERTIFICATION AUDITS
During the Stage 1 certification audit, the auditor examines the documentation
from the system to ensure that it meets the requirements of the standard. From
a control perspective, this review focusses on the “intent”, that is, the
organisation has or will implement this control. This assessment of intent is
driven by those controls included in the SoA.
The auditor will also examine all mandatory documentation required by the
standard.
During a Stage 2 audit, the auditor is looking for evidence that the processes
and controls have been implemented and are effective.
Note that most Queensland Government agencies do not currently have the
requirement to seek certification for their ISMS.
Summary
SUMMARY
Implementation is quite linear, and once the scope is well-defined, the
remaining implementation steps are straightforward.
Like all larger programs of work, good planning generally leads to a good
outcome.
Try not to over-engineer the processes, particularly risk management, and don’t
over-document. Make sure the documentation is “fit for purpose” and targeted
at the desired audience.
Remember clauses 4-10 are the heart of the ISMS and are mandatory. You
must address all requirements in these clauses.
SUMMARY
The use of security calendars has proven beneficial for most ISMS
implementations and is strongly recommended.
The deployment of an ISMS is a shift from the IS18 compliance model to a risk-
based model, taking into account the differences between agencies. The ISMS
provides a platform for a proactive security environment and acts as a driver to
strengthen security culture.