ISO 27001
documentation, management, information security control
3 types of ISMS requirements
all Annex A controls (114 in the 2013 edition), justification for each inclusion/exclusion, review by management, mapping of control objectives to the identified risks, evidence of implementation status
SoA (Statement of Applicability) inclusions
ISO 27001
a comprehensive minimum baseline of information security controls that an information security program SHALL address in some manner; stated as requirements
any item, process, or resource valued by an organization whose loss or compromise could have an impact on the business
asset
a systematic, risk-based approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security in order to achieve business objectives
definition of an ISMS
documented statement describing the control objectives and controls that are relevant and applicable to the organization
statement of applicability
updated
the risk treatment plan is to be used and _____ proactively
organizational structure/business units, people, locations, technology, physical premises, assets, exclusions with justification, interfaces and dependencies, interested parties and their requirements
scope requirements
a potential cause of an undesired event, which may result in harm to an asset
threat
people, process, technology
3 sources of information security threats
a weakness of an asset or group of assets, or a lack of a safeguard, that can be exploited by one or more threats
vulnerability
initial, surveillance
1 year maximum between the _____ audit and the _____ audit
the asset is expected to be decommissioned, legal obligations, cost-benefit analysis
3 reasons for risk acceptance
detective, preventive, corrective
3 types of controls
accept, mitigate, avoid, transfer
4 risk treatment options
ISMS Policy
_____ provides direction from "what do we do now" (mission) to "what do we want to do in the future" (vision), leading towards a strategy; its main purpose is to elevate information security to the top of the "to-do" list so that it evolves into the "must-do" list
monitoring
determining the status of a system, a process, a product, a service or an activity
what happened
effectiveness measures measure _________; they are measures that express the effect that realization of the planned activities has on the organization's information security objectives
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
interested party
process/procedures
level 2 documents that describe processes: who, what, where, when
1 3 4
level ____ through ____ documents we maintain, and level ____ documents (records) we retain
requirement
need or expectation that is stated, generally implied or obligatory
to protect the information assets from the loss of confidentiality, integrity, and availability
objective of any ISMS
Improvement (continual improvement): -corrective action tracker -nonconformity reports
output of clause 10
Context of the organization: -scope and boundaries of the ISMS
output of clause 4
Leadership: -leadership commitment -information security policy -roles and responsibilities
output of clause 5
Planning: -risk assessment methodology -risk assessment and risk treatment plan -SoA -information security objectives
output of clause 6
Support: -documentation standard and records -communication policy -awareness program -competence measures -assigned resources
output of clause 7
Operation: -evidence of control operation -results of the risk assessment and risk treatment review
output of clause 8
Performance evaluation: -monitoring and measurement -internal audit (plan and results) -management review
output of clause 9
goal
performance measures are the _____; they are measures that express the planned results in terms of the characteristics of the planned activity
measurement
process to determine a value
annually
risk assessments must be conducted at a minimum _____ (the standard itself says "at planned intervals" and whenever significant changes occur; annual is the accepted practice)
the effect of uncertainty on objectives
risk definition
threat x vulnerability x asset (value); a conceptual relationship, not a literal arithmetic product
risk formula
scope, risk acceptance levels, risk acceptance criteria, risk assessment/analysis, risk treatment, risk monitoring and review
risk management lifecycle