如何在您的組織環境中合規應用ISO/IEC27001 (How to apply ISO/IEC 27001 compliantly in your organisation's environment)
Practical Implementation of ISO/IEC 27001 in Your Environment
Date : 26th Oct , 2016
The contents of this document remain the property of and may not be reproduced in whole or in part without the express permission of the Nexusguard Consulting Ltd. For information please contact with Nexusguard Consulting Ltd
About Me: Experience & Specialities
• Ronald is an Information Security Professional who has 18 years of experience in this business. His areas of responsibility have included Information Security Management, Compliance Audit, Computer Forensics, Anti-Hacking, Training and Classical Cryptography. Ronald has an outstanding track record in the Information Technology field and has helped enhance the reputations of firms and organisations in International Banking, Finance, Government, Education, Manufacturing and Law Enforcement in the Greater China Area.
• Professional field: Computer Forensic Investigator / Professional Lecturer / Information Security and Hacking Expert / Credit Card Payment Security Professional / Inventor / Classical Cryptographer
• Professional certificates: Payment Card Application Security Assessor (PAQSA); ISO/IEC 27001 ISMS Lead Auditor Certificate; PCI Qualified Security Assessor (PCI QSA); ISO/IEC 20000 ITSM Auditor; PCI Approved Scanning Vendor (ASV)
• Membership: British Computer Society (BCS); Institute of Electrical and Electronics Engineers (IEEE); Chinese Association for Cryptologic Research (CACR, 中国密码学会); International Register of Certificated Auditors (IRCA); Hong Kong Information and System Security Professional Association (HKISSP); Information System Security Association (ISSA); Payment Card Industry Professional (PCIP); International Association for Cryptologic Research (IACR); Hong Kong Public Key Infrastructure Forum (HKPKI)
Ronald Pong
Practical Implementation of ISO/IEC 27001 in Your Environment
Agenda
• ISO/IEC 27000:2014 or ISO/IEC 27001:2013, what is the difference?
• The difference between the various documents in the ISO/IEC 27000:2014 series, how do we use them?
• All you need is ISO 27001, 27002, 27003, 27004 and 27005
• Do you know what the difference is between Vulnerability and Threat?
• Process is everything, what is your major business process? Let us learn more from ISO/IEC 27005:2011
• Develop the Threat Model based on the ISO/IEC 27004 requirement
• Using ISO/IEC 27005:2011 as the Impact Analysis and Risk Assessment requirement
• Q&A
ISO/IEC 27000 : 2014 or ISO/IEC 27001:2013, what is the difference?
• ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security Management Systems (ISMS) standards, the 'ISO/IEC 27000 series'. ISO/IEC 27000 is an international standard entitled: Information technology — Security techniques — Information security management systems — Overview and vocabulary.
• The standard was developed by sub-committee 27 (SC27) of the first Joint Technical Committee (JTC1) of the International Organization for Standardization and the International Electrotechnical Commission.
• ISO/IEC 27000 provides:
  • An overview of and introduction to the entire ISO/IEC 27000 family of Information Security Management Systems (ISMS) standards.
  • A glossary or vocabulary of fundamental terms and definitions used throughout the ISO/IEC 27000 family.
Figure: the ISO/IEC 27000 family of standards, grouped in the diagram as General Requirements, Terminology, General Guidelines and Sector-specific Guidelines:
• 27000 Overview and Vocabulary (provides background, terms and definitions applicable to the ISMS family of standards)
• 27001 Requirement
• 27006 Certification Body Requirement
• 27005 Risk Management
• 27003 Implementation Guidance
• 27004 Measurements
• 27002 Code of Practice
• 27007 Audit Guidelines
• 27013 Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• 27011 Telecommunications Organization
• 27799 Health Organization
• 27037 Guidelines for identification, collection and/or acquisition and preservation of digital evidence
ISO 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for an information security management system (ISMS). Organisations which meet the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process.
ISO/IEC 27000 : 2014 or ISO/IEC 27001:2013, what is the difference?
Figure: Information security management systems: 10 Requirements + Annex A (List of controls and their objectives): 114 Requirements.
Do you know what the difference is between Vulnerability and Threat?
Information Security Risk Management
Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. - CISA 2006 Review Manual
• Risk - the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset).
• Vulnerability - a vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
• Threat - a threat is anything (man-made or act of nature) that has the potential to cause harm.
• Management - the term "management" characterizes the process of and/or the personnel leading and directing all or part of an organization (often a business) through the deployment and manipulation of resources (human, capital, natural, intellectual or intangible).
• Process - the process of risk management is an ongoing iterative process. It must be repeated indefinitely.
• Choice of control - a control used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.
All you need is ISO 27001, 27002, 27003, 27004 and 27005
Figure legend: MUST / MAJOR REFERENCE / SUPPORTIVE
• ISO/IEC 27001 — Information technology - Security techniques - Information security management systems
• ISO/IEC 27002 — Code of practice for information security management
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Measurement
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 — Guidelines for information security management systems auditing
• ISO/IEC 27035 — Information security incident management
• ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence
All you need is ISO 27001, 27002, 27003, 27004 and 27005
Process is everything, what is your major business process? Let us learn more from ISO/IEC 27005 : 2011
Figure: Scoping is everything (ISO 27005, page 28) - OBJECTIVE
Process is everything, what is your major business process? Let us learn more from ISO/IEC 27005 : 2011
The scope and boundaries
• The organization should define the scope and boundaries of information security risk management.
• The scope of the information security risk management process needs to be defined to ensure that all relevant assets are taken into account in the risk assessment. In addition, the boundaries need to be identified [see also ISO/IEC 27001 Clause 4.2.1 a)] to address those risks that might arise through these boundaries.
• Information about the organization should be collected to determine the environment it operates in and its relevance to the information security risk management process.
• When defining the scope and boundaries, the organization should consider the following information:
  • The organization's strategic business objectives, strategies and policies
  • Business processes
  • The organization's functions and structure
  • Legal, regulatory and contractual requirements applicable to the organization
  • The organization's information security policy
  • The organization's overall approach to risk management
  • Information assets
  • Locations of the organization and their geographical characteristics
  • Constraints affecting the organization
  • Expectation of stakeholders
  • Socio-cultural environment
  • Interfaces (i.e. information exchange with the environment)
• Additionally, the organization should provide justification for any exclusion from the scope. Examples of the risk management scope may be an IT application, IT infrastructure, a business process, or a defined part of an organization.
Figure: Scoping is everything (ISO 27005, page 28) - SCOPING. Constraints shown: financial constraints, environmental constraints, time constraints, constraints related to methods and know-how, organization constraints, organizational constraints. Functions shown: operation, maintenance, human resources management, development management, administrative management.
Develop the Threat Model based on the ISO/IEC 27004 requirement
MEASUREMENT OF INFORMATION SECURITY MANAGEMENT SYSTEM
How to Measure the Effectiveness of Security in ISO 27001
Objective of Measurement:
• To show ongoing improvement;
• To show compliance (with Standards, contracts, SLAs, OLAs, etc);
• To justify any future expenditure (new security software, training, people, etc);
• ISO 27001 requires it. Other Management Systems also require it – ISO 9001, ISO 20000;
• To identify where implemented controls are not effective in meeting their objectives;
• To provide confidence to senior management and stakeholders that implemented controls are effective.

So, which of the 114 potentially applicable controls (within ISO 27001) can be used to measure security? Well, arguably, all of them. In practice, though, this would invariably be too onerous a task and would cause an already overworked IT Department to crumble under the weight of bureaucracy. Before we attempt to answer this question, then, we should always understand the requirement for such clarity.
• Why are you being asked to provide such information?
• What is the driver?
• Where does the requirement come from?

Other drivers may exist, too. It could be that the company has just realized that you can get more from ISO 27001, or perhaps it's operational risk management such as BASEL II, SOX, Turnbull (UK Corporate Governance) or simply Regulatory requirements and Legislation that's driving your business. Either way, you're not alone. Many organizations (but not all) misunderstand the fundamental concepts behind BS 7799 and ISO 27001 and have treated it as a marketing exercise, as opposed to trying to achieve real business benefit and ROI. ISO 27001 provides much more clarity and goes further into what should be measured for its effectiveness. As such, the much anticipated ISO 27004 (guidelines on how to measure effectiveness) in 2007 should finally put an end to this 'grey' area and will hopefully shed much needed light onto the types of controls to be measured and what results we should expect (e.g. Industry Baseline).
MEASUREMENT OF INFORMATION SECURITY MANAGEMENT SYSTEM
Develop the Threat Model based on the ISO/IEC 27004 requirement
ISO 27004 Information technology - Security techniques - Information security
Develop the Threat Model based on the ISO/IEC 27004 requirement
In risk assessment methods of this type, actual or proposed physical assets are valued in terms of replacement or reconstruction costs (i.e. quantitative measurements). These costs are then converted onto the same qualitative scale as that used for information (see below). Actual or proposed software assets are valued in the same way as physical assets, with purchase or reconstruction costs identified and then converted to the same qualitative scale as that used for information. Additionally, if any application software is found to have its own intrinsic requirements for confidentiality or integrity (for example if source code is itself commercially sensitive), it is valued in the same way as for information.
• The values for information are obtained by interviewing selected business management (the "data owners") who can speak authoritatively about the data, to determine the value and sensitivity of the data actually in use, or to be stored, processed or accessed. The interviews facilitate assessment of the value and sensitivity of the information in terms of the worst case scenarios that could be reasonably expected to happen from adverse business consequences due to unauthorized disclosure, unauthorized modification, non-availability for varying time periods, and destruction.
• The valuation is accomplished using information valuation guidelines, which cover such issues as:
  • Personal safety
  • Personal information
  • Legal and regulatory obligations
  • Law enforcement
  • Commercial and economic interests
  • Financial loss / disruption of activities
  • Public order
  • Business policy and operations
  • Loss of goodwill
  • Contract or agreement with a customer
• The guidelines facilitate identification of the values on a numeric scale, such as the 0 to 4 scale shown in the example matrix below, thus enabling the recognition of quantitative values where possible and logical, and qualitative values where quantitative values are not possible, e.g. for endangerment of human life.
Figure: Standard Risk Matrix, with IMPACT on the vertical axis ("High impact" is 8 and above, "Low impact" is below 8) and PROBABILITY on the horizontal axis from 0% to 100% ("High probability" is above 50%, "Low probability" is below 50%), giving four quadrants: High impact / Low probability risks; Low impact / Low probability risks; High impact / High probability risks; Low impact / High probability risks.
Develop the Threat Model based on the ISO/IEC 27004 requirement
• For each asset, the relevant vulnerabilities and their corresponding threats are considered. If there is a vulnerability without a corresponding threat, or a threat without a corresponding vulnerability, there is presently no risk (but care should be taken in case this situation changes). Now the appropriate row in the matrix is identified by the asset value, and the appropriate column is identified by the likelihood of the threat occurring and the ease of exploitation. For example, if the asset has the value 3, the threat is "high" and the vulnerability "low", the measure of risk is 5. Assume an asset has a value of 2, e.g. for modification, the threat level is "low" and the ease of exploitation is "high", then the measure of risk is 4. The size of the matrix, in terms of the number of threat likelihood categories, ease of exploitation categories and the number of asset valuation categories, can be adjusted to the needs of the organization. Additional columns and rows will necessitate additional risk measures. The value of this approach is in ranking the risks to be addressed.
Develop the Threat Model based on the ISO/IEC 27004 requirement
• A similar matrix as shown in the previous table results from the consideration of the likelihood of an incident scenario, mapped against the estimated business impact. The likelihood of an incident scenario is given by a threat exploiting a vulnerability with a certain likelihood. The table maps this likelihood against the business impact related to the incident scenario. The resulting risk is measured on a scale of 0 to 8 that can be evaluated against risk acceptance criteria. This risk scale could also be mapped to a simple overall risk rating, for example as:
  • Low risk: 0-2
  • Medium Risk: 3-5
  • High Risk: 6-8
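As an added example (not code from the slides or from ISO/IEC 27005), the matrix lookup, rating bands and ranking described in the two slides above, in Python. It assumes each matrix cell is asset value + threat likelihood level + ease-of-exploitation level (Low=0, Medium=1, High=2), which reproduces both worked cases on the slide; the asset register at the bottom is constructed sample data.

```python
# Added example: asset-value x threat-likelihood x ease-of-exploitation matrix
# giving a 0..8 risk measure, the Low/Medium/High rating bands from the slide,
# and the ranking of risks to be addressed.
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Level(IntEnum):
    """Ordinal scale used for both threat likelihood and ease of exploitation."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


ASSET_VALUES = range(0, 5)  # qualitative asset value scale 0..4 from the text


def build_matrix() -> Dict[Tuple[int, Level, Level], int]:
    """Build every cell: one row per asset value, one column per
    (threat likelihood, ease of exploitation) pair.
    Assumption: the additive construction reproduces the slide's table;
    it agrees with both worked cases in the text (3/high/low -> 5, 2/low/high -> 4)."""
    return {
        (value, threat, vuln): value + int(threat) + int(vuln)
        for value in ASSET_VALUES
        for threat in Level
        for vuln in Level
    }


MATRIX = build_matrix()


def risk_measure(asset_value: int, threat: Optional[Level],
                 vulnerability: Optional[Level]) -> Optional[int]:
    """Look up the 0..8 risk measure. A vulnerability with no corresponding
    threat (or a threat with no vulnerability) is passed as None and yields
    no risk at present, the case the text says to keep watching."""
    if asset_value not in ASSET_VALUES:
        raise ValueError(f"asset value must be in {list(ASSET_VALUES)}")
    if threat is None or vulnerability is None:
        return None
    return MATRIX[(asset_value, threat, vulnerability)]


def risk_rating(measure: int) -> str:
    """Map the 0..8 measure to the overall rating bands given on the slide."""
    if not 0 <= measure <= 8:
        raise ValueError("risk measure must be in 0..8")
    if measure <= 2:
        return "Low"
    if measure <= 5:
        return "Medium"
    return "High"


def rank_risks(register: List[Tuple[str, int, Optional[Level], Optional[Level]]]
               ) -> List[Tuple[str, int, str]]:
    """Rank (asset, measure, rating) from highest to lowest risk, dropping
    entries that currently carry no risk."""
    ranked = []
    for name, value, threat, vuln in register:
        measure = risk_measure(value, threat, vuln)
        if measure is not None:
            ranked.append((name, measure, risk_rating(measure)))
    ranked.sort(key=lambda entry: entry[1], reverse=True)
    return ranked


# Constructed sample register: (asset, asset value, threat likelihood,
# ease of exploitation). The first two rows are the slide's own worked cases.
SAMPLE_REGISTER = [
    ("customer database",      3, Level.HIGH, Level.LOW),     # measure 5
    ("payroll file (modify)",  2, Level.LOW,  Level.HIGH),    # measure 4
    ("public web server",      4, Level.HIGH, Level.HIGH),    # measure 8
    ("archived brochure PDFs", 0, Level.LOW,  Level.LOW),     # measure 0
    ("lab prototype",          2, None,       Level.MEDIUM),  # no threat: no risk
]

if __name__ == "__main__":
    for name, measure, rating in rank_risks(SAMPLE_REGISTER):
        print(f"{measure}  {rating:<6} {name}")
```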
Develop the Threat Model based on the ISO/IEC 27004 requirement with 27005 Risk Assessment Method
Figure: the ISO/IEC 27005 information security risk management process. CONTEXT ESTABLISHMENT feeds RISK ASSESSMENT, which consists of RISK ANALYSIS (RISK IDENTIFICATION, then RISK ESTIMATION) followed by RISK EVALUATION. At RISK DECISION POINT 1 (assessment satisfactory?) a NO loops back to an earlier stage and a YES proceeds to RISK TREATMENT; at RISK DECISION POINT 2 (treatment satisfactory?) a NO loops back and a YES proceeds to RISK ACCEPTANCE and the END OF FIRST OR SUBSEQUENT ITERATION. RISK COMMUNICATION and RISK MONITORING AND REVIEW run alongside every stage.
Impact criteria
• Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an information security event, considering the following:
  • Level of classification of the impacted information asset
  • Breaches of information security (e.g. loss of confidentiality, integrity and availability)
  • Impaired operations (internal or third parties)
  • Loss of business and financial value
  • Disruption of plans and deadlines
  • Damage of reputation
  • Breaches of legal, regulatory or contractual requirements
• NOTE See also ISO/IEC 27001 [Clause 4.2.1 d) 4)] concerning the impact criteria identification for losses of confidentiality, integrity and availability.
Develop the Threat Model based on the ISO/IEC 27004 requirement with 27005 Risk Assessment Method
Figure: the same ISO/IEC 27005 process flow, annotated with the inputs and outputs of each stage. CONTEXT ESTABLISHMENT: risk evaluation criteria, risk acceptance criteria, the scope and boundaries, organization for information security risk management. RISK ASSESSMENT = RISK ANALYSIS (RISK IDENTIFICATION: assets, threats, vulnerabilities, controls; RISK ESTIMATION: qualitative / quantitative estimation) + RISK EVALUATION: prioritized risks according to risk evaluation criteria. RISK TREATMENT: risk reduction, risk retention, risk avoidance, risk transfer. RISK ACCEPTANCE. RISK COMMUNICATION. RISK MONITORING AND REVIEW: monitoring and review of risk factors; risk management monitoring, reviewing and improving.
Develop the Threat Model based on the ISO/IEC 27004 requirement
Risk acceptance criteria
• Risk acceptance criteria should be developed and specified. Risk acceptance criteria often depend on the organization's policies, goals, objectives and the interests of stakeholders. An organization should define its own scales for levels of risk acceptance. The following should be considered during development:
  • Risk acceptance criteria may include multiple thresholds, with a desired target level of risk, but provision for senior managers to accept risks above this level under defined circumstances
  • Risk acceptance criteria may be expressed as the ratio of estimated profit (or other business benefit) to the estimated risk
  • Different risk acceptance criteria may apply to different classes of risk, e.g. risks that could result in non-compliance with regulations or laws may not be accepted, while acceptance of high risks may be allowed if this is specified as a contractual requirement
  • Risk acceptance criteria may include requirements for future additional treatment, e.g. a risk may be accepted if there is approval and commitment to take action to reduce it to an acceptable level within a defined time period
  • Risk acceptance criteria may differ according to how long the risk is expected to exist, e.g. the risk may be associated with a temporary or short term activity.
• Risk acceptance criteria should be set up considering the following:
  • Business criteria
  • Legal and regulatory aspects
  • Operations
  • Technology
  • Finance
  • Social and humanitarian factors
• NOTE: Risk acceptance criteria correspond to "criteria for accepting risks and identify the acceptable level of risk" specified in ISO/IEC 27001 Clause 4.2.1 c) 2).
How about 27002 and 27003 ?
• How to establish security requirements
• It is essential that an organisation identifies its security requirements. There are three main sources of security requirements.
  1. One source is derived from assessing risks to the organisation, taking into account the organisation's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.
  2. Another source is the legal, statutory, regulatory, and contractual requirements that an organisation, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.
  3. A further source is the particular set of principles, objectives and business requirements for information processing that an organisation has developed to support its operations.
• Assessing security risks
• Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.
• The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.
• Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results. More information about the assessment of security risks can be found in clause 4.1 "Assessing security risks".
• Selecting controls
• Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate. The selection of security controls is dependent upon organisational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied to the organisation, and should also be subject to all relevant national and international legislation and regulations.
• Some of the controls in this standard can be considered as guiding principles for information security management and applicable for most organisations. They are explained in more detail below under the heading "Information security starting point".
• More information about selecting controls and other risk treatment options can be found in clause 4.2 "Treating security risks".
How about 27006 and 27007?
Q&A