- What is a certificate good for?
- Facts / Misconceptions.
- Selection of the Certification Body.
- Validation of the Certificates.
- Type of Audits.
- Pass / Fail. Types of Non-Conformities.
What you need to do before the Implementation Project:
- Understanding the organization and its context
- Determining the scope of the ISMS
- Understanding the needs and expectations of interested parties
- IS Objectives / IS Metrics
"A Team is needed" (Ede Minarik, the laundry man):
- Members of the Implementation Team.
- Organizational roles, responsibilities and authorities.
- Management awareness.
Internal Audits, Management Review
"Types of Assets":
- IT Resources
Responsibility of Assets:
- Inventory of Assets
- Acceptable use of Assets
- Mobile devices + Teleworking
- Return of Assets
- Classification of Information
- Type of damages
- Handling of Assets
IS Risk Management / Analysis / Assessment:
- The CRAMM Methodology
- Other Risk Assessment Methodologies
- Labelling of Information
Media handling Removable media:
- Disposal (reuse) of media
- Physical media transfer
- Personal Data Handling
- JD (Job Description) + NDA
- Segregation of duties
- Termination and change of employment
- User Registration and de-registration
- Privileged Access Rights
- Physical security perimeter
- Physical entry controls
- Securing offices, rooms and facilities
- Protecting against external and environmental threats
- Operational procedures and responsibilities
- Controls against malware
- Logging and monitoring
- Technical vulnerability management
- Security of network services
- Segregation in networks
- Security requirements of information systems
- Secure development policy
- System security testing + Test Data
- Secure development environment
- Information security policy for supplier relationships
- Addressing security within supplier agreements.
- Monitoring and review of supplier services.
- ITIL (ISO 20000) naming convention
- Event, Incident, Problem, etc.
- Responsibilities and procedures
- Reporting information security events
- Assessment of and decision on information security events.
- Collection of evidence
- Learning from information security incidents
- Business Impact Analysis
- Business Continuity Plans
- Disaster Recovery Plans
- Planning information security continuity
- Verify, review and evaluate information security continuity
- Identification of applicable legislation and contractual requirements
- Intellectual property rights
- Privacy and protection of personally identifiable information
Independent review of information security:
- Technical compliance review