Effektivt stöd för GRC med nya ISO Standarder Anders Carlstedt, Editor ISO/IEC 27002, 27005 & 28008 Partner, Amentor

About Amentor A Swedish GRC professional services company, founded in 2004, servicing leading multinationals and government agencies - Active members in ISACA and SIS & ISO/IEC - PCI/QSA accredited - Provides ISO/IEC standards training and certification for professionals, e.g. Lead Auditor, Risk Manager

About Amentor

Om presentationen ”Effektivt stöd för GRC och säkerhets- åtgärder med nya ISO-standarder”

Områden Bakgrund Governance – ISO/IEC 27014 Risk – ISO/IEC 27005 Compliance – ISO/IEC 27008 Sammanfattning

Bakgrund Risk Compliance ”Effect of uncertainty on objectives” Governance: “The system by which organizations are directed and controlled.” (Cadbury 1992 and OECD 1999) Corporate governance of IT “The system by which the current and future use of IT is directed and controlled. Risk ”Effect of uncertainty on objectives” Compliance (Comply) ”act in accordance with a wish or command: we are unable to comply with your request.”

Områden Bakgrund Governance – ISO/IEC 27014 Risk – ISO/IEC 27005 Compliance – ISO/IEC 27008 Sammanfattning

Governance - 27014 ISO/IEC 27014 - Governance of information security ”…provides guidance on concepts and principles for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security related activities within the organisation. ”

Governance – Cobit 5

Information Security Governance - 27014

Information Security Governance - 27014

Information Security Governance - 27014 “Evaluate” is the governance process that considers the current and forecast achievement of security objectives based on current processes and planned changes, and determines where any adjustments are required to optimise the achievement of strategic objectives in future. To perform the “evaluate” process, the governing body should: ensure that business initiatives take into account information security issues, respond to information security performance results, prioritize and initiate required actions. To enable the “evaluate” process, executive management should: ensure that information security adequately supports and sustains the business objectives, submit new information security projects with significant impact to governing body.

Information Security Governance - 27014 “Direct” is the governance process, by which the governing body gives direction about the information security objectives and strategy that need to be implemented. Direction can include changes in resourcing levels, allocation of resources, prioritisation of activities, and approvals of policies, material risk acceptance and risk management plans. To perform the “direct” process, the governing body should: determine the organisation’s risk appetite, approve the information security strategy and policy, allocate adequate investment and resources. To enable the “direct” process, executive management should: develop and implement information security strategy and policy, align information security objectives with business objectives, promote a positive information security culture.

Information Security Governance - 27014 “Monitor” is the governance process that enables the governing body to assess the achievement of strategic objectives. To perform the “monitor” process, the governing body should: assess the effectiveness of information security management activities, ensure conformance with internal and external requirements, consider the changing business, legal and regulatory environment and their potential impact on information risk. To enable the “monitor” process, executive management should: select appropriate performance metrics from a business perspective, provide feedback on information security performance results to the governing body including performance of action previously identified by governing body and their impacts on the organisation, alert the governing body of new developments affecting information risks and information security.

Information Security Governance - 27014 “Communicate” is the bi-directional governance process by which the governing body and stakeholders exchange information about information security, appropriate to their specific needs. To perform the “communicate” process, the governing body should: report to external stakeholders that the organisation practices a level of information security commensurate with the nature of its business, notify executive management of the results of any external reviews that have identified information security issues, and request corrective actions, recognize regulatory obligations, stakeholders expectations, and business needs with regard to information security. To enable the “communicate” process, executive management should: advise the governing body of any matters that require its attention and, possibly, decision, instruct relevant stakeholders on detailed actions to be taken in support of the governing body’s directives and decisions.

Information Security Governance - 27014 “Assure” is the governance process by which the governing body commissions independent and objective audits, reviews or certifications. These will identify and validate the objectives and actions related to carrying out governance activities and conducting operations in order to attain the desired level of information security. To perform the “assure” process, the governing body should: commission independent and objective opinions of how it is complying with its accountability for the desired level of information security. To enable the “assure” process, executive management should: support the audit, reviews or certifications commissioned by governing body.

Information Security Governance - 27014 Principle 1: Establish organisation-wide information security Principle 2: Adopt a risk-based approach Principle 3: Set the direction of investment decisions Principle 4: Ensure conformance with internal and external requirements Principle 5: Foster a security-positive environment Principle 6: Review performance in relation to business outcomes

Områden Bakgrund Governance – ISO/IEC 27014 Risk – ISO/IEC 27005 Compliance – ISO/IEC 27008 Sammanfattning

Risk - 27005 ISO/IEC 27005 - Riskhantering för informationssäkerhet ”…innehåller en beskrivning av processen för riskhantering för informationssäkerhet och de aktiviteter som den omfattar.”

Risk - 27005 En allmän översikt av processen för riskhantering för informationssäkerhet redovisas i avsnitt 6. Fastställande av kontext i avsnitt 7, Riskbedömning i avsnitt 8, Riskbehandling i avsnitt 9, Riskacceptans i avsnitt 10, Riskkommunikation i avsnitt 11, Övervakning och granskning av risker i avsnitt 12.

Risk - 27005

Risk - 27005

Risk – 31000 vs. 27005

Risk 27005

Risk - 27005 Ytterligare information om aktiviteter för hantering av informationssäkerhetsrisker presenteras i bilagorna. Fastställandet av kontext stöds av bilaga A (Fastställande av omfattning och begränsningar för processen för riskhantering för informationssäkerhet). Identifiering och värdering av tillgångar samt bedömning av påverkan diskuteras i bilaga B (Exempel på identifiering av tillgångar), bilaga C (Exempel på typiska hot) och bilaga D (Sårbarheter och metoder för bedömning av sårbarhet). Exempel på förhållningssätt för bedömning av informationssäkerhetsrisker presenteras i bilaga E. Begränsningar för reducering av risk presenteras i bilaga F. Skillnader i definitioner mellan SS-ISO/IEC 27005:27008 och SS- ISO/IEC 27005:2012 redovisas i Annex G!

Områden Bakgrund Governance – ISO/IEC 27014 Risk – ISO/IEC 27005 Compliance – ISO/IEC 27008 Sammanfattning

Compliance - 27008 ISO/IEC 27008 - Vägledning om säkerhetsåtgärder för revisorer ”…ger vägledning om granskning av införande och drift av säkerhetsåtgärder, inklusive granskning av teknisk efterlevnad avseende säkerhetsåtgärder i systemmiljö, mot etablerade informationssäkerhetsstandarder inom en organisation.”

Compliance - 27008 Struktur och innehåll: …en beskrivning av granskningsprocessen för säkerhetsåtgärder, inklusive granskning av teknisk efterlevnad. Bakgrundsinformation återfinns i avsnitt 5. Avsnitt 6 erbjuder en översikt över granskningar av säkerhetsåtgärder. Granskningsmetoderna presenteras i avsnitt 7 Granskningsaktiviteterna i avsnitt 8. Granskning av teknisk efterlevnad återfinns bilaga A Stöd avseende inledande informationsinsamling återfinns i bilaga B.

Compliance - 27008

Compliance - 27008

Compliance - 27008

Områden Bakgrund Governance – ISO/IEC 27014 Risk – ISO/IEC 27005 Compliance – ISO/IEC 27008 Sammanfattning

Sammanfattning Corporate Governance Information Security Governance Key Security Governance Responsibilities Corporate Governance Shareholder value from security investments Minimize and manage risks Information Security Governance Plan and execute strategy to deliver business security and shareholder value Minimize and manage risks Information Security Management Deliver ISMS Deliver security solutions Operate security capabilities

Functional leadership Enterprise perspective Sammanfattning Functional leadership Enterprise perspective Less responsive to end users Scale economies Potentially more costly BU ownership No BU ownership Variable security competencies Control of standards Users control priorities No BU cost control Responsiveness to needs Wheel reinvention Critical mass of skills Does not meet everyone’s needs No synergy Pooled experience Synergy Centralized Decentralized

Sammanfattning Hårdare krav på effektiv företagsstyrning och intern kontroll Genom att integrera de nya ”Governance” kraven med företagets existerande ledningssystem skapar organisationen en flexibel plattform och är redo för nya anpassningar i framtiden. Kommande ISO/IEC 27014 ”ISG ”kommer att tydligöra kopplingen mellan IT Governance – Information Security Governance – och Ledningsystem för Informationssäkerhet (”ISMS”) ISO/IEC 27005 ger tydlig vägledning och stöd för hanteringen av informationssäkerhetsrisker ISO/IEC 27008 ger handledning både för kravställning inför eventuell upphandling av, och inför/under/efter genomförande av revisioner

Tack för mig anders.carlstedt@amentor.se