EXIN Information Security Foundation based on ISO/IEC 27001
Version 202306 Copyright © EXIN Holding B.V. 2023. All rights reserved. EXIN® is a registered trademark. No part of this publication may be reproduced, stored, utilized or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written permission from EXIN. 002
Introduction to the Body of Knowledge • These slides contain presentation material designed to prepare students for the EXIN Information Security Management Professional based on ISO/IEC 27001 certification. You can also use this slide deck as the basis for accredited training. • The material refers to all exam specifications and basic concepts. It covers the body of knowledge of the certification. • A proper training requires examples of practical experience, deepening of exam specifications and basic concepts, exercises, elaborating subjects of particular interest to the audience. • In case of minimal training duration, candidates should study this Body of Knowledge (compare training duration with study load in Preparation Guide). • The order of the topics presented in this slide deck follows the order in the exam specifications. • When you make use of this Body of Knowledge, your organization will still need to go through EXIN's standard accreditation procedure. You can find the requirements for accreditation in the Accreditation Manual. • Please note that this Body of Knowledge cannot be sold commercially. ATO’s are allowed to use these materials for the sole purpose of developing their own full courseware to be used in EXIN accredited training. They may not create other commercial products and services based on this file without permission from EXIN. When parts of it are used in another context the source must be referenced and the EXIN copyright statement added. 003
EXIN Information Security Management based on ISO/IEC 27001 program 004
Course objectives and target audience • This certification is intended for all security professionals who are involved in the implementation, evaluation and reporting of an information security program, including the following roles: • information security manager (ISM) • information security officer (ISO) • line manager • process manager • project manager with security responsibilities. Course objectives Target audience • Information security perspectives (10%) • Risk management (30%) • Information security controls (60%) 005
Certification requirements In order to become certified, a professional needs: • Successful completion of the EXIN Information Security Management System based on ISO/IEC 27001 exam. • Accredited EXIN Information Security Management System based on ISO/IEC 27001 training, including completion of the practical assignments. 006
Exam details • Examination type: multiple-choice questions • Number of questions: 30 • Pass mark: 65% (20/30 questions) • Open book: No • Notes: No • Electronic equipment/aides permitted:No • Exam duration: 90 minutes The Rules and Regulations for EXIN’s examinations apply to this exam. 007
Additional exam literature B. ISO/IEC 27000:2020 Information technology — Security techniques — Information security management systems — Overview and vocabulary Switzerland, ISO/IEC, 2020 www.iso.org C. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements Switzerland, ISO/IEC, 2022 www.iso.org 008 D. ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls Switzerland, ISO/IEC, 2022 www.iso.org E. ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks Switzerland, ISO/IEC, 2022 www.iso.org
ISO/IEC 27001:2022 overview The ISO/IEC 27001 standard represents the international standard for the establishment of an Information Security Management System (ISMS). The most recent version was published in 2022 by the International Organization for Standardization (ISO) and the International Electrotechnical Committee (IEC). The standard is used world-wide by organizations that would like to implement information security based on a global standard. ISO/IEC 27001 standard ISO 27001:2022 09
ISO/IEC 27001 structure • 7 Support – description of the actions that must be taken to assign adequate and competent resources, create and develop information security awareness, prepare, publish and control the required documented processes, policies and procedures. • 8 Operation – description of detailed actions to assess and treat information security risks, change management and documents (registers to facilitate auditing activities). • 9 Performance evaluation - description of the actions that must be taken to monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving where necessary. • 10 Improvement - description of the actions that must be taken to continuously improve the ISMS based on audit findings, management reviews, customers inputs, among others. • Annex A Controls reference – description of the main information security controls that must be adopted by the organizations. The selected and used controls as well as the non-used ones must be described on the Statement of Applicability (SoA) document. • 0 Introduction – General introduction to the standard and the wider ISO/IEC 27000 series of standards. • 1 Scope – description of an ISMS generic requirements suitable for any size and type of organization. • 2 Normative references – description of other ISO standards that are required to understand this standard. • 3 Terms and definitions – description of the main terms and definitions used by ISO/IEC 27001. • 4 Context of the organization – description of how organizations should look to their own context in order to define a good scope for the ISMS, to manage the stakeholders' expectations and the main items and processes that must be established, implemented, maintained and continually improved in the ISMS. • 5 Leadership - description of the role and responsibilities from Top Management regarding to the ISMS, as well as define the information security main roles. • 6 Planning - description of the actions that must be taken to identify, analyze and plan to treat information risks. A description and definition of the information security objectives must take place as well. 010
ISO 27001 certification path (overview) The ISMS implementation and certification can differ from organization to organization. However, these are the most common steps. Obtain management commitment Information security policy Internal audit Define scope and context of the ISMS Risk assessment Management review Plan the project Implement controls External audit stage one ISMS objectives and overall management system Statement of Applicability (SoA) External audit stage two (certification) 1 2 3 4 5 6 7 8 9 10 11 12 011
0. Introduction
Definition of the subject Information security deals with… 1 The definition, implementation, maintenance, compliance and evaluation of an ISMS 2 Risk management, leading to a coherent set of controls 3 Safeguard the confidentiality, integrity and availability (CIA) of information 4 The (manual and automated) information supply 013
This implies… A management system such as ISO/IEC 27001 A set of controls such as ISO/IEC 27002 A focus on confidentiality, integrity and availability (CIA) 014
1. Information security perspectives
Information security perspectives business perspective of information security customer (end user) perspective on data privacy service provider/supplier responsibilities in security assurance 016
1.1 Business interest of information security
The business perspective Information has become the most critical asset for many organizations. Protecting this asset from loss, tampering, and disclosure is vital. Controls should be put in place at a level that is appropriate to the value of the information or asset. Information is everywhere, even outside the organization’s perimeter. This fact makes protection difficult but also more necessary; information security is not limited only to the IT field. Custodians of information need to show that they are trustworthy; governance and compliance are crucial. International respected standards and best security practices such as the ISO 2700x series help to understand how to deal with the above (also when using suppliers). business perspective of information security 018
The business perspective Laws and regulations force organizations to comply with data protection and intellectual property best practices. Customers and even suppliers demand transparency and compliance. Stories of incidents travel fast. Damage to reputation can be outside your control which makes it essential to focus on prevention. Monitoring, logging, and a proactive organization are key elements. Immediate detection of incidents and incident management are crucial processes. Information security needs to be embedded in the organization. Since information is everywhere, information security and awareness of risks needs everyone’s attention. 019
1.2 Customer (end user) perspective on governance
Customer (end user) perspective on governance Customers demand 24/7 business continuity of operations. Due to the open marketplace customers can take their business elsewhere. Concerns surrounding privacy are still very strong. Although the use of social media, and the selling out of personal privacy as a result, indicate that this is highly contextual. Customers have become very vocal when their privacy is breached. Any security incidents therefore get a lot of media attention. Customers place trust in organizations that are transparent in the way they deal with risks. customer (end user) perspective on governance 021
Customer (end user) perspective on governance In B2B environments the chain of trust requires compliance and governance. Stakeholders are clueless as to what proof they require to decide that information security risks are managed. End users receive almost no training. Information security training is mostly lacking. End users do not perceive security risks in the same way that professionals do. Security is often regarded as an optional add-on instead of an embedded design requirement. 022
1.3 Service provider/supplier responsibilities in security assurance
Providers need to show due diligence regarding information security. The usage of best practice standards prevails. Incident, change, and continuity management are key processes. Information security performance needs to become a part of the service level agreement (SLA) management processes. Active monitoring and vulnerability management need more attention. Transparency is key but difficult to maintain in a shared service environment. service provider/supplier responsibilities in security assurance Service provider/supplier security assurance responsibility 024
Service providers need to understand their customers’ business and requirements. Perimeter security is still important but data security even more so. This requires a different mindset and products/solutions. IT service management and information security need to be implemented using best-practice standards. SMART performance indicators are key. Suppliers are not always transparent about security risks inherent within the solutions they provide. Third-party assessment of the risks is vital. Service provider/supplier security assurance responsibility 025
2. Risk management
Risk management subjects Risk assessment 1 2 3 Selection of mitigating controls/strategies Residual risk 027
2.1. Risk management principles
Risk assessment Risk assessment answers a number of questions What (information) assets should be protected? Why do these assets need to be protected? What are the risks? What are the priorities in dealing with these risks? What are the options to deal with these risks? 029
Steps in risk assessment processes 1 Assets 2 Threats Risks 3 Controls 4 • Determine which assets are in scope of the assessment • Determine who the owners of the assets are • Discuss the threats to these assets with the owners • Decide who the threat agents are • Get expert opinions on vulnerabilities of these assets • Get expert opinions on likelihood that the threats will occur • Get expert opinions on the impact if/when the threats occur • Have a brainstorm with representatives of all stakeholders • Define a formula to calculate the magnitude of risks • Define the risk appetite of the owner(s) • Find options to mitigate unacceptable risk(s) • Implement controls • Understand and mitigate the new risks of the controls • Accept any residual risks and repeat all of the above 030
Risk management generic workflow Assets Owners value wish to minimize Risk to Threats to that increase that exploit leading to Vulnerabilities may be aware of that may that may be possess reduced by Controls to reduce impose Threat agents give rise to wish to abuse and/or may damage 031
Risk management according to ISO/IEC 27001:2022 ISO/IEC 27001 explicitly refers to and aligns with ISO 31000 – Risk management – Principles and guidelines Risk Analysis Risk Evaluation Risk Acceptance Risk Treatment (information security controls) Information Identify sources Estimate risk Risk criteria Compare estimate against criteria Significance of risk Next risk Yes No Risk assessment Risk management 032
Risk assessment – attention points • Produce a Business Impact Analysis first to determine where a risk assessment is required. • Implement a baseline on the risks. However, risk mitigation controls must be implemented only when required. • Discussing risks that have not (yet) occurred needs an open mind. • Analyzing risks can be facilitated by a specialist but requires a multi-disciplinary approach with members of each business function. • There are many tools available, but tools can only assist the process; not perform it! • The risk assessment will provide the direction as to which controls must be implemented to tackle the risks that are being faced by the organization. This is a must when designing an enterprise-wide information security program. • The best way to achieve a good level of effectiveness in security governance is to perform a periodic risk assessment as part of a risk management program. • The organization will not bring the number of risks down to zero. However, stakeholders must be informed regarding to the residual risks and accept them in agreement with the organization’s risk appetite. 033
Business impact analysis (BIA) BIA Only deals with the impact of an event such as the loss of, damage to, or disclosure of information. In business terms, i.e. monetary loss, damage to reputation, legal consequences etc. Enables an organization to pinpoint those processes where security is important. Must be performed in cooperation with the business owner(s). Does not analyze assets, threats, vulnerabilities, probabilities etc.; only the impact of events. Acts as a filter to determine which activities require a risk assessment and which do not. 034
Baseline principle • Implement a limited set of controls for assets that are part of the scope. • Be able to explain and justify why it is sufficient to implement only those specific controls on those assets (tool: business impact analysis). • Do a risk assessment on all the other assets and implement extra controls only where required. • Organizational objectives, operational constraints as well as applicable legislation and regulation always need to be accounted for when implementing risk controls. • Represents the way to start setting the information security controls for the organization. 035
2.2.1 Assessing the risks - Guidance
Determine which assets are in scope of the assessment • Purpose: Determine which assets will be assessed during the next steps. • How: The business impact analysis (BIA) will have made clear what processes result in the highest impact if loss, damage, or disclosure occurs. Assets within these processes are people, systems, applications, operating systems, buildings/rooms, utilities etc. • Guidelines: Draft the list of assets but keep a high level of abstraction and try to group assets where possible. 037
Determine who the owners of these assets are • Purpose: Only the owners can clearly discuss the value of assets. • How: The business impact analysis should, for the most part, have already clarified who the owners are. • Guidelines: Determining the owners of shared assets (such as network, email infrastructure, internet access) can be tricky. When this is the case, the owner will be the manager responsible for (delegated) maintenance of these assets. Asset ownership 038
Discuss the threats to the assets with these owners • Purpose: Determine which threats are applicable to the assets within scope. Only those threats need to be analyzed in the next steps. • How: Standard lists of threats do exist, but whether the list is complete should be discussed with the owner. • Guidelines: Be as complete as possible, do not filter out threats at this point. Try to compile a list of inherent threats, not the threats for which there are residual risks at this moment. For instance, do not exclude the threat of data loss because back-ups are already made. 039
Decide who the threat agents are • Purpose: Knowing your enemy enables you to better determine which vulnerabilities there are and the probability of threats occurring. • How: Discuss who might be interested in attacking your organization and the means these adversaries have to their disposal. • Guidelines: Adversaries can be employees, criminals, hackers (of every kind), competitors, states, terrorists etc. 040
Get expert opinions on vulnerabilities of the assets • Purpose: Enable those present during the risk assessment workshop to have enough detailed information to make informed decisions. • How: Interviews with experts about information security aspects that are relevant to the assets in scope. This can include technical experts and facility managers but also local government, police, fire brigade etc. • Guidelines: The obtained data needs to be judged as to whether there is high, medium, or low vulnerability. Try to be exhaustive. Talk to as many experts as possible within scope and budget. Vulnerability 1 Vulnerability 2 …. 041
Get expert opinions on the likelihood that threats will occur • Purpose: Enable those present during the risk assessment workshop to have enough detailed information to make informed decisions. • How: Interviews with experts about information security aspects relevant to the assets in scope. This can include technical experts and facility managers but also local government, police, fire brigade etc. Also get publicly available information (where available) from incidents in the past both within and outside of the organization. • Guidelines: The obtained data needs to be judged as to whether there is high, medium, or low likelihood and impact. Try to be exhaustive. Talk to as many experts as possible within scope and budget. Probability 1 Probability 2 …. 042
Define the impact for all threats when they occur • Purpose: Enable those present during the risk assessment workshop to have enough detailed information to make informed decisions. • How: For every threat, discuss with experts what the maximum impact would be if/when the threat occurs. • Guidelines: It is difficult to consider the impact on the organization when a threat has never occurred. Consider monetary losses, legal problems, loss of business, advantages it would give a competitor, loss of image etc. If possible, classify all possible losses in monetary terms. 043
Define a formula to calculate risk • Purpose: Bring all information about a threat together in one quantitative or qualitative parameter which will enable deciding whether the risk is above or below the acceptable risk level. • How: • Quantitative: When only numbers are used to calculate the risk. • Qualitative: When using classes of risk, for instance LL (low likelihood, medium impact) or quantify (VL=1, L=2, M=3, H=4, VH=5) and then multiply (L*M = 1*3 = 3) or use a different formula (most accepted risk methodology). • Guidelines: Be careful when quantifying risks not to lose the distinction between for instance L*M=1*3 and M*L=3*1 (both are 3). 044
Define the risk appetite of the owner(s) • Purpose: Determine the level above which a risk is unacceptable (i.e. should be mitigated where possible). • How: For each threat, or all threats in one go, have the process owner decide which level of risk is unacceptable. • Guidelines: Also take an outside view. What would customers/suppliers find acceptable? What would legal entities consider acceptable? 045
Remarks Example: • Imagine two houses next to a chemical factory. An explosion at the factory causes fires in the surroundings. Both houses are equally likely (probability) to catch fire as a result of the explosion in that factory. • But, if one of the houses is made from wood and the other is made from concrete, the wooden house is much more vulnerable if there is a fire. Since vulnerability is difficult to determine, limit the number of classes to (for instance) only high or low vulnerability. Probability Vulnerability ? ? ? ? ? ? ? ? ? ? ? ? The distinction between probability and vulnerability is not always clear. Concrete house Wooden house 046
Remarks Risk assessment needs to be part of the scope of every project. Usually, a simple identification and rating mechanism for the threats and risks specifically related to the project is sufficient. Before doing a risk assessment, an organization will need to reach consensus on classes for probability, vulnerability and impacts. For instance: Probability: high: it can happen any day medium: could happen yearly low: will never happen Vulnerability: high: when it happens there is a big impact low: when it happens there will be minor impact Impact: high: could lead to bankruptcy medium: impacts the bottom line low: no impact 047
2.2.2 Controlling the risks
Risk treatment in ISO/IEC 27001:2022 • Select risk treatment options • Determine the needed controls • Compare the selected controls to ISO/IEC 27001:2022 Annex A • Create a Statement of Applicability (SoA) indicating which controls from Annex A match the controls • Create a plan to treat risks • Obtain the risk owners’ approvals to treat the risks and their acceptance of residual risk 049
Find ways to mitigate unacceptable risk(s) • Purpose: Select the risks for which mitigating controls are required. • How: Decide whether a risk can be avoided, transferred to another party, accepted or whether it needs mitigation. Or maybe the risk is already mitigated by a control. • Guidelines: For example, avoidance of the risk means cancelling the business process in question or moving the organization to an area with a lower/other risk profile. Transferring a risk can be done by insuring against it. Both avoidance and transferring tend to be exceptions. This tends to lead to discussions to decide whether a risk can be accepted or needs mitigation. Sometimes risks are already covered, for example Escrow arrangements to protect software code. 050