ISO/IEC 27001 implementation –

challenges and practical solutions

October 2015
About Presenter

Intars Garbovskis, Information Security Lead

Accenture Latvia
Intars is leading the Accenture Latvia Security Practice and acting as the
Information Security Lead for delivery centers in Latvia, Mauritius, Morocco,
France, the Netherlands.

He is Certified Information Systems Auditor, ISO 27001 Lead Auditor with more
than 10 years of professional IT consulting, project management, information
systems' auditing and ISMS implementation experience. Specialties: ISO 27001
implementation, IT Governance and project management, IS Auditing, Business
Analysis, ISO/IEC 20000, ITIL, CobIT, Business Continuity/Disaster Recovery.

Copyright © 2015 Accenture All rights reserved.

Agenda

• ISO/IEC 27001:2013: Information Security Management System

• Key chellanges
• Effective solutions and tactics
• Why ISO/IEC 27001:2013?

Copyright © 2015 Accenture All rights reserved.

ISO/IEC 27001:2013: Information Security Management System

The standard has been prepared to provide requirements for establishing, implementing,
maintaining and continually improving an information security management system (ISMS).
The main objective of ISMS – preserve the confidentiality, integrity and availablility of
information.

Applicable to all organizations, regardless of type, size or nature.

Structure of the standard:

• 7 mandatory clauses.
• 114 controls spread across 14 domains and 35 control objectives.

Copyright © 2015 Accenture All rights reserved.

Key chellanges

Raise Systematically
Top Ensure
awareness follow
management continual
and build implemented
commitment improvement
security ISMS
and support of ISMS
culture processes

Copyright © 2015 Accenture All rights reserved.

Effective solutions and tactics (1)
Provided the
needed
resources (with
required
competences!) Management
Formally
approved ISMS
assigned
implementation
responsibilities
and maintenance
and authority
plan

Continual and
natural Communication Clearly defined
to ALL ISMS scope,
management interested objectives and
example (role parties benefits
model)

Copyright © 2015 Accenture All rights reserved.

Effective solutions and tactics (2)

Living ISMS
Effective security Evaluation of ISMS
maintenance and
awareness programs* effectiveness
improvement plan

• Set a clear goal, define metrics
and measure the progress
• Involve the right audience
• Choose the relevant topics and
most effective communication
channels
• Plan for long-term culture
• Assign an owner of the ISMS
maintenance and improvement
plan
• Regular reporting to the top
management (use a simple
dashboard)
• Ensure regular follow-ups with
the interested parties to ensure
implemented ISMS processes
are followed, identified risks are
closed, new risks are identified
• Define performance evaluation
metrics that will monitored
• Define when and who will
analyse the metrics
• Use the meseament results to
evaluate effectiveness and make
decisions for continual ISMS
improvement

Source: https://securitycultureframework.net
Copyright © 2015 Accenture All rights reserved.
Why ISO/IEC 27001:2013?

Benefits:

Holistic, structured Demonstrates

and risk-based IS credibility and trust. Increased awareness
management Provides customers Competitive of interested parties. Cost savings through
approach -> and stakeholders advantage in the Improved security reduction in security
Improved IS across with confidence that market. culture within the incidents.
the whole IS is adequately organisation.
organisation. managed.

Copyright © 2015 Accenture All rights reserved.

IT Governance research
ISO 27001 Global Report 2015: Drivers based on survey findings
Drivers
Feel ISO 27001 plays an important role Implementing an ISMS allows an organisation to define and monitor
96% in improving cyber security defence. risk levels internally, thus driving management decisions to balance
expenditure against potential business harm.

Reveal improving information security as the Improving IS across the whole organisation is the single most important
70% biggest driver for implementing benefit. Others include: meeting industry requirements to comply with
ISO 27001. best practice, and gaining a competitive advantage.

Were asked by their clients about their Respondents reveal that ISO 27001 is a regular requirement for
66% ISO 27001 status in the past 12 months. contracts and tendering for new business.

Have full time ISMS Managers employed at This activity is generally delegated to various other roles within the
23% their company. organisation (e.g. IT Managers). 44% admit that the person managing
their ISMS does not have formal ISO 27001 qualifications.

Source: ISO 27001 Global Report 2015 by IT Governance

Copyright © 2015 Accenture All rights reserved.
IT Governance research
ISO 27001 Global Report 2015: Challenges based on survey findings

Challenges

State “obtaining employee buy-in and Engaging staff with the right level of competence and expertise is fundamental
45% raising staff awareness” is one of the to the success and the long-term effectiveness of an ISMS. Increasing IS
biggest challenges in implementing awareness among non-technical staff is essential – employees are the weakest
ISO 27001. link.

The absence of full time staff and formal training for ISMS management may
40% Seek external help for certification. contribute to this result. Large organisations with dedicated ISMS staff still
benefit from external help and advice as implementation can be more
complex.

Find it a challenge “convincing the board Reasons behind this challenge include securing sufficient budget allowance,
20% that information security is a critical gaining permission to employ sufficient resources and having Leadership agree
business issue”. to complete certification.

Source: ISO 27001 Global Report 2015 by IT Governance

Copyright © 2015 Accenture All rights reserved.
Thank you!

Copyright © 2015 Accenture All rights reserved.

Accenture Security Services

Copyright © 2015 Accenture All rights reserved.