Solved

ISO27001 Recommendation & Templates

Posted on 2010-09-10
18
2,771 Views
Last Modified: 2012-05-10
We are a small firm looking into compliance with ISO 27001 in our Windows environment. I'm in the process of researching ISMS security.
I have downloaded the checklists and basic templates/policies/procedures from the "SANS" websites.
I've been through each clause/standard from the checklist and now need help on how to implement these controls by choosing which products can be used against each clause.
Is there any draft/template available showing which product can be used against each of the clauses?

All responses very much appreciated.

Question by:PeterMatthews
18 Comments

Expert Comment

by:ProfessorBindokas
ID: 33681153
Hi

Many of the clauses in ISO 27K are management process related.  Do you mean you are looking for a product to automate process compliance, e.g. a workflow system?  In general, there are a few decent open source products, which can be used to automate risk management.  One of the best I have used is chARMe (major pluses - automated risk reporting, aligned with ISO 27001, and free; major minuses - interface takes some getting used to and the English language translation has a few screen errors).  You can download this from: http://www.secopan.de/home/downloads2.html

In terms of compliance with the 133 controls - many of them are process and policy oriented, which means that no particular software product is available.  It's more important to properly understand the requirement, document related ways of working, and ensure that those ways of working are applied in day to day business.  For the technology-related ones in terms of encryption, access control, etc - please respond with which controls in particular you are having problems with and I will try to give a few suggestions.

Author Comment

by:PeterMatthews
ID: 33721469
Hi,
It looks like I'll need help on the beginning of the ISO 27001 clauses, clauses 4 and 5. I need to kick-start how to implement and document the beginnings. I have read the checklist against clauses 4 & 5 and they're referring to documenting using the company IIS intranet. Is there any reference available using 3rd-party software to kick-start?
While doing further research over the weekend I've seen an article on the McAfee site where it has mapping tools (http://mfesite.com/mcafeepci/cust/euser/pcidssmain.jsp#) for PCI requirements; this is very useful if someone is working on compliance with PCI DSS. Unfortunately I couldn't find any mapping tools for ISO 27001!!
Ideally this is exactly what I'm looking for, where it mentions what product can be used against each clause.


Expert Comment

by:ProfessorBindokas
ID: 33722706
Most of the software products that automate ISO 27001 requirements deal with risk assessment/threat analysis and the planning of your controls and countermeasures.  Clauses 4 and 5 deal primarily with the information security management system, i.e., they are administrative in nature.  It definitely is possible to develop workflows to automate process steps and approvals, e.g. in something like SharePoint or EMC eRoom for the development, review and approval of documents.

Taking it clause by clause:
4.2.1 a and b Establishing the ISMS - this is a policy development clause, the deliverables of which are policy documents.
4.2.1 c,d,e,f,g - Risk assessments can be easily automated using opensource free of charge products, including chARMe, which I mentioned in my first reply.  Another good risk assessment tool allowing quantification of risks in terms of financial impact is PTA (practical threat analysis), available for download at http://www.ptatechnologies.com/ and an ISO 27001 library for that tool is available for free at http://www.controlpolicy.com/PTA_ISO27001_Library.zip
4.2.1 h,i - Deliverables are documents, no real automation needed here.
4.2.1 j - Easiest to use a template, for example, from the SANS website.  I did ours in an .xlsx file.

4.2.2 Implement and operate ISMS
a - use the same tool as in 4.2.1 c
b - implementation of the plan can be tracked in any project management software application, from Microsoft Project to opensource OpenProj.
c - implementation of the controls themselves will require a variety of products and organisational measures.  Some are technological in nature, e.g., anti-virus, firewalls, logging, etc.  Others - e.g., physical security measures require records to prove that it was done.  Records can be documents, invoices, work instructions, etc.
d - requires the setting of KPIs for the implementation of controls and defining how their effectiveness will be checked.  The chARMe tool allows this.
e - training:  no real automation needed, just a simple spreadsheet to track courses delivered
f,g,h - policies, work instructions and records

4.2.3  This is a measurement and analysis requirement.
a - a combination of intrusion detection software and event management/service ticket software
b - requires documentation of internal formal and informal audits
c - measuring the KPIs defined in 4.2.2 d
d - use the same tool as in 4.2.2 d (for example)
e - checklists can be automated using SharePoint forms or simple spreadsheets
f - deliverable is a document
g - deliverables are documents
h - records can be kept in a variety of formats
4.2.4 continual improvement - records are usually just .doc
4.3.1 - any document management system, or simple folders on a fileserver can be used to store the documentation
4.3.2 - any document management system and a registration / tracking form for the documents, e.g., a simple fileserver and a spreadsheet will do
4.3.3 - same as above
5.1 - this is mostly administrative in nature and deliverables will be primarily documents.
5.2.1 - a combination of documents and service tickets/requests.  If you must automate, you can use, for example, a requests management module used in ITIL implementation to track requests for resources and fulfillment.  An example could be Atlassian's Jira.
5.2.2 - Training deliverables are mostly documents and training plans.  No real automation needed.

The main tools that I rely on after around 10 years in this field are chARMe, an older, adapted version of COBRA, the OPENKM document management system (http://www.openkm.com/) for keeping track of records/documents/approvals and Jira for workflows.  In terms of individual controls - a variety of tools are used, with no "umbrella" tool over all of them.

Over-automation of ISO 27K can be more hassle than it's worth.  I recommend a simple approach, especially if your organisation is not more than 750 people.  Keep it to a few tools for risk assessment, a good document management system and the rest in simple project plans, spreadsheets and documents.

Expert Comment

by:ProfessorBindokas
ID: 33752764
I notice you haven't revisited this topic in a while, is there any additional information you need?

Author Comment

by:PeterMatthews
ID: 33762019
Hi,
Thanks for your generous response.
1) I had a quick look at the PTA software and so far it looks good. I had spent some time on it but not seen any recommendation against each clause. We are a very small firm with fewer than 150 employees; I don't think all the clauses will apply to us, and also some clauses are very hard to understand. It would be ideal to see some recommendations or templates/examples given against each clause; it would at least give me some hints and get me thinking in the right direction on what to look for. Some examples of an SoA and countermeasures would also be a good idea for a first-time ISO learner.

2) I've looked at the chARMe site and unfortunately it seems to be German software. I couldn't see the online demo either. Is this software also available in English? I have seen the manual in English but not the software?

I really appreciate all your effort in helping me on this project.

Accepted Solution

by:ProfessorBindokas (earned 500 total points)
ID: 33767419
Hi

Neither PTA nor chARMe give specific recommendations for measures to be taken to mitigate risks, as these kinds of recommendations are very specific to each organisation's business environment.  The main difference between the two products is that PTA is oriented to assigning a financial impact to each risk, which helps you to prioritise them.  PTA does work and one of my clients uses it, but I prefer chARMe for ease of use and flexibility.

chARMe allows more control of the process for assigning threats and safeguards to each information asset.  The nice thing about chARMe is that once set up, you can use assets that you have already entered as templates, saving tonnes of work later.

chARMe is available in English.  The software, once downloaded and run, allows you to select the language on the login screen (German, English, Chinese are offered).  I recommend using it as a VMware appliance - download it from Secopan's site here:
http://www.secopan.de/downloads/chaRMe.v.0.7.7z and the English language user's guide is here: http://www.secopan.de/downloads/chaRMe-Dokumentation.en.v.0.5.pdf

Please note that you will need to have VMware Player installed to use this.  VMware Player is a free utility, available here:  http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0

Now, if you need recommendations for which types of threats apply to which types of information assets and the safeguards that should be in place for each asset, you have a few choices.  One option is to buy consulting services or one of the ISO 27001 "toolkits" which are available on the web (just Google toolkits).

But, personally I do not think any of the toolkits are worth the high prices asked for.  There is a wonderful absolutely free resource from the BSI (BSI is the German Federal Office for Information Security) available in ENGLISH at https://www.bsi.bund.de/cln_165/EN/Topics/ITGrundschutz/ITGrundschutzCatalogues/itgrundschutzcatalogues_node.html

This catalogue is a huge free reference source, which contains a threats catalogue and a safeguards catalogue.  Furthermore, it has modules for each major type of asset.  E.g., for a Server Room, it will list possible threats and give you very concrete recommendations for the safeguards to be applied.  This can be used as a checklist for implementation.

Putting it all together, if you load the contents of the BSI documentation into chARMe, you have a ready-made compliance package for free, which will save thousands of euros as compared to hiring outside consultants.  Unfortunately, entering the threats and safeguards into chARMe has to be done by hand.


Expert Comment

by:ProfessorBindokas
ID: 33767426
Just as an addendum, the BSI catalogue and methodology mentioned above can be used for ISO 27001; there are no problems with compliance audits if using this method/reference.

Author Comment

by:PeterMatthews
ID: 33779259
I have gone through all the information above and must say how valuable all this information is.
This is exactly what I was looking for. You have just saved me from months of legwork!!! THANKS
I've found the BSI and chARMe information very useful, and it looks like it will be my preferred solution buster for my ISO project. I will be cracking on with the chARMe software from next week and fill out the gap analysis from the BSI documentation.
From my previous research, some people recommended using the vsRisk product (http://www.vigilantsoftware.co.uk/how-can-vsrisk-help.aspx) and CRAMM software.
Have you had any experience with them?
Please keep me posted if you find anything that will be useful for me / ISO 27001.
Thanks again

Expert Comment

by:ProfessorBindokas
ID: 33786949
Glad to hear you found the information useful, Peter.  Cramm I have used in the past (back when the standard was still ISO 17799) and I was generally quite happy with it.  I moved away from CRAMM over the years simply because I found the open source software to meet my needs and the needs of my clients without CRAMM's £2950 per copy plus £875 annual license fees.  This helped reduce overall project cost for my clients, which was an important factor.

vsRisk I have not personally used and only know it from reviews (usually good).  The only product I have used from Vigilant is the comprehensive ISMS toolkit, which was included in scope at the request of one client.  Overall the toolkit was quite good value for the +/- £1,900 price tag, but since I've done a fair few implementations, there was nothing really new in it for me personally.  But, for a "do it yourself" project, the toolkit does give some very good materials, which would save time researching.

In fairness, most of the risk analysis tools operate on the same principles; it's usually a question of the amount of information pre-loaded into them, reporting options, how pleasant the user interface is, etc.

Is CRAMM good?  Definitely (at least the older versions were superb).  Is it worth the price?  Maybe.  It's a matter of taste.  For example, I'm willing to put up with a not so wonderful user interface if I get the functionality I need from an opensource product (like chaRMe).    Same for vsRisk.

Expert Comment

by:ProfessorBindokas
ID: 33786974
You may find this useful:  http://rm-inv.enisa.europa.eu/rm_ra_tools.html

It's from the site of the European Network and Information Security Agency and gives an overview of most of the tools on the market today.  Saves time as compared to just googling.

The site also has quite a bit of other useful information and reference material.  All free.

Author Comment

by:PeterMatthews
ID: 33806317
I'm also looking for ISMS documentation help on writing procedures/guidance, policies, etc.
I need to see some examples of what to write and how to begin the documentation.
Are there any open-source or pre-written templates available for all the ISO controls?
I have searched Google and it brings up toolkits from IT Governance.

ProfessorBindokas: Is this available in the BSI catalogue you've mentioned previously? (I'm still reading through this manual; it will take some time to complete. I'm very impressed with this guide.)

Expert Comment

by:ProfessorBindokas
ID: 33806345
Hi

BSI's materials (the ITGrundschutz methodology) do not provide guidance or templates for the development of policies / procedures / work instructions.  However, there are some great free resources with templates available on the web:

http://www.iso27001security.com/ - download the free ISO 27001 toolkit from them.  Excellent resource.  Join the forum, too.  There's also a decent Google Group for ISO 27001 that you can join and interact with professionals in the field.

http://www.sans.org/security-resources/policies/ - the SANS project provides samples and templates, some of which are very good.

Author Comment

by:PeterMatthews
ID: 33855804
ProfessorBindokas: I have tried contacting chARMe (secopan.de) several times by email for the module they have for ISO 27002 (Standards & Documentation) but unfortunately no response from them.
I'm not sure what benefit this plugin will have on the chARMe software.
Have you used this module? If yes, please explain briefly.
I have already started working on my project using the chARMe tool and am now gathering ISMS documentation/policies/standards, etc.
Hope this module tool helps me complete the documentation, etc.

Thanks

Expert Comment

by:ProfessorBindokas
ID: 33857612
Hi again, the ISO 27002 plug-in simply lists the recommendations for each control item in the Code of Practice and includes it in the Controls section of the chaRMe database.  If you have purchased a copy of ISO 27002 (or 17799 - old name), you can accomplish the same thing by going to the Controls tab in chaRMe, selecting the appropriate ISO 27001 control (which are pre-loaded) and copy:paste the "Implementation Recommendations" from ISO 27002.

The only thing the plug-in does is save you time from having to retype or copy:paste the information from 27002/17799.  There is no real reason to purchase it if you already have the standard and can just either enter this information yourself, or simply refer to the standard when needed (not even entering it into the database).

Since the software is opensource, sometimes they do not respond very quickly (the lads have regular day jobs...)  But, as said, you can enter the same information yourself without any worries.

Author Comment

by:PeterMatthews
ID: 33863586
Thanks for your reply again.
I have checked the Controls tab and Edit option; unfortunately I couldn't see any ISO 27002 recommendations or information. I've been through all the controls tabs and all seem to be empty.
I'm currently running chARMe version 0.7.1.  I'm not getting any response from secopan either and am really stuck on my project. I would appreciate it if you could generously send me the ISO 27002 guide you have so I can pursue my project. You have been very helpful to me during this discussion.
Please send me the guides to sul8 "at" hotmail.com
Thanks

Author Comment

by:PeterMatthews
ID: 33882405
ProfessorBindokas: Please could you help me with ISO 27002 recommendation information?
I have searched the net but couldn't find a good site. Any sample guidance will be much appreciated.

Thanks

Expert Comment

by:ProfessorBindokas
ID: 33882409
Hi, I am swamped with work at the moment, but will try to get something to you today or tomorrow.

Author Comment

by:PeterMatthews
ID: 34092380
Hi ProfessorBindokas,
I really appreciate your help.
I'm awaiting your help on ISO 27002.