Security Management Flashcards
What the ISO27K series is about
A series of information security standards that are combined to achieve a globally recognised framework for best-practice information security management.
Title and purpose of ISO27001 standard
Title: Information Security Management System (ISMS)
Purpose: ISO 27001 specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization.
While ISO 27002 (code of practice) defines a set of security goals and controls, ISO 27001 (ISMS) defines how to manage the implementation of security controls.
• Organizations can be certified against ISO 27001
Title and purpose of ISO27002 standard
Title: Code of practice for information security controls
Purpose:
• ISO 27002 provides a checklist of general security controls to be considered implemented/used in organizations
– Contains 14 categories (control objectives) of security controls and each category contains a set of security controls
• Not all controls are relevant to every organisation
• Objective of ISO 27002:
“gives guidelines for information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).”
Elements of ISMS (cycle)
The steps are carried out in parallel
- Planning
- Risk Assessment
- Security controls
- Evaluation
- Reporting
The security management levels
This is a hierarchy consisting of (at the bottom) IT Security Operations: operation/administration of information security; (in the middle) Information Security Management: management of information security (internal control); and (at the top) Information Security Governance: governance of information security.