130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • 1. Understanding the Standard
  • 2. Obtaining Management Support
  • 3. Defining the Scope
  • 4. Establishing an Information Security Policy
  • 5. Risk Assessment and Treatment
  • 6. Control Selection and Implementation
  • 7. Documenting the ISMS
  • 8. Training and Awareness
  • 9. Monitoring and Review
  • 10. Continuous Improvement
  • 11. Certification

Was this helpful?

  1. ISO 27001
  2. What is ISO 27001

Implementation

ISO 27001 is an international standard for managing information security. It provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Implementing ISO 27001 involves several key steps and requires commitment from all levels of an organization. Here's a high-level overview of the ISO 27001 implementation process:

1. Understanding the Standard

ISO 27001 specifies the requirements for an ISMS, which includes policies, procedures, and controls designed to manage information security risks. It encompasses legal, physical, and technical controls involved in an organization’s information risk management processes. The standard is part of the ISO/IEC 27000 family, which covers various aspects of information security.

2. Obtaining Management Support

Effective implementation of ISO 27001 starts with securing commitment and support from top management. Information security should be aligned with the organization's business objectives, and leadership must demonstrate their support by providing the necessary resources and fostering a security-conscious culture.

3. Defining the Scope

The scope of the ISMS should be clearly defined, identifying the parts of the organization and the information assets that will be covered. This involves considering internal and external issues, interested parties, and the boundaries of the ISMS. A well-defined scope ensures that the ISMS is tailored to the specific needs and context of the organization.

4. Establishing an Information Security Policy

An information security policy sets the direction and principles for the ISMS. This high-level policy should outline the organization’s approach to managing information security, including objectives and key responsibilities. It must be communicated effectively to all employees and relevant stakeholders.

5. Risk Assessment and Treatment

One of the core components of ISO 27001 is conducting a risk assessment to identify information security risks. This involves:

  • Identifying assets, threats, and vulnerabilities.

  • Assessing the impact and likelihood of risks.

  • Determining the level of acceptable risk.

Based on the risk assessment, a risk treatment plan is developed, specifying how identified risks will be managed. This could involve avoiding, transferring, accepting, or mitigating risks through the implementation of controls.

6. Control Selection and Implementation

Annex A of ISO 27001 provides a comprehensive list of 114 controls categorized into 14 domains. Organizations must select and implement the appropriate controls to mitigate identified risks. The implementation should be guided by the organization’s risk treatment plan and should include technical, physical, and procedural controls.

7. Documenting the ISMS

Documentation is a critical aspect of ISO 27001 compliance. Key documents include:

  • ISMS scope and policy.

  • Risk assessment and treatment methodology.

  • Statement of Applicability (SoA).

  • Risk treatment plan.

  • Procedures for document control, incident response, and business continuity.

Proper documentation ensures that processes are standardized, repeatable, and auditable.

8. Training and Awareness

Employees at all levels must be aware of their responsibilities in maintaining information security. Regular training and awareness programs help to build a security-aware culture and ensure that employees understand and follow the organization’s information security policies and procedures.

9. Monitoring and Review

Continuous monitoring and review are essential for the effectiveness of the ISMS. This involves:

  • Regular internal audits to assess compliance and identify areas for improvement.

  • Monitoring security controls to ensure they are functioning effectively.

  • Reviewing the ISMS performance through management reviews.

10. Continuous Improvement

ISO 27001 emphasizes continual improvement of the ISMS. Organizations must establish mechanisms to identify and address non-conformities and implement corrective actions. This ensures that the ISMS evolves to meet changing threats and business needs.

11. Certification

While certification is not mandatory, obtaining ISO 27001 certification from an accredited certification body can provide assurance to customers, partners, and regulators that the organization meets international standards for information security. The certification process involves a thorough audit of the ISMS by external auditors.

PreviousWhat is ISO 27001NextDocumentation

Last updated 4 months ago

Was this helpful?