Implementation of ISO 27k1
National Law Institute University, Bhopal (M.P.)
RAJIV GANDHI NATIONAL CYBER LAW CENTRE
A
Dissertation
On
“Implementation of ISO 27001:2013 in Banking Industry”
SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENT
FOR THE AWARD OF THE DEGREE OF
MASTER OF SCIENCE
IN CYBER LAW AND INFORMATION SECURITY
By
Ayushm Dubey
Enrolment no. MS00241
Roll no. 2016 MSCLIS 01
April, 2018
ACKNOWLEDGEMENT
I would first like to thank my supervisor Dr. Astitwa Bhargava, under whose supervision this
dissertation has been carried out. The door to Dr. Astitwa Bhargava's office was always open
whenever I ran into a trouble spot or had a question about my research or writing. He
consistently allowed this dissertation to be my own work, but steered me in the right direction
whenever he thought I needed it.
I am also highly grateful to Prof. (Dr.) Mukesh Shrivastava (Acting Director), and also want
to express my sincere thanks and salutation to all the faculty members of The National Law
Institute University, Bhopal, for their kind co-operation and interest in the completion of this
study.
My hearty thanks to the library staff of National Law Institute University, Bhopal, for their kind
co-operation.
I express innermost gratitude towards my parents, without whose love, blessings, guidance and
support it would not have been possible for me to complete this work. I am also thankful to my
friends and all those who have helped directly or indirectly in the completion of this dissertation work.
Ayushm Dubey
RGNCLC, NLIU, BHOPAL
CERTIFICATE
This is to certify that the dissertation entitled “Implementation of ISO 27001:2013 in Banking
Industry” has been done by ‘Ayushm Dubey’, Enrolment No. MS-00241, Roll No.2016-
MSCLIS-01 under my supervision in partial fulfilment of the requirement for the award of the
Degree of Master of Science in Cyber Law and Information Security of the National Law
Institute University, Bhopal (M.P.), India.
To the best of my knowledge, the dissertation embodies the work of the candidate with
convincing suggestions.
DECLARATION
I further declare that to the best of my knowledge the dissertation does not contain any part of
any work which has been submitted for the award of any degree either in this University or any
other university without proper citation.
Table of Contents
ACKNOWLEDGEMENT ............................................................................................................. i
CERTIFICATE ............................................................................................................................. ii
DECLARATION.......................................................................................................................... iii
LIST OF FIGURES ................................................................................................................... viii
LIST OF ABBREVIATIONS ................................................................................................... viii
Chapter.1 – Introduction ............................................................................................................. 1
1.1. Introduction .......................................................................................................................... 2
1.2. Gestalt of ISO 27001:2013................................................................................................... 4
1.3. Information Security and ISO/IEC 27001:2013................................................................... 6
1.3.1. Approach to Information Security ................................................................................. 6
1.4. Need to implement an ISMS ................................................................................................ 7
1.5. Benefits of an ISMS ............................................................................................................. 9
1.5.1. Improved understanding of business aspects................................................................. 9
1.5.2. Reductions in security breaches and/or claims .............................................................. 9
1.5.3. Reductions in adverse publicity..................................................................................... 9
1.5.4. Improved insurance liability rating................................................................................ 9
1.5.5. Identify critical assets via the Business Risk Assessment ............................................. 9
1.5.6. Ensure that “knowledge capital” will be “stored” in a business management system .. 9
1.5.7. Be a confidence factor internally as well as externally ............................................... 10
1.5.8. Systematic approach .................................................................................................... 10
1.5.9. Provide a structure for continuous improvement ........................................................ 10
1.5.10. Enhance the knowledge and importance of security-related issues at the management
level ....................................................................................................................................... 10
1.5.11. Advantages from Certification of ISMS .................................................................... 10
1.6. Review of Literature........................................................................................................... 11
1.6.1. Books/E-Books ............................................................................................................ 11
1.6.2. Research Papers/ Articles/ Journals ............................................................................. 12
1.6.3. Standards ..................................................................................................................... 13
1.7. Statement of Problem ......................................................................................................... 14
1.8. Research Questions ............................................................................................................ 14
1.9. Objectives of the Study ...................................................................................................... 15
1.10. Research Methodology..................................................................................................... 15
1.11. Research Tools ................................................................................................................. 15
Chapter.2 - Overview of ISO/IEC 27001:2013 ......................................................................... 16
2.1. Understanding ISO/IEC 27001:2013 ................................................................................. 17
2.2. Mandatory Clauses of ISO/IEC 27001:2013 ...................................................................... 18
2.3. Domains of ISO/IEC 27001:2013 ...................................................................................... 24
2.3.1. Context of the organization ......................................................................................... 25
2.3.2. Leadership and Commitment....................................................................................... 27
2.3.3. IS Objectives................................................................................................................ 28
2.3.4. IS Policy ...................................................................................................................... 28
2.3.5. Roles, Responsibilities and Competencies .................................................................. 28
2.3.6. Risk Management ........................................................................................................ 29
2.3.7. Performance Monitoring & KPIs ................................................................................ 34
2.3.8. Documentation............................................................................................................. 35
2.3.9. Communication ........................................................................................................... 37
2.3.10. Competence and Awareness ...................................................................................... 38
2.3.11. Supplier Relationships ............................................................................................... 39
2.3.12. Internal Audit ............................................................................................................. 40
2.3.13. Incident Management ................................................................................................ 41
2.3.14. Continuous Improvement .......................................................................................... 41
2.4. Controls of Annexure A of ISO/IEC 27001:2013 .............................................................. 42
2.5. ISO/IEC 27002:2013 .......................................................................................................... 44
2.5.1. ISO 27001 vs. ISO 27002 ............................................................................................ 44
2.6. ISMS in Banking Industry.................................................................................................. 45
2.7. RBI Guidelines for Banks on Cyber Security .................................................................... 48
2.8. Badge on the wall debate ................................................................................................... 49
Chapter.3- Implementation of ISO/IEC 27001:2013 in a Bank ............................................. 51
3.1. Hypothetical Bank Environment ........................................................................................ 52
3.1.1. Focus at Department of IT, ABC Bank ....................................................................... 53
3.1.2. Other Implementations ................................................................................................ 54
3.1.3. Departments of ABC Bank .......................................................................................... 55
3.2. Implementation of ISO/IEC 27001:2013 in ABC Bank .................................................... 56
3.2.1. Scope: .......................................................................................................................... 56
3.2.2. Purpose: ....................................................................................................................... 57
3.2.3. Context of the ABC Bank:........................................................................................... 57
3.2.4. Asset Inventory: ........................................................................................................... 57
3.2.5. Risk Assessment & Treatment Methodology: ............................................................. 60
3.2.6. Risk Matrix .................................................................................................................. 61
3.2.7. Risk Assessment .......................................................................................................... 62
3.2.8. SOA ............................................................................................................................. 69
3.2.9. Information Security Policies of ABC Bank: .............................................................. 72
3.2.10. Risk Treatment .......................................................................................................... 73
3.2.11. Monitoring and evaluation......................................................................................... 74
3.2.12. Internal Audit ............................................................................................................. 74
Chapter.4- ISO/IEC 27001: 2013 Implementation Issues and Challenges. ........................... 75
4.1. Expectations with ISMS (ISO/IEC 27001:2013) Implementation. .................................... 76
4.1.1. Risks and losses will be minimized ............................................................................. 76
4.1.2. Compliance to rules, legislation, company standards and practices............................ 76
4.1.3. Improved safety ........................................................................................................... 76
4.1.4. Reliable operations ...................................................................................................... 76
4.1.5. Business continuity ...................................................................................................... 77
4.2. ISMS Implementation Issues & Challenges ...................................................................... 77
4.2.1. Fear / Resistance to change ......................................................................................... 77
4.2.2. Increased cost .............................................................................................................. 78
4.2.3. Inadequate knowledge as to approach ......................................................................... 78
4.2.4. Seemingly huge task .................................................................................................... 78
Chapter.5 - Conclusion and Suggestions .................................................................................. 79
5.1. Conclusion.......................................................................................................................... 80
5.2. Suggestions......................................................................................................................... 81
5.2.1. Parallel design of ISMS and Information System ....................................................... 81
5.2.2. Dedicated Clause for Securing the Sensitive Personal Information ............................ 81
5.2.3. Critical Success Factors ............................................................................................... 81
5.2.4. Complete PDCA Cycle ................................................................................................ 81
BIBLIOGRAPHY ....................................................................................................................... 82
ANNEXURE ................................................................................................................................ 85
A.1. Information Security Organization Policy for ABC Bank ................................................ 86
A.1.1. Purpose ....................................................................................................................... 88
A.1.2. Scope........................................................................................................................... 88
A.1.3.Policy Maintenance ..................................................................................................... 88
A.1.4.Definitions ................................................................................................................... 89
A.1.5.Policy Assumptions ..................................................................................................... 89
A.1.6.Policy Statements......................................................................................................... 89
A.1.7.Mission and Vision ...................................................................................................... 89
A.1.8.Organization of Information Security .......................................................................... 90
A.1.9.Related Information Security Policies ......................................................................... 92
A.1.10.Compliance Monitoring ............................................................................................. 92
A.1.11.Custodians.................................................................................................................. 92
LIST OF FIGURES
LIST OF ABBREVIATIONS
Implementation of ISO 27001:2013 in Banking Industry
Chapter.1 – Introduction
Introduction
Gestalt of ISO/IEC 27001:2013
Information Security and ISO/IEC 27001:2013
Need to implement an ISMS
Benefits of an ISMS
Review of Literature
Statement of Problem
Research Questions
Research Objectives
Research Methodology
Research Tools
1.1. Introduction
Nowadays almost every organization, whether educational, commercial, banking or non-profit,
depends on information technology (IT), so managing and securing information, and the
technology that carries it, is a primary concern for any organization. ISO/IEC 27001:2013 is a
vital standard for this purpose. Beyond the management and protection of information it brings
an organization many benefits: creating trust among stakeholders1, keeping confidential
information secure, giving confidence to customers and stakeholders, enabling the secure
exchange of information, helping the organization meet its legal and contractual obligations,
providing the flexibility to comply with other regulations, building market reputation and
putting the organization a step ahead of its competition, and increasing client satisfaction,
which leads to client loyalty.
In India, the Reserve Bank of India (RBI), the regulating and governing body of the banking
industry, announced in April 2010 the creation of a Working Group on Information Security,
Electronic Banking, Technology Risk Management and Tackling Cyber Fraud. The Group was set
up under the chairmanship of Executive Director Shri G. Gopalakrishna. It examined the various
issues arising out of the use of information technology in banks and made its recommendations
in nine broad areas: IT Governance, Information Security, IS Audit, IT Operations, IT Services
Outsourcing, Cyber Fraud, Business Continuity Planning, Customer Awareness programmes and
Legal issues. The Working Group's report states that "the Commercial banks should implement
ISO 27001 based Information Security Management System (ISMS) best practices for protecting
their critical functions. Additionally, other reputed security/IT control frameworks may also be
considered by banks".2 This can be read as a direction from the regulator to all banks in India
to implement an ISMS.
1 A stakeholder is a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. Defined in Clause 2.13 of ISO 31000:2009.
ISO (International Organization for Standardization)3 and IEC (International Electrotechnical
Commission)4 form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest.
Other international organizations, governmental and non-governmental, in liaison with ISO and
IEC, also take part in the work. In the field of information technology, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.
The information security management system preserves the confidentiality5, integrity6 and
availability7 of information by applying a risk management process8 and gives interested parties
confidence that risks are adequately managed. It is important that information security
management is integrated with the organization's processes and overall management structure,
and that information security is considered in the design of processes, information systems and
controls. An ISMS implementation is expected to be scaled to the needs of the organization. The
standard can be used by internal and external parties to assess the organization's ability to meet
its own information security requirements.
2 Available at https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WREB210111_ES.pdf. Accessed on 01/11/2017.
3 The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations. Available at https://www.iso.org/. Accessed on 01/11/2017.
4 The International Electrotechnical Commission (IEC) is a not-for-profit, quasi-governmental organization founded in 1906. It is the leading global organization that publishes consensus-based International Standards and manages conformity assessment systems for electric and electronic products, systems and services, collectively known as electrotechnology. Available at http://www.iec.ch/about/activities/?ref=menu. Accessed on 01/11/2017.
5 Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes. Defined in Clause 2.12 of ISO/IEC 27000:2016.
6 Integrity is the property of accuracy and completeness. Defined in Clause 2.40 of ISO/IEC 27000:2016.
7 Availability is the property of being accessible and usable upon demand by an authorized entity. Defined in Clause 2.9 of ISO/IEC 27000:2016.
8 Risk management is defined as "coordinated activities to direct and control an organization with regard to risk". Defined in Clause 2.2 of ISO 31000:2009.
This research report explains the effective implementation of ISO/IEC 27001:2013 in a banking
organization by following all the requirements and the appropriate controls of the standard to
establish a holistic information security management system. It also throws light on the
drawbacks of the standard that lead a banking organization to follow other, similar information
security standards to deal with those lacunae, proposes solutions to those drawbacks, and
provides assistance in implementing ISO/IEC 27001:2013 in a banking organization.
1.2. Gestalt of ISO/IEC 27001:2013
ISO/IEC 27001:2013 states its requirements in seven clauses (Clauses 4 to 10 of the standard),
each of which is discussed below:
I. Context Establishment
II. Leadership
III. Planning
IV. Support
V. Operations
VI. Performance Evaluation
VII. Improvement
I. Context Establishment: This clause requires an organization to understand itself and its
context before establishing its information security management system (ISMS). It calls for
identifying the issues that are relevant to the organization's purpose and considering the
influence these issues could have on the outcomes and objectives that its ISMS needs to
achieve. The organization first needs to understand its approach to governance9, its capabilities,
its contracts, its culture, its stakeholders, its environmental conditions, its interested parties10
and its legal obligations, so that the ISMS it designs is able to address all of these influences.
Once these issues have been considered, the scope of the ISMS is established and development
of the ISMS begins.
II. Leadership: This clause requires the organization's top management to provide leadership
and commitment for the ISMS by visibly supporting it, by making sure that everyone in the
organization understands the importance of the ISMS, by assigning responsibility and authority
for it, and by establishing an information security policy.
III. Planning: The planning clause is used to identify the risks11 and opportunities that could
influence the effectiveness of the organization's ISMS or disrupt its operation, and then to
determine what needs to be done to address them. It also requires the organization to assess its
information security risks, to select risk treatment12 options, to choose the information
security13 controls14 needed to implement those options, and to formulate a risk treatment
plan. Finally, it requires the organization to establish information security objectives15 at all
relevant levels and for all relevant functions within the organization and to develop plans to
achieve these objectives.
IV. Support: This clause states that the complying organization must support its ISMS by
providing resources. It requires the organization to ensure the competence16 of the people who
have an impact on its security and to ensure that they are aware of their responsibilities. It then
asks the organization to decide how extensive and detailed its ISMS documents and records
need to be, to include all necessary documents and records, and to manage and control their
creation and modification.
V. Operations: This clause requires the organization to establish the processes it needs in order
to meet its information security requirements, to carry out the actions needed to address its
information security risks and opportunities, and to implement the plans needed to achieve its
information security objectives. Information security risk assessments17 should be performed at
planned intervals, the risks prioritized, and a record of the assessment results maintained.
Finally, the organization needs to implement its information security risk treatment plans and
to maintain a record of the risk treatment results.
9 Governance means "a system by which an organization's information security activities are directed and controlled". Defined in Clause 2.28 of ISO/IEC 27000:2016.
10 Interested party is defined as "a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity". Defined in Clause 2.41 of ISO/IEC 27000:2016.
11 Risk is defined as "effect of uncertainty on objectives". Defined in Clause 2.1 of ISO 31000:2009.
12 Risk treatment is defined as "process to modify risk"; the options include avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk. Defined in Clause 2.25 of ISO 31000:2009.
13 Information security is defined as the preservation of confidentiality, integrity and availability of information. Defined in Clause 2.33 of ISO/IEC 27000:2016.
14 Control is defined as "measure that is modifying risk". Defined in Clause 2.16 of ISO/IEC 27000:2016.
15 Objective is defined as "result to be achieved". Defined in Clause 2.56 of ISO/IEC 27000:2016.
16 Competence is defined as "ability to apply knowledge and skills to achieve intended results". Defined in Clause 2.11 of ISO/IEC 27000:2016.
17 Risk assessment is defined as the "overall process of risk identification, risk analysis and risk evaluation". Defined in ISO/IEC 27005:2011.
VI. Performance Evaluation: This clause requires the organization to monitor18 and measure19
the performance of the ISMS and the effectiveness of its controls, to conduct internal audits20 at
planned intervals, and to have top management review the ISMS at planned intervals to ensure
its continuing suitability, adequacy and effectiveness.
VII. Improvement: This clause requires the organization to react to any non-conformity21, to
take corrective action22 to eliminate its cause so that it does not recur, and to continually
improve the suitability, adequacy and effectiveness of the ISMS.
The decision to develop an ISMS should be a strategic business decision. It should be debated,
agreed and driven by the organization's board of directors or equivalent top management group.
The design and implementation of the ISMS should be directly influenced by the organization's
needs and objectives, its security requirements, the processes it employs, and its size and
structure.
18 Monitoring is defined as "determining the status of a system, a process or an activity". Defined in Clause 2.52 of ISO/IEC 27000:2016.
19 Measure is defined as "variable to which a value is assigned as the result of measurement". Defined in Clause 2.47 of ISO/IEC 27000:2016.
20 Audit is defined as "a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled". Defined in Clause 2.5 of ISO/IEC 27000:2016.
21 Non-conformity is defined as "non-fulfilment of a requirement". Defined in Clause 2.53 of ISO/IEC 27000:2016.
22 Corrective action is defined as "action to eliminate the cause of a non-conformity and to prevent recurrence". Defined in Clause 2.19 of ISO/IEC 27000:2016.
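The Planning clause (III) and the Operations clause (V) above describe a procedure: assess each risk, select a treatment option, choose the Annex A controls that implement it, record the results and prioritize. The Python block below is an added worked example of that procedure, not code from the dissertation or from any bank. The 5x5 scoring scale, the acceptance criterion (a score of 4 or less may be retained), the register entries and the chosen treatments are assumptions made for illustration; the Annex A control numbers and titles are those of ISO/IEC 27001:2013. The block scores inherent and residual risk, orders a treatment plan by priority, flags risks whose chosen treatment still leaves them above the acceptance criterion, and derives a Statement of Applicability by mapping each control back to the risks that justify it.

```python
"""Risk assessment, risk treatment plan and Statement of Applicability (SoA).
Constructed illustration for the Planning and Operations clauses: the scale,
the acceptance criterion, the register and the treatments are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumed scale: score = likelihood x impact (each 1..5), banded as below.
BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical"))
ACCEPTANCE_THRESHOLD = 4  # assumed criterion: a score <= 4 may be retained

# Subset of ISO/IEC 27001:2013 Annex A control titles; the selection is ours.
CATALOGUE = {
    "A.9.4.2": "Secure log-on procedures",
    "A.12.4.1": "Event logging",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.17.1.2": "Implementing information security continuity",
    "A.11.2.7": "Secure disposal or re-use of equipment",
}

@dataclass
class Risk:
    rid: str
    asset: str
    scenario: str                  # threat exploiting a vulnerability
    likelihood: int                # 1..5
    impact: int                    # 1..5
    treatment: str = "retain"      # modify | retain | avoid | share
    controls: tuple = ()           # Annex A controls selected for "modify"
    residual_likelihood: Optional[int] = None   # estimates after treatment
    residual_impact: Optional[int] = None

def score(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact

def band(value: int) -> str:
    for upper, name in BANDS:
        if value <= upper:
            return name
    raise ValueError(f"score out of range: {value}")

def residual(risk: Risk) -> int:
    """Score remaining once the chosen treatment option is in place."""
    if risk.treatment == "avoid":
        return 0  # the activity stops, so the risk no longer arises
    if risk.treatment == "retain":
        return score(risk.likelihood, risk.impact)  # accepted as is
    if risk.treatment in ("modify", "share"):
        if risk.residual_likelihood is None or risk.residual_impact is None:
            raise ValueError(f"{risk.rid}: '{risk.treatment}' needs residual estimates")
        return score(risk.residual_likelihood, risk.residual_impact)
    raise ValueError(f"{risk.rid}: unknown treatment {risk.treatment!r}")

def treatment_plan(register, threshold=ACCEPTANCE_THRESHOLD):
    """Plan rows, highest inherent risk first, each checked against the criterion."""
    rows = []
    for r in register:
        inh, res = score(r.likelihood, r.impact), residual(r)
        rows.append({"rid": r.rid, "asset": r.asset, "inherent": inh,
                     "band": band(inh), "treatment": r.treatment,
                     "controls": list(r.controls), "residual": res,
                     "acceptable": res <= threshold})
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)

def still_unacceptable(register, threshold=ACCEPTANCE_THRESHOLD):
    """Risks whose chosen treatment leaves them above the acceptance criterion."""
    return [row["rid"] for row in treatment_plan(register, threshold)
            if not row["acceptable"]]

def statement_of_applicability(register, catalogue=CATALOGUE):
    """Every catalogue control, marked applicable and justified by the risks using it."""
    soa = {cid: {"title": title, "applicable": False, "justification": []}
           for cid, title in catalogue.items()}
    for r in register:
        for cid in r.controls:
            if cid not in soa:
                raise KeyError(f"{r.rid}: control {cid} is not in the catalogue")
            soa[cid]["applicable"] = True
            soa[cid]["justification"].append(r.rid)
    return soa

# Constructed register for a hypothetical bank (positional fields: rid, asset,
# scenario, likelihood, impact, treatment, controls, residual L, residual I).
REGISTER = [
    Risk("R1", "Internet banking portal", "Credential stuffing against customer logins",
         4, 5, "modify", ("A.9.4.2", "A.12.4.1"), 2, 2),
    Risk("R2", "Card-processing servers", "Unpatched service exploited from the internet",
         3, 5, "modify", ("A.12.6.1", "A.12.4.1"), 1, 4),
    Risk("R3", "Primary data centre", "Regional power failure takes branch systems down",
         2, 4, "share", (), 2, 3),  # insured: the cost is covered, the outage is not
    Risk("R4", "Branch printers", "Residual data on decommissioned equipment", 2, 2),
    Risk("R5", "Legacy FTP gateway", "Cleartext transfers intercepted", 3, 3, "avoid"),
]

if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(row)
    print("needs further treatment:", still_unacceptable(REGISTER))
```

Running the block prints the plan in priority order (R1, R2, R5, R3, R4) and reports R3 as needing further treatment: sharing the risk through insurance covers the financial consequence of an outage but, under the assumed estimates, leaves the residual score at 6, above the criterion of 4. That is the case a risk owner must either sign off on explicitly or send back for additional treatment (for example A.17.1.2) before the plan is approved, and it is the same register-to-SoA consistency that an internal auditor checks.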
ISO/IEC 27001:2013 is not a one-size-fits-all solution to an organization's information security
management needs, and it should not interfere with the growth and development of the business.
According to ISO/IEC 27001:2013:
• the ISMS is scaled in accordance with the needs of the organization;
• a simple situation requires a simple ISMS solution;
• the ISMS is expected to change over time;
• the standard is meant to be a useful model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an ISMS.
It is a model that can be applied, and understood, anywhere in the world. It is also technology
neutral and can be implemented in any hardware or software environment.
1.4. Need to implement an ISMS
[Figure: the four reasons for implementing an ISMS, grouped around the ISMS: customer
confidence, internal effectiveness, compliance and regulation, external security risks]
There are broadly four reasons for an organization to implement an ISMS. These are:
• Customer confidence
• Internal effectiveness: the desire to manage information more effectively within the
organization.
• Compliance and regulation
• External security risks
While all four reasons for adopting an ISMS are good ones, it must be remembered that having
an ISO 27001-compliant ISMS will not automatically, in itself, confer immunity from legal
obligations. The organization will have to ensure that it understands the range of legislation and
regulation with which it must comply, ensure that these requirements are reflected in the ISMS
as it is developed and implemented, and then ensure that the ISMS works as designed. The
section above gave the reasons for implementing an ISMS in an organization; the reasons for
implementing an ISMS in accordance with ISO/IEC 27001:2013 are:
• Enables an organization to quickly detect and isolate any security breach30
24 HIPAA, the Health Insurance Portability and Accountability Act, is a US act that established a national standard to be used in all doctors' offices, hospitals and other businesses where personal medical information is stored. It is a regulation designed to protect personal information and data collected and stored in medical records. Available at www.businessdictionary.com/definition/HIPPA-privacy-rule.html. Accessed on 25/02/2018.
25 The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002. Available at searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act. Accessed on 25/02/2018.
26 The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers' sensitive data, inform customers of their right to opt out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers' private data in accordance with a written information security plan created by the institution. Available at https://digitalguardian.com/blog/what-glba-compliance-understanding-data-protection-requirements-gramm-leach-bliley-act. Accessed on 25/02/2018.
27 Edward Humphreys (2016). Implementing the ISO/IEC 27001 ISMS Standard. 2nd ed. UK: Artech House. 10-85. ISBN 13: 978-1-60807-930-8.
28 In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements. Congressmen Paul Sarbanes and Michael Oxley drafted the act with the goal of improving corporate governance and accountability, in light of the financial scandals that occurred at Enron, WorldCom and Tyco, among others. Available at https://digitalguardian.com/blog/what-sox-compliance. Accessed on 25/02/2018.
29 SSAE 16, Statement on Standards for Attestation Engagements 16, is an attestation standard created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for redefining and updating how service companies report on compliance controls. Available at searchcloudsecurity.techtarget.com/definition/SSAE-16. Accessed on 25/02/2018.
Page | 8
RGNCLC, NLIU, BHOPAL
Implementation of ISO 27001:2013 in Banking Industry
1.5.6. Ensure that “knowledge capital” will be “stored” in a business management system
Since one of the focuses of an ISMS is the concept of availability, it encourages organizations to develop a knowledge database from which they can draw the needed expertise in situations where certain personnel or systems are unavailable.
30 A security breach is any incident that results in unauthorized access to data, applications, services, networks and/or devices by bypassing their underlying security mechanisms. A security breach is also known as a security violation. Available at https://www.techopedia.com/definition/29060/security-breach. Accessed on 25/02/2018.
• Provides evidence and assurance that an organization has complied with the standard’s requirements.
1.6.1. Books/E-Books
Shon Harris, All in One CISSP Exam Guide, McGraw-Hill Companies Publications, Eighth Edition 2016, ISBN 978-0-07-178173-2
This book provides guidance for the Certified Information Systems Security Professional (CISSP) examination, so it covers almost all domains of information security. For this research the researcher preferred Chapter 2 of the book, titled “Information Security Governance and Risk Management”, in which the author elaborates all the regulatory frameworks for information security and the major points of concern while implementing such a standard in an organization.
Alan Calder, Implementing Information Security Based on ISO 27001/ISO 27002 - A Management Guide, Van Haren Publishing, Second Edition, 2009, ISBN 978-90-8753-540-7.
This management guide provides an overview of the two international information security standards ISO 27001 and ISO 27002. These standards provide a basis for implementing information security controls to meet an organization’s own business requirements, as well as a set of controls for business relationships with other parties. The guide provides an introduction and overview to both standards, the background to the current version of the standards, and links to other standards such as ISO 9001, BS 25999 and ISO 20000 and to frameworks such as COBIT and ITIL. Above all, this handy book describes how ISO 27001 and ISO 27002 interact to guide an organization in the development of best practices for an Information Security Management System.
handbook presents a readable overview of the political, regulatory, technical, people and process considerations in complying with an ever more demanding regulatory environment and in achieving good corporate governance. Offering an international overview, this book features contributions from sixty-four industry experts from fifteen countries.
1.6.3. Standards
ISO/IEC 27000:2016 Information Technology - Security Techniques - Information Security Management Systems - Overview and Vocabulary.
It is a widely accepted international standard used for developing an understanding of Information Security Management Systems (ISMS); it basically provides the definition, overview and importance of an ISMS. For implementing ISO/IEC 27001:2013 in any organisation we first need to understand its terms and definitions and, as stated in clause 3 of the standard, “For the purposes of this document (ISO/IEC 27001:2013), the terms and definitions given in ISO/IEC 27000 apply”; the latest version of ISO/IEC 27000 is 27000:2016. This standard helps the researcher to understand definitions of basic terms like Audit, Availability, Confidentiality, Integrity etc., and for further research I will refer to this standard for defining any terms and for getting the key concepts of an ISMS.
The document provides best practice recommendations and guidance for organizations selecting and implementing information security controls within the process of initiating, implementing and maintaining an Information Security Management System (ISMS). ISO/IEC 27002 applies to all types and sizes of organizations, including the public and private sectors, commercial and non-profit, that collect, process, store and transmit information in many forms, including electronic, physical and verbal. This standard should be used as a reference for the consideration of controls within the process of implementing an ISMS based on ISO/IEC 27001, for implementing commonly accepted information security controls, and for developing the organization’s own information security management guidelines.
31 ISO/IEC 27001:2005 is an older version of ISO/IEC 27001:2013 which has now been withdrawn by ISO.
32 Available at https://www.bsigroup.com/en-IN/ISOIEC-27001-Information-Security/Introduction-to-ISOIEC-27001. Accessed on 24/02/2018.
its unique information security risks and requirements, and the needs and expectations of interested parties. It will also be influenced by its inherent complexity and its corporate context.33
The 2005 version of the standard heavily employed the PDCA (Plan-Do-Check-Act) model to structure the processes, and reflected the principles set out in the OECD guidelines. However, the latest, 2013 version places more emphasis on measuring and evaluating how well an organisation's ISMS is performing. A section on outsourcing was also added with this release, and additional attention was paid to the organisational context of information security.35
33 Available at http://www.praxiom.com/iso-27001-intro.html. Accessed on 24/02/2017.
34 Id.
35 Available at https://dqsus.com/certification/iso-27001. Accessed on 24/02/2018.
36 Organization is defined as “Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives”. Available at Clause 2.57 of ISO/IEC 27000:2016.
contractual obligations, are applicable, and consequently, if any of these should become
compliance obligations.
5. Leadership
5.1 Leadership and commitment
Top management39 and line managers with relevant roles in the organization must demonstrate
genuine effort to engage people in the support of the ISMS. This clause provides many items of
top management commitment with enhanced levels of leadership, involvement, and cooperation
in the operation of the ISMS, by ensuring aspects like:
• Information security policy and objectives’ alignment with each other, and with the strategic policies and overall direction of the business;
• Information security activities’ integration with other business systems where applicable;
• Provision of resources so the ISMS can be operated efficiently;
• Understanding of the importance of information security management and compliance with ISMS requirements;
• Achievement of ISMS objectives;
• Definition of information security responsibilities of people within the ISMS, and their correct support, training, and guidance to complete their tasks effectively;
• Support of the ISMS during its whole life cycle, considering a PDCA approach and continual improvement.40
5.2 Policy
Top management has the responsibility to establish an information security policy, which is
aligned with the organization’s purposes and provides a framework for setting information
security objectives, including a commitment to fulfill applicable requirements and the continual
37 Documented Information is defined as “Information required to be controlled and maintained by an organization and the medium on which it is contained”. Available at Clause 2.23 of ISO/IEC 27000:2016.
38 Available at https://advisera.com/27001academy/knowledgebase-category/iso-27001-implementation. Accessed on 24/02/2018.
39 Top Management is defined as “Person or group of people who directs and controls an organization at the highest level”. Available at Clause no. 2.84 of ISO/IEC 27000:2016.
40 Available at https://advisera.com/27001academy/knowledgebase-category/iso-27001-implementation. Accessed on 24/02/2018.
improvement41 of the ISMS. The information security policy must be maintained as documented
information, be communicated within the organization, and be available to all interested parties.
6. Planning
6.1 Actions to address risks and opportunities
6.1.1 General
This clause seeks to cover the “preventive action”43 stated in ISO 27001:2013. The organization
must plan actions to handle risks and opportunities relevant to the context of the organization
(section 4.1) and the needs and expectations of interested parties (section 4.2), as a way to ensure
that the ISMS can achieve its intended outcomes and results, prevent or mitigate undesired
consequences, and continually improve. These actions must consider their integration with ISMS
activities, as well as how effectiveness should be evaluated.
41 Continual Improvement is defined as “Recurring activity to enhance performance”. Defined in Clause 2.15 of ISO/IEC 27000:2016.
42 Available at http://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001. Accessed on 24/02/2018.
43 Preventive action is performed to eliminate a potential event that could create a nonconformity. While talking about preventive action, we must remember that the nonconformity has not yet taken place; preventive action consists of identifying and eliminating the cause of a potential nonconformity.
44 Risk Acceptance is defined as “Informed decision to take a particular Risk”. Defined in Clause no. 2.69 of ISO/IEC 27000:2016.
45 Risk Assessment is defined as “Overall process of risk identification, risk analysis and risk evaluation”. Defined in Clause no. 2.71 of ISO/IEC 27000:2016.
The objectives must be updated when deemed necessary. They must be thought of in terms of
what needs to be done, when it needs to be done by, what resources are required to achieve them,
who is responsible for the objectives, and how results are to be evaluated, to ensure that
objectives are being achieved and can be updated when circumstances require. Again, it is
mandatory that documented information is kept outlining the information security objectives.
7. Support
7.1 Resources
In this clause, the standard states that resources required by the ISMS to achieve the stated
objectives and show continual improvement must be defined and made available by the
organization.
7.2 Competence
The competence46 of people given responsibility for the ISMS who work under the
organization’s control must meet the terms of the ISO 27001:2013 standard, to ensure that their
performance47 does not negatively affect the ISMS. Competence can be demonstrated by
experience, training, and/or education regarding the assumed tasks. When the competence is not
enough, training must be identified and delivered, as well as measured to ensure that the required
level of competence was achieved. This is also another aspect of the standard that must be kept
as documented information for the ISMS.
7.3 Awareness
Awareness is closely related to competence in the standard. People who work under the
organization’s control must be made aware of the information security policy and its contents,
what their personal performance means to the ISMS and its objectives, and what the implications
of nonconformities may be to the ISMS.
7.4 Communication
Internal and external communication deemed relevant to the ISMS must be determined, as well as the processes by which it is to be effected, considering what needs to be communicated, by whom, when it should be done, and who needs to receive the communication.
46 Competence is defined as “Ability to apply knowledge and skills to achieve intended results”. Available at Clause No. 2.11 of ISO/IEC 27000:2016.
47 Performance, per Note 2 of Clause no. 2.59 of ISO/IEC 27000:2016, can relate to the “Management of activities, processes, products (including services), systems or organizations”.
This change was designed to facilitate the management of documents and records required by the
standard, as well as those viewed as critical by the organization to the ISMS and its operation. It
should also be noted that the amount and coverage of documented information that an
organization requires will differ, according to its size, activities, products, services, complexity
of processes and their interrelations, and people’s competence.
8. Operation
8.1 Operational planning and control
To ensure that risks50 and opportunities are treated properly (clause 6.1), security objectives are
achieved (clause 6.2), and information security requirements are met, an ISMS must plan,
implement, and control its processes, as well as identify and control any relevant outsourced51
processes, and retain documented information deemed as necessary to provide confidence that
the processes are being performed and achieving their results as planned. Being focused on
keeping the information secure, the ISMS also should consider in its planning and control the
monitoring of planned changes, and impact analysis of unexpected changes, to be able to take
actions to mitigate adverse effects if necessary.52
48 Review is defined as “activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives”. Available at Clause 2.65 of ISO/IEC 27000:2016.
49 Control is defined as “Measure that is modifying risk”. Available at Clause No. 2.68 of ISO/IEC 27000:2016.
50 Risk is defined as “Effect of uncertainty on objectives”. Available at Clause 2.68 of ISO/IEC 27000:2016.
51 Outsource is defined as “Make an arrangement where an external organization performs part of an organization’s function or process”. Available at Clause 2.58 of ISO/IEC 27000:2016.
52 Available at http://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001. Accessed on 25/02/2018.
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
The organization not only has to establish and evaluate performance metrics regarding the
effectiveness and efficiency of processes, procedures, and functions that protect information, but
should also consider metrics for the ISMS performance, regarding compliance with the standard,
preventive actions in response to adverse trends, and the degree by which the information
security policy, objectives, and goals are being achieved.
The methods established should take into consideration what needs to be monitored and
measured, how to ensure the accuracy of results, and at what frequency to perform the
monitoring, measurement, analysis, and evaluation of ISMS data and results. It should also be
noted that performance results should be properly retained as evidence of compliance and as a
source to facilitate subsequent corrective actions.
Auditors should be independent and have no conflict of interest over the audit subject. Auditors
also must report the audit results to relevant management, and ensure that non-conformities are
subject to the responsible managers, who in turn must ensure that any corrective measures
needed are implemented in a timely manner. Finally, the auditor must also verify the
effectiveness of corrective actions taken.
53 Risk Assessment is defined as “Overall process of risk identification, risk analysis and risk evaluation”. Available at Clause no. 2.71 of ISO/IEC 27000:2016.
54 Risk Treatment is defined as “Process to modify Risk”. Available at Clause no. 2.79 of ISO/IEC 27000:2016.
The status of actions defined in previous reviews, significant internal and external factors that
may impact the ISMS, information security performance, and opportunities for improvement
should be reviewed by top management, so relevant adjustments and improvement opportunities
can be implemented.
The management review is the most relevant function to the continuity of an ISMS, because of
the top management’s direct involvement, and all details and data from the management review
must be documented and recorded to ensure that the ISMS can follow the specific requirements
and general strategic direction for the organization detailed there.
10. Improvement
10.1 Nonconformity and corrective action
Outputs from management reviews, internal audits, and compliance and performance evaluation
should all be used to form the basis for nonconformities and corrective actions55. Once identified,
a nonconformity or corrective action should trigger, if considered relevant, proper and systematic
responses to mitigate its consequences and eliminate root causes, by updating processes and
procedures, to avoid recurrence. The effectiveness of actions taken must be evaluated and
documented, along with the originally reported information about the nonconformity / corrective
action and the results achieved.
9. Communication
10. Competence and Awareness
11. Supplier Relationships
12. Internal Audit
13. Incident Management
14. Continuous Improvement
covered or only partially covered by the ISMS. To avoid any unpleasant and unintended
surprises, the scope document and/or a precise description of the scope should be
requested in addition to the certificate.
Another important document regarding the scope of an ISMS is the statement of
applicability (SoA) required by the standard. The SoA includes explanations of the decisions to implement the controls in Annex A – i.e., whether the control in question is used
within the ISMS or not, including an appropriate justification.
A rough outline of the scope is usually provided in the information security policy.
Unlike the scope document, the security policy and the SoA are generally categorized as
internal documents and should not be passed on to external parties. However, as
previously mentioned, close attention must be paid to the precise definition of the scope
and the content of the SoA in the context of service provider relationships and, if
applicable, service provider audits.58
Situation Analysis
The purpose of the situation analysis is to place the ISMS into the overall environment based on
its scope. In addition to the organizational and technical relations relevant to the ISMS, it should
also include conditions that are typical for the respective industry or location. This must include
the internal context, such as other management systems (ISO 9001:2015, ISO 22301:2012, etc.),
as well as how it relates to other important departments such as risk management, human
resources, data protection, audit and legal - if this is not already part of the existing scope. It
must also include the external context, such as important suppliers and service providers,
strategic partners, and any other relevant organizations.
Requirement Analysis
The persons in charge of the ISMS need to have a clear overview of the existing stakeholders,
and their requirements for the organization and the management system. The requirements of
interested parties may include legal and official provisions (for example the German Federal
Data Protection Act BDSG, the German Act against Unfair Competition UWG, the German
Telemedia Act TMG, regulatory authorities, etc.) as well as contractual obligations. The organization itself (or an organization on a higher hierarchical level) might also have decision-making and/or policy-making authority, which must be taken into account.59
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
• scope of the ISMS (Clause 4.3)
• statement of applicability (Clause 6.1.3 d)
• overview of all relevant legal, regulatory, and contractual requirements that have an impact on the information security strategy and the ISMS (A.18.1)
Additionally, the following documents have proven useful in practice:
• Overview of all stakeholders relevant to the specific scope of the ISMS
58 Gerhard Funk (2016). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Germany Chapter. Page 13.
59 Id.
The standard correctly and explicitly requires top management to take full and verifiable
responsibility for information security within the organization. In addition, the importance of an
effective ISMS and compliance with its requirements must be communicated to the affected
employees. This is generally achieved by means of the information security policy.
Under the headline ‘IT governance’, and in relation to management’s responsibility for strategy, particularly in areas subject to regulation, the supervisory authorities and boards are increasingly requesting verifiable proof of responsibility.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
• Clause 9.3 ‘Management Review’ requires documentation of the fact that top management monitors the ISMS, including the decisions regarding changes and improvements to the ISMS. They can be included in the risk treatment plan in the form of measures.
• Results of a management review, such as decisions on options for continuous improvement, must be retained as documented information.
Note: There are several documentation options in the context of management responsibility. The
examples above are suggestions for possible types of recording that contribute to making
reporting and decision-making processes more transparent. Each organization must determine
the type and frequency of documentation that works best.
60 Julia Hermann (CISSP, CISM) (2016). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Germany Chapter. Page 16.
2.3.3. IS Objectives
The ISMS as a whole contributes to protecting and maintaining confidentiality, integrity, and
availability of the respective business processes and the information contained therein. The
company objectives laid out by company management and the IT objectives derived from the
company objectives serve as the basis for designing/determining the information security
objectives and the resulting controls.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
• Documentation of the IS objectives must be made available.
2.3.4. IS Policy
The (top) managers responsible for the organization are required to set out an information
security policy (IS policy) that documents the organization’s strategic decision to implement an
ISMS, informs the target group about the obligation to comply with information security
requirements as well as the self-commitment to continuously improve the ISMS. The policy must
suit the organization’s purpose and include the principles and objectives that the ISMS seeks to
achieve, as well as the organization’s general information security objectives.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
• Information security policy (see Clause 5.2 e)
Additionally, the following documents have proven useful in practice:
• Subject-specific information security policies and guidelines (see Annex A.5.1)
• Associated documents and organizational charts, e.g., explaining the organizational structure in the context of information security (if not included in the policy)62
61 Giesecke & Devrient GmbH, Angelika Holl (CISA, CISM) (2015). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. UK Chapter. Page 11.
62 Id.
However, it must be ensured that roles are clearly structured and defined, and that potential
conflicts of interest are avoided.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
• Proof of qualifications (Clause 7.2 d)
Additionally, the following documents have proven useful in practice:
• Descriptions of roles/job descriptions
• Design of the strategic and operational partnership between Process Owner and CISO63
63 Nikolay Jeliazkov (CISA, CISM), Union Investment (2015). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. UK Chapter. Page 13.
64 Brainstorming is the name given to a situation when a group of people meet to generate new ideas around a specific area of interest. Using rules which remove inhibitions, people are able to think more freely and move into new areas of thought and so create numerous new ideas and solutions. The participants shout out ideas as they occur to them and then build on the ideas raised by others. All the ideas are noted down and are not criticized. Only when the brainstorming session is over are the ideas evaluated. Available at http://www.brainstorming.co.uk/tutorials/whatisbrainstorming.html. Accessed on 01/03/2018.
65 A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or by delayed deliveries. There are many possible scenarios which should be considered. Available at https://www.ready.gov/business-impact-analysis. Accessed on 01/03/2018.
66 The Delphi method was originally developed in the early 1950s at the RAND Corporation by Olaf Helmer and Norman Dalkey. In Delphi decision groups, a series of questionnaires, surveys, etc. are sent to selected respondents (the Delphi group) through a facilitator who oversees the responses of their panel of experts. The group does not meet face-to-face. All communication is normally in writing (letters or email). Members of the groups are selected because they are experts or they have relevant information. The responses are collected and analyzed to determine conflicting viewpoints on each point. The process continues in order to work towards synthesis and building consensus. Available at http://www.nwlink.com/~donclark/perform/delphi_process.html. Accessed on 01/03/2018.
organization from having to invest the same level of funding and resources in handling all identified and analyzed risks.
• Risk acceptance criteria can be defined in terms of acceptance levels based on the qualitative and/or quantitative potential for damage (e.g., non-compliance, financial harm, damage to reputation, etc.).
• Risk acceptance criteria can encompass multiple threshold values. Each threshold level can be tied to a specific level of the hierarchy/management so that the acceptance of risks above a certain level can only be handled by the managers appointed within this level.
• For purposes of improved comparability and reproducibility, qualitative damage levels can be converted to (financial) values. These values can generally only be approximate, however.
• For small and medium-sized companies in particular, it may be recommendable to start the risk assessment process with a simplified model and then enhance it step by step. For example, in the first step, risks can be compiled and initially evaluated without a completely fleshed-out model and in cooperation with the experts in the IT department(s). Risk acceptance criteria can be derived from the results step by step and then translated into formal criteria at a later point, upon approval from company management.
• Risk acceptance criteria should be defined with care and foresight to ensure that they are in line with the company’s attitude toward risk (neither too high nor too low) and that they safeguard the efficiency and effectiveness of the ISMS by allowing risks to be comprehensively identified and consistently treated in accordance with how they have been assessed (not all risks can be given top priority).
• In practice, it would be impossible to implement a risk management system that is completely comprehensive, that detects and analyzes in detail all information security risks in all areas of the company at all times – the same way that it would be impossible and impractical to operate all IT systems with the same level of security. An ‘appropriately high’ level of security for certain components and processes simultaneously means an ‘appropriately low’ level of security for other components and processes. The trick is drawing this distinction; it requires sufficient experience and the proper methods and assessment criteria.
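As an added example (not from the dissertation or the guideline it quotes), the following Python sketch models the tiered acceptance criteria described above: qualitative damage levels are converted to approximate monetary values, several thresholds are defined, and each threshold is tied to the lowest management level that may accept a risk at or below it; it also checks that every risk has an owner, a point made later in this chapter. The level names, amounts, likelihood scale and sample register are constructed assumptions, not values taken from ISO/IEC 27001.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed conversion of qualitative damage levels to approximate monetary
# values (generic currency units); an organization calibrates these itself.
DAMAGE_VALUE: Dict[str, int] = {
    "low": 10_000,
    "medium": 100_000,
    "high": 1_000_000,
    "critical": 10_000_000,
}

# Constructed likelihood scale as an annual probability in percent, so that the
# expected loss stays an exact integer.
LIKELIHOOD_PCT: Dict[str, int] = {"rare": 5, "unlikely": 20, "possible": 50, "likely": 90}

# Assumed management hierarchy, lowest authority first.
HIERARCHY: List[str] = ["process owner", "department head", "CISO", "top management"]

# Acceptance thresholds on expected annual loss, ascending. A risk at or below a
# threshold may be accepted by the named level or any level above it; a risk
# above the last threshold may only be accepted by top management.
ACCEPTANCE_TIERS = [
    (50_000, "process owner"),
    (500_000, "department head"),
    (5_000_000, "CISO"),
]


@dataclass
class Risk:
    risk_id: str
    description: str
    damage: str                  # key of DAMAGE_VALUE
    likelihood: str              # key of LIKELIHOOD_PCT
    owner: Optional[str] = None  # named risk owner; None means unassigned


def expected_annual_loss(risk: Risk) -> int:
    """Approximate the qualitative assessment as an expected annual loss."""
    return DAMAGE_VALUE[risk.damage] * LIKELIHOOD_PCT[risk.likelihood] // 100


def required_acceptance_level(eal: int) -> str:
    """Lowest management level allowed to accept a risk with this expected loss."""
    for threshold, level in ACCEPTANCE_TIERS:
        if eal <= threshold:
            return level
    return HIERARCHY[-1]


def may_accept(acceptor_level: str, eal: int) -> bool:
    """True if the accepting level is at or above the level the loss requires."""
    required = required_acceptance_level(eal)
    return HIERARCHY.index(acceptor_level) >= HIERARCHY.index(required)


def prioritise(risks: List[Risk]) -> List[str]:
    """Order risk ids by expected annual loss, highest first, so that treatment
    follows the assessment instead of giving every risk top priority."""
    return [r.risk_id for r in sorted(risks, key=expected_annual_loss, reverse=True)]


def review_register(risks: List[Risk], acceptances: Dict[str, str]) -> List[str]:
    """Check a risk register against the criteria. `acceptances` maps a risk id
    to the management level that signed off its acceptance."""
    findings: List[str] = []
    for risk in risks:
        if not risk.owner:
            findings.append(f"{risk.risk_id}: no risk owner assigned")
        eal = expected_annual_loss(risk)
        signed_by = acceptances.get(risk.risk_id)
        if signed_by is not None and not may_accept(signed_by, eal):
            findings.append(
                f"{risk.risk_id}: accepted by {signed_by} but expected annual loss "
                f"{eal:,} requires {required_acceptance_level(eal)}"
            )
    return findings


# Constructed sample register for a bank's ISMS scope.
SAMPLE_RISKS = [
    Risk("R1", "Unpatched internet banking server", "high", "possible", "Head of Online Channels"),
    Risk("R2", "Core banking database backup failure", "critical", "unlikely", "Head of IT Operations"),
    Risk("R3", "Visitor badges not collected at branch exit", "low", "likely", "Branch Manager"),
    Risk("R4", "Privileged access to payment gateway without MFA", "critical", "likely"),
]
# Constructed sign-offs: R1 was accepted one level too low; R4 has no acceptance yet.
SAMPLE_ACCEPTANCES = {"R1": "process owner", "R2": "CISO", "R3": "process owner"}

if __name__ == "__main__":
    for rid in prioritise(SAMPLE_RISKS):
        risk = next(r for r in SAMPLE_RISKS if r.risk_id == rid)
        eal = expected_annual_loss(risk)
        print(f"{rid}: EAL {eal:>10,}  acceptance requires: {required_acceptance_level(eal)}")
    for finding in review_register(SAMPLE_RISKS, SAMPLE_ACCEPTANCES):
        print("FINDING:", finding)
```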
Once the risk assessment method has been defined, the steps of the risk management process
follow in order:
Audits
Audits may show that the relevant departments are not properly implementing security standards or existing best practices, or that the relevant systems are not in line with these standards/practices.
Naturally, a prerequisite is that audits have been conducted in the first place and that the audit
process includes a clear approach to dealing with the findings of the audit (documentation of
findings, handover of findings to the audited department, etc.).
Risk analysis
Explicit risk analysis and assessments can be specifically conducted for business-critical
processes, applications, and systems; these analyses and assessments can be used to make clear
statements regarding the risk situation and risk exposure of the affected processes, applications,
and systems. In the context of project management, risk analysis (each with an appropriate
scope) should be mandatory.
Operations
Depending on the risk management process selected, insight gained during ‘normal’ operations
may bring to light previously unidentified risks that should/must be (swiftly) reported to the risk
management team upon assessment by the employees/team of experts responsible for the subject.
Security incidents
Security incidents (however they are defined) can allow for the identification of previously
unknown risks on the one hand; the incident makes these risks ‘visible,’ so to speak. On the other
hand, risks that are already known but have not been sufficiently dealt with, or risks that were
accepted up to this point, may materialize (e.g., because of active exploitation of a known
vulnerability by an attacker or the failure of a system due to insufficient technical
dimensioning).67
67
Available at Boban Krsic (CISA, CISM, CISSP, CRISC). (2017). A practical guideline for implementing an ISMS
in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013.
US Chapter. Page 13.
Risk treatment measures can be drawn from practically any source, but they must be in
line with Annex A of the standard and the SoA of the ISMS.
Risks must be assigned to the appropriate risk owner. Without dedicated owners, it will
be difficult to make a ‘correct’ assessment or ensure successful long-term treatment of
identified risks.
The risk owner is generally the authority that bears responsibility for the financial impact
of the risk if it materializes. In many cases, this is the process owner, but it might also be
upper management, depending on the impact and risk assessment.
Even if the risks are caused by IT systems, for example, the affected business areas
ultimately suffer the effects. So, even though the respective IT department is responsible
for the treatment of (IT) risks, the departments that are affected by the risk and that
make decisions regarding the allocation of resources are still the risk owners and are still
fully accountable.
The risk identification process and the process of identifying the associated risk owner
can be carried out separately/at different times.
68
Available at ISO/IEC 27005:2011.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
Risk assessment process (Clause 6.1.2)
Risk treatment process (Clause 6.1.3)
Records and results of risk assessments/risk analyses (Clause 8.2)
Records and results of risk treatments (Clause 8.3)
Additionally, the following documents have proven useful in practice:
Records and results of risk assessments and risk analyses69
This means assessing the current situation compared to the desired situation as laid out in the
provisions and to intervene in a corrective capacity as required. These performance indicators are
aggregated in terms of the company objectives to be achieved, legal regulations, and protection
requirements. The aggregated performance indicators are known as key performance indicators
(KPIs).
KPIs are both important and beneficial because they make it possible to make general statements
about the security system. They provide management with a transparent, comprehensible basis
69
Available at Boban Krsic (CISA, CISM, CISSP, CRISC). (2017). A practical guideline for implementing an ISMS
in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013.
US Chapter. Page 13.
for making well-founded decisions governing information security. KPIs can uncover indicators
of (new) risks and/or changes within the risk landscape, as well as non-conformities in terms of
the implementation of security provisions and guidelines.
Asset ownership: number of information assets that are assigned to an owner in relation
to the total number of information assets, expressed as a percentage.
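As an added illustration (not part of the dissertation or the guideline it draws on), the following Python script models the risk acceptance criteria and risk-owner assignment described in the risk management section above, together with the asset ownership KPI just defined. The 5-step likelihood and impact scales, the thresholds, the asset names and the register entries are constructed assumptions; ISO/IEC 27001:2013 leaves all of them to the organization.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed 5-step scales; ISO/IEC 27001 leaves scales and thresholds to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class AcceptanceCriteria:
    """Formal risk acceptance criteria; binding only once management has approved them."""
    accept_below: int              # likelihood x impact below this may be accepted as is
    escalate_at: int               # at or above this the financial impact sits with upper management
    approved_by: Optional[str] = None


@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]           # None = no asset owner assigned yet


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: Asset
    likelihood: str
    impact: str
    process_owner: Optional[str]   # party bearing the financial impact in the normal case


def score(risk: Risk) -> int:
    """Inherent risk score on the constructed 1..25 scale."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def risk_owner(risk: Risk, criteria: AcceptanceCriteria) -> Optional[str]:
    """The risk owner is whoever bears the financial impact: the process owner,
    or upper management once the score reaches the escalation threshold."""
    if score(risk) >= criteria.escalate_at:
        return "upper management"
    return risk.process_owner


def decide(risk: Risk, criteria: AcceptanceCriteria) -> str:
    """Classify a risk consistently with how it was assessed.
    Returns 'accept', 'treat', 'escalate' or 'blocked: no risk owner'."""
    if criteria.approved_by is None:
        raise ValueError("acceptance criteria must be approved by management before use")
    if risk_owner(risk, criteria) is None:
        # Without a dedicated owner neither a correct assessment nor long-term treatment is possible.
        return "blocked: no risk owner"
    s = score(risk)
    if s >= criteria.escalate_at:
        return "escalate"
    if s < criteria.accept_below:
        return "accept"
    return "treat"


def acceptance_ratio(risks, criteria: AcceptanceCriteria) -> float:
    """Share of decidable risks that the criteria accept; 0.0 or 1.0 signals criteria
    set too high or too low (every risk is top priority, or none is)."""
    decisions = [decide(r, criteria) for r in risks]
    decidable = [d for d in decisions if not d.startswith("blocked")]
    if not decidable:
        return 0.0
    return decidable.count("accept") / len(decidable)


def asset_ownership_kpi(assets) -> float:
    """KPI 'asset ownership': assets with an owner as a percentage of all assets."""
    if not assets:
        return 0.0
    owned = sum(1 for a in assets if a.owner)
    return round(100.0 * owned / len(assets), 1)


# Constructed sample register for a hypothetical bank (not data from the dissertation).
CORE_DB = Asset("core banking database", "Head of Retail Banking")
PORTAL = Asset("internet banking portal", "Head of Digital Channels")
ATM_SWITCH = Asset("legacy ATM switch", None)
HR_SYSTEM = Asset("HR system", "Head of HR")
ASSETS = [CORE_DB, PORTAL, ATM_SWITCH, HR_SYSTEM]

RISKS = [
    Risk("R1", PORTAL, "possible", "major", "Head of Digital Channels"),
    Risk("R2", CORE_DB, "likely", "severe", "Head of Retail Banking"),
    Risk("R3", HR_SYSTEM, "rare", "minor", "Head of HR"),
    Risk("R4", ATM_SWITCH, "possible", "moderate", None),
]
CRITERIA = AcceptanceCriteria(accept_below=6, escalate_at=15, approved_by="board, 2018-04")

if __name__ == "__main__":
    for r in RISKS:
        print(r.rid, score(r), risk_owner(r, CRITERIA), decide(r, CRITERIA))
    print("acceptance ratio", acceptance_ratio(RISKS, CRITERIA))
    print("asset ownership KPI", asset_ownership_kpi(ASSETS), "%")
```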
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
Documentation of the measurement structure for all KPIs.
This answers the following questions:
How are the metrics defined in detail?
What was measured and evaluated?
Which methods were used for measurement, analysis, and evaluation, and do they
lead to reproducible results?
When were measurements conducted, and by whom?
When were analyses and evaluations conducted, and by whom?
Results of measurements and the derived management reports for escalation
Additionally, the following documents have proven useful in practice:
All records and evidence that prove effectiveness.
2.3.8. Documentation
In the context of documentation, a primary requirement is that the following aspects are
regulated (at least) for ISMS documentation within the management system:
The content and degree of detail that the standard requires in documents depends in part on the
selected scope of the ISMS, the size of the organization, the technologies utilized, and the
organizational structure; for this reason, these factors differ from organization to organization.
The number and type of documents can also vary. From a practical perspective, it can be a good
idea for a given organization to create a set of (numerous) individual documents and maintain
them granularly. For other organizations, on the other hand, it may make more sense to use a
central storage medium that can be accessed from anywhere in the organization. In practice, this
can mean using a wiki or another online system as the basis for documentation.
If no specific documents are required, the standard ISO/IEC 27001:2013 uses the term
‘documented information’ in connection with documentation and records. In this case, it is left
up to the company to decide what types of documents should be used to manage this
information; the term ‘document’ can comprise any number of formats.
The documentation required within the ISMS must be continuously monitored to ensure the
following:
Availability and suitability for the intended use, regardless of time and location
Appropriate protection, e.g., from loss of confidentiality, improper use, or unauthorized
manipulation/loss of integrity.70
Documentation requirements
The following minimum documentation requirements always apply according to ISO/IEC
27001:2013 (Clauses 4-10):
Scope of the ISMS (Clause 4.3)
Information security policy (Clause 5.2 e)
Description of the risk assessment process (Clause 6.1.2)
Description of the risk treatment process (Clause 6.1.3)
Statement of applicability (Clause 6.1.3 d)
Information security risk treatment plan (Clause 6.1.3 e)
Information security objectives (Clause 6.2)
Evidence of competence (Clause 7.2 d)
Proof of proper execution of the ISMS processes (Clause 8.1)
Results of the information security risk assessment, (Clause 8.2)
Results of the information security treatment (Clause 8.3)
Evidence of the monitoring and measurement results of the ISMS (Clause 9.1)
70
Available at BridgingIT GmbH, Jan Oetting (CISA, CISSP). A practical guideline for implementing an ISMS in
accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013.
US Chapter. Page 13.
Evidence of the audit program(s) and the audit results (Clause 9.2)
Evidence of the results of management reviews (Clause 9.3)
Evidence of the nature of the nonconformities and any subsequent actions taken (Clause
10.1 f)
Evidence of the results of any corrective action (Clause 10.1 g)
Moreover, the organization must determine for itself which documentation and records are
necessary in addition to those required by the standard to ‘establish sufficient trust that the
processes will be carried out as planned’ (see Clause 8.1). Added to that are the documents and
records from Annex A, if these measures are applicable in accordance with the statement of
applicability.
2.3.9. Communication
When operating an ISMS, cooperation with other organizations and departments is required
(suppliers, human resources department, legal department, audit, etc.). The primary task of the
‘Communication’ component is determining and describing the requirements for internal and
external communication. External communication here refers to communication with (external)
stakeholders and other organizations. Internal communication refers to the need for communication
within the management system and within the organization – e.g., with internal stakeholders
such as the board of directors, executives, and employees.
71
Available at BridgingIT GmbH, Jan Oetting (CISA, CISSP). A practical guideline for implementing an ISMS in
accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013.
US Chapter. Page 13.
Documentation requirements
ISO/IEC 27001:2013 does not include any specific documentation requirements for the ISMS in
the context of communication.
Additionally, the following documents have proven useful in practice:
Procedures for internal and external communication
Communication matrix
Communication plan72
Obviously, making employees and executives aware of the issue isn’t a magic bullet when it
comes to preventing information security-related issues. There is no empirical evidence that the
number of security incidents decreases because of awareness campaigns. In fact, the opposite is
usually true, because employees tend to report security incidents more frequently as their
awareness increases (regardless of whether those numbers include some false reports). In that
sense, it is not necessarily a bad thing if the number of security incidents reported goes up. One
thing is clear, however: If an employee or manager is not very aware of the applicable security
regulations and processes or the specific risks that they face daily, it will be even more difficult
72
Available at Andrea Rupprich (CISA, CISM). A practical guideline for implementing an ISMS in accordance with
the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Canada Chapter.
Page 13.
to achieve the desired level of security within the company and to ensure transparent
communication of the issue.
Creating a robust and balanced level of risk awareness within a company is consequently an
essential component of a functional ISMS that generates value for an organization by identifying
threats at an early stage, preventing security incidents, and eliminating the labor that would have
been required to deal with these materialized threats.
However, security awareness isn’t something that is created out of thin air; it requires active
support and effort on the company’s part (in the form of awareness campaigns), and it must
address the following points (see Clause 7.3):
It must be ensured that the intended audience for the guidelines (employees, executives,
external partners) is aware of the information security policy and the relevant information
security guidelines.
Each individual employee’s contribution to the effectiveness of the information security
guidelines within the scope of the ISMS must stem from materials that are used in the
context of an awareness campaign and that can be proven through testing, if necessary.
Consequences of and possible sanctions for non-compliance with security provisions
must stem from materials that are used in the context of an awareness campaign.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
Proof of employee competence within the scope of the ISMS (Clause 7.2)
73
Available at Andrea Rupprich (CISA, CISM). A practical guideline for implementing an ISMS in accordance with
the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. US Chapter. Page
20.
Highly publicized incidents from recent years are proof of this fact; in these cases, security flaws
at service providers led to data theft or other security incidents at well-known companies.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
Determining the scope, taking into account dependencies of external partners and service
providers (Clause 4.3)
The audit program is intended to ensure that all the business processes covered by the ISMS (in
accordance with the scope) are audited at least once every three years in terms of the applicable
provisions and guidelines on information security and in terms of conformity with the ISMS.
Evidence of the audit must be provided. For purposes of the standard, the term ‘internal audits’
does not refer to internal audits in the narrow sense, although this department may be the one to
actually conduct internal audits. In practice, the internal ISMS audits are a primary task of the
ISMS officer/CISO, who plans and manages audits, in cooperation with an internal audit team
or with external support if necessary.
74
Available at Dr. Tim Sattler (CISA, CISM, CRISC, CGEIT, CISSP). A practical guideline for implementing an
ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC
27001:2013. Japan Chapter. Page 15.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
Documentation of the audit program(s) (Clause 9.2 g)
Documentation of audit results (Clause 9.2 g)
Documentation requirements
According to ISO/IEC 27001:2013, no minimum documentation requirements apply.
Additionally, the following documents have proven useful in practice:
Incident response plan (IRP), including up-to-date (!) contact lists and escalation plans
Rules of conduct if security-related irregularities occur
Process descriptions and procedures for securing evidence
IS incident reports75
Consequently, an organization that wants to operate a standard-compliant ISMS must
define organizational measures that form the basis for implementing the CIP in a targeted,
scheduled way. The implementation of these measures and the subsequent results must be
monitored and appropriately documented. The organization must also prove that it has
implemented measures to ensure that any flaws detected will not reoccur.
Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
75
Available at Hubert Burda Media, Holger Schrader (CISM, CRISC). A practical guideline for implementing an
ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC
27001:2013. Japan Chapter. Page 16.
The content of this section follows the same order and numbering as the controls
required to certify an ISMS against ISO 27001:2013, as they are listed in the standard:
A.5. Information security policies
The controls in this section aim to provide direction and support to the ISMS by the
implementation, communication, and controlled review of information security policies.
76
The SOA is used to identify the controls which are selected to address the risks that were identified in the risk
assessment process; it explains why those controls have been selected, states whether or not they have been
implemented, and explains why any Annex A controls have been omitted. Available at
https://www.vigilantsoftware.co.uk/blog/the-statement-of-applicability-in-iso-270012013. Accessed on 25/02/2018
77
Information Security is defined as “Preservation of Confidentiality, Integrity and availability of information”.
Available at Clause no. 2.33 of ISO/IEC 27000:2016.
78
Teleworking refers to working from home using telecommunications equipment, or to the use of mobile
telecommunications technology to be able to work from restaurants, coffee shops or other public locations.
Available at https://www.techopedia.com/definition/2120/teleworking. Accessed on 25/02/2018
A.10. Cryptography
The controls in this section aim to provide the basis for proper use of cryptographic control or
solutions to protect the confidentiality, authenticity, and/or integrity of information.
A.18. Compliance
The controls in this section aim to provide a framework to prevent legal, statutory, regulatory,
and contractual breaches, and to ensure independent confirmation that information security is
implemented and is effective according to the defined policies, procedures, and requirements of
the ISO 27001 standard.82
In each section of the ISO/IEC 27002 standard, there is a security control category that contains:
82
Available at http://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001.
Accessed on 25/02/2018
83
Available at Eric Lachapelle, Mustafe Bislimi. (2016). Whitepaper on ISO 27002:2013. PECB.
http://zih.hr/sites/zih.hr/files/cr-collections/3/iso27002.pdf. Accessed on 25/02/2018
case of ISO 27001, it defines the information security management system (ISMS) –
therefore, certification against ISO 27001 is possible.
This management system means that information security must be planned, implemented,
monitored, reviewed, and improved. It means that management has its distinct responsibilities,
that objectives must be set, measured and reviewed, that internal audits must be carried out and
so on. All those elements are defined in ISO 27001, but not in ISO 27002. The controls in ISO
27002 are named the same as in Annex A of ISO 27001 – for instance, in ISO 27002 control
6.1.6 is named Contact with authorities, while in ISO 27001 it is A.6.1.6 Contact with
authorities. But, the difference is in the level of detail – on average, ISO 27002 explains one
control on one whole page, while ISO 27001 dedicates only one sentence to each control.
Finally, the difference is that ISO 27002 does not make a distinction between controls applicable
to a particular organization, and those which are not. On the other hand, ISO 27001 prescribes a
risk assessment to be performed in order to identify for each control whether it is required to
decrease the risks, and if it is, to which extent it should be applied.
Why is it that those two standards exist separately, and why haven’t they been merged, bringing
together the positive sides of both standards? The answer is usability: if it were a single standard, it
would be too complex and too large for practical use.
Every standard from the ISO 27000 series is designed with a certain focus: if we want to build the
foundations of information security in our organization and devise its framework, we should use
ISO/IEC 27001:2013; if we want to implement controls, we should use ISO 27002; if we want to
carry out risk assessment and risk treatment, we should use ISO 27005; and so on.
To conclude, one could say that without the details provided in ISO 27002, controls defined in
Annex A of ISO 27001 could not be implemented; however, without the management framework
from ISO 27001, ISO 27002 would remain just an isolated effort of a few information security
enthusiasts, with no acceptance from the top management and therefore with no real impact on
the organization.
Modern banking organizations connect internal human resources, material resources and
work processes with management strategies, set objectives for enhancing the effectiveness
of their business, and invest substantial resources to develop and operate information systems to
84
Available at http://cnii.cybersecurity.my/main/resources/ISMS.pdf Accessed on 23/02/2018.
support the foregoing process. These organizations gain work efficiency by sharing information
through properly functioning information systems.85
R – Risk perspective: Protection requirements and risk exposure of the Bank’s assets and
IT systems.
85
Available at https://www.sciencedirect.com/science/article/pii/S0895717712002014. Accessed on 23/02/2018.
86
Authenticity is assurance that a message, transaction, or other exchange of information is from the source it claims
to be from. Authenticity involves proof of identity. Available at https://www.brighthub.com/computing/smb-
security/articles/31234.aspx Accessed on 23/02/2018.
87
Nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the
authenticity of their signature on a document or the sending of a message that they originated. Available at
https://searchsecurity.techtarget.com/definition/nonrepudiation Accessed on 23/02/2018.
88
COSO-ERM stands for the Committee of Sponsoring Organizations of the Treadway Commission (Enterprise
Risk Management), a framework which provides guidance to enable cyber and information security professionals to
communicate risks and threats in language that stakeholders can understand and take action on. Available at
https://www.csoonline.com/article/3227050/risk-management/aligning-cybersecurity-strategy-and-performance-
with-updated-coso-erm-guidance.html. Accessed on 24/02/2018.
89
COBIT stands for Control Objectives for Information and Related Technologies; it is a framework which provides
guidelines for developing, implementing, monitoring and improving information technology (IT) governance and
management practices.
90
Available at https://www.isaca.org/Journal/archives/2011/Volume-4/Pages/Planning-for-and-Implementing-
ISO27001.aspx Accessed on 24/02/2018.
Technical and organizational measures (hereinafter referred to as TOMs) to achieve and maintain
smooth and consistent information processing must be effective in order to achieve the required
level of protection; they must also be efficient. ISO/IEC 27001:2013, and the TOMs
comprehensively and systematically laid out therein (various versions and quality levels of which
are part of operating any ISMS), support the process of achieving the objectives initially laid out
in terms of all three perspectives:
[Figure: the three perspectives surrounding Bank Management: Bank’s Objective, Bank’s Risk, and Bank’s Legal & Contractual Procedures]
The governance perspective refers to the control aspects of the ISMS, such as the close
involvement of top management, consistent business and information security objectives,
an effective and target group-oriented communication strategy, and appropriate policies
and organizational structures.
The risk perspective, which serves as a basis for transparent decision-making and
prioritization of technical and organizational measures, is one of the key aspects of an
ISMS in accordance with ISO/IEC 27001:2013. It is represented by IS risk management
and includes standards and methods for identifying, analyzing, and assessing risks in the
context of information security – meaning risks that present a potential threat to the
confidentiality, integrity, availability, authenticity and/or Non-repudiation of IT systems
and information and, ultimately, the business processes that depend on them.
91
Available at Gerhard Funk. (2016). A practical guideline for implementing an ISMS in accordance with the
international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Germany Chapter (1).
In April 2010, RBI announced the creation of a Working Group on Information Security,
Electronic Banking, Technology Risk Management and Tackling Cyber Fraud. The Group
was set up under the Chairmanship of the Executive Director Shri G. Gopalakrishna. The
Group delved into various issues arising out of the use of Information Technology in banks and
made its recommendations in nine broad areas. These areas are IT Governance, Information
Security, IS Audit, IT Operations, IT Services Outsourcing, Cyber Fraud, Business Continuity
Planning, Customer Awareness programmes and Legal issues.92
The mentioned group had submitted its report to the RBI in which under the head of “Major
Recommendations of the Working Group On Information Security” it is stated that:
Commercial banks should implement ISO 27001 based Information Security Management
System (ISMS) best practices for their critical functions. Additionally, other reputed security/IT
control frameworks may also be considered by banks.93
The guidelines issued by the Reserve Bank of India on Risks and Controls in Computers and
Telecommunications vide circular DBS.CO.ITC.BC.10/31.09.001/97-98 will apply mutatis
mutandis (the necessary changes having been made) to mobile and internet banking. The
guidelines issued by RBI on know your customer (KYC), anti-money laundering (AML) and
combating the financing of terrorism (CFT) from time to time will also be incorporated into
mobile-based banking services. The guidelines direct banks to implement a system of
document-based registration with mandatory physical presence of their customers before
commencing mobile-banking service. With a view to simplifying the procedure of registration for
Mobile Banking, the Reserve Bank of India has advised the National Payment Corporation of India
(NPCI) to develop the mobile banking registration service/option on the National Financial Switch
(NFS). NPCI’s aim is to create large-scale infrastructure and operate at high volumes,
resulting in payment services at a fraction of the present cost structure.
92
Available at https://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=610&UrlPage= . Accessed on
25/02/2018.
93
Id
In cases where the customer files a complaint with the bank disputing a transaction, it will be the
responsibility of the service-providing bank to address the customer grievance. Banks should
formulate charge-back procedures for addressing such customer grievances. The grievance-
handling procedure, including the compensation policy, should be disclosed. Customers’
complaints/grievances arising out of the mobile-banking facility will be covered under the Banking
Ombudsman Scheme.94
Develop and implement an ISMS to meet the requirements of the standard and have it
certified;
Develop and implement the ISMS but do not seek certification.
The argument in favour of certification is that this route enables other organizations (customers,
partners and suppliers) to obtain, without having to carry out their own audit, a level of
reassurance about the effectiveness and completeness of the ISMS. It can also be presented as
evidence of compliance with many aspects of information-related regulation. The argument
against is that a “badge on the wall” is not necessary to prove to the organization that its ISMS is
adequate or that it is doing a good job of preserving information security.
ISO/IEC 27001:2013 is drafted, as is all guidance on implementation, on the assumption that the
organization implementing an ISMS in accordance with ISO/IEC 27001:2013 will seek
certification. ISO/IEC 27002:201395 provides guidance for organizations that simply wish to
develop an ISMS that uses best practice controls. Any organization that claims that it has an
ISO/IEC 27001:2013 compliant ISMS but which has not subjected itself to certification should,
under the risk assessment requirement of the standard, be treated like any other organization that
does not have an adequate ISMS until it is proven otherwise.
Four broad reasons were identified in the previous section for implementing an ISO/IEC 27001:2013
conforming ISMS. While two of them (customer confidence and demonstration of regulatory best
practice) can only be achieved through certification, the other two could perhaps be achieved
without it. However, as most people recognize, independent third-party verification has a reliable
track record in helping organizations make a success of almost any initiative. Third-party
certification is an absolute necessity for any ISO/IEC 27001:2013 ISMS; it not only provides the
94
The Banking Ombudsman Scheme enables an expeditious and inexpensive forum to bank customers for
resolution of complaints relating to certain services rendered by banks. The Banking Ombudsman Scheme is
introduced under Section 35 A of the Banking Regulation Act, 1949 by RBI with effect from 1995. Available at
https://www.rbi.org.in/Scripts/FAQView.aspx?Id=24, accessed on 25/02/2018.
95
The Information Security standard ISO/IEC 27002:2013 is the “Code of Practice for Information Security
Controls”. It was first published by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) in December 2000 as ISO 17799. Today, ISO/IEC 27002 is part of the
ISO27XXX series. Available at http://zih.hr/sites/zih.hr/files/cr-collections/3/iso27002.pdf. Accessed on 25/02/2018
management and the business with an initial, as well as an ongoing, target at which to aim, but it also
ensures that the standard is properly understood and effectively implemented.96
ISO 27001:2013 provides organizations with guidance on how to manage information security
risks, with the ultimate goal of preserving the confidentiality, integrity, and availability of
information by applying a risk management process, and of giving confidence to interested parties
that those risks are adequately managed. And, by implementing all the clauses of the standard and
truly understanding their impacts, any organization can achieve many other benefits.
Certification and compliance can bring reputational, motivational, and financial benefits to the
organization through customers that have greater confidence that the organization can protect their
information at agreed security levels, along with improvements in its supply chain security. All
of these elements are closely related to the organization’s ability to deliver satisfaction to its
customers, and to fulfill the expectations and wishes of stakeholders, while protecting the
organization’s capacity for doing business in the long run.
96
Available at Alan Calder, Implementing Information Security Based on ISO 27001/ISO 27002 – A Management
Guide, Van Haren Publishing, Second Edition, 2009, ISBN 978-90-8753-540-7. At page 8.
In this chapter we will perform the implementation of an ISMS in accordance with ISO/IEC
27001:2013 in the Indian banking industry. For this we first have to understand the components
of an ISMS; afterwards the researcher will elaborate the working culture in a banking environment,
which will then be followed by the core processes of ISMS implementation: establishing the
context of the organization, drawing the scope of the ISMS for a bank, the objectives of the ISMS, the needs
of stakeholders, the assets of a banking organization, and the Statement of Applicability (SoA) report of the applied
controls.
ABC Bank, which now conducts most of its operations online, has been using the internet for more than a
decade, and security is the key building block upon which the bank depends. Information security
is valued highly, receives operational and financial backing, and is treated as a significant asset of
the organization.
Mr. RST, Manager- IT, explains, “Financial business can’t sustain without security checks. 24x7
monitoring is needed to safeguard the information. If we fail to comply with the security
guidelines we can face heavy fines and severe damage to our reputation”. According to him, the
integrity, confidentiality and availability of business information need to be preserved in order to give
reliable banking services to customers. For this, he and his colleague Mr. XYZ, Senior
Manager, IT, mainly insisted on risk analysis, regular updating of applications and processes,
access checks and business continuity. Above all, they added that ABC Bank is in the initial
process of achieving ISO/IEC 27001 information security certification, which offers a
comprehensive approach to information security. Mr. RST continues, “This certification will
assure the customers of our quality of service in security.”
Apart from that, information security issues are discussed and new strategies are devised in the
quarterly board meetings. The status of new initiatives (i.e., implementation of the ISMS in
accordance with ISO/IEC 27001:2013) taken in the past, security incidents, audit reports and
logging reports are reviewed and analyzed in these meetings. Moreover, top
management is also accountable for the approval of new projects based on the cost benefit analysis
document produced by the cost benefit analysis (CBA) team and risk analysts. The CISO directly
heads the Information Security team, the Risk Management team and the Network team.
The Information Security team is responsible for continuously monitoring the logs of the tasks
performed on different machines and for assigning access rights to employees. Log monitoring is
documented monthly, or sometimes quarterly, in the form of reports that are submitted to the CISO
for further review. Moreover, the Information Security team manages the login credentials of
employees and other users. Each employee is assigned a unique domain login identity, and an employee’s work is
identified by the logs associated with his/her domain login. The Information Security team also ensures that all
USB ports on employees’ systems are disabled and that employees cannot install any software, not even from the internet.
Such restrictions are lifted and administrative rights are granted to an employee only for a
limited period of time and upon approval from the Deputy General Manager. The Information Security
team also arranges different training programmes for employees. Mostly, the trainings are
given by third party trainers and by the bank’s staff colleges located in different parts of the country. Any
policy updates, notices or circulars are distributed among employees via group emails and
updates to the bank’s portal. If an update requires in-person communication or training, the training is
mainly provided to the “Zonal Officers”, who communicate the same to the
employees of their respective branches. Generally, the policy is updated annually by the experts in the
month of April, at the start of every financial year.
On the other hand, the Risk Management (RM) team performs risk analysis against the cost involved
for newly proposed projects. Also, if a security incident is reported, the RM team analyses
the criticality of the incident and performs root cause analysis (RCA) of it. If it is
found that the incident is highly critical, or that something erroneous has been done intentionally by
an employee, strict action (sometimes termination of service) is taken against the
offender. Whenever an employee is terminated or leaves the organization, the IS team is
informed immediately so that his/her login credentials can be deleted at once.
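The two operational controls described above (unique domain logins with time-boxed, DGM-approved administrative rights, and immediate deletion of a leaver’s credentials) are exactly the kind of thing an access review should verify. The following is an added example, not part of the dissertation or of any ABC Bank system: it reconciles a constructed HR roster against a constructed identity-system export and flags accounts the IS team should act on. The 30-day ceiling for an admin grant and the employee/account records are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Employee:
    emp_id: str
    status: str                  # "active" or "terminated" (from the HR roster)
    last_day: Optional[date] = None


@dataclass
class AdminGrant:
    approved_by: str             # designation of the approving officer
    granted_on: date
    expires_on: date


@dataclass
class Account:
    login: str                   # domain login identity
    emp_id: str                  # owner according to the identity system
    admin: Optional[AdminGrant] = None   # temporary administrative rights, if any


REQUIRED_APPROVER = "Deputy General Manager"
MAX_GRANT_DAYS = 30              # assumed ceiling for a time-boxed admin grant


def review_accounts(employees: List[Employee], accounts: List[Account],
                    today: date) -> List[Tuple[str, str]]:
    """Return (finding_code, login) pairs the IS team should act on.

    Checks: shared logins (they break log attribution), accounts of leavers
    still present, accounts with no HR owner, and admin grants that lack DGM
    approval, have expired, or were issued for longer than the assumed ceiling.
    """
    findings: List[Tuple[str, str]] = []

    # Each employee must have a distinct login, otherwise logs cannot be attributed.
    for login, count in Counter(a.login for a in accounts).items():
        if count > 1:
            findings.append(("DUPLICATE_LOGIN", login))

    roster = {e.emp_id: e for e in employees}
    for acct in accounts:
        owner = roster.get(acct.emp_id)
        if owner is None:
            findings.append(("ORPHAN_ACCOUNT", acct.login))
            continue
        if owner.status == "terminated":
            # Credentials should have been deleted on the last working day.
            findings.append(("LEAVER_ACCOUNT_ACTIVE", acct.login))
            continue
        grant = acct.admin
        if grant is None:
            continue
        if grant.approved_by != REQUIRED_APPROVER:
            findings.append(("ADMIN_WITHOUT_DGM_APPROVAL", acct.login))
        if grant.expires_on < today:
            findings.append(("ADMIN_GRANT_EXPIRED", acct.login))
        if (grant.expires_on - grant.granted_on).days > MAX_GRANT_DAYS:
            findings.append(("ADMIN_GRANT_TOO_LONG", acct.login))
    return findings


def sample_review() -> List[Tuple[str, str]]:
    """Run the review over a constructed roster and account export (sample data only)."""
    today = date(2018, 4, 15)
    employees = [
        Employee("E001", "active"),
        Employee("E002", "terminated", last_day=date(2018, 4, 10)),
        Employee("E003", "active"),
        Employee("E004", "active"),
    ]
    accounts = [
        Account("e001", "E001", AdminGrant(REQUIRED_APPROVER, date(2018, 4, 1), date(2018, 4, 20))),
        Account("ops", "E001"),                      # shared login, also used below
        Account("e002", "E002"),                     # leaver whose account still exists
        Account("e003", "E003", AdminGrant(REQUIRED_APPROVER, date(2018, 3, 1), date(2018, 3, 10))),
        Account("ops", "E003"),
        Account("e004", "E004", AdminGrant("Branch Manager", date(2018, 4, 1), date(2018, 6, 30))),
        Account("e999", "E999"),                     # no such employee in the roster
    ]
    return review_accounts(employees, accounts, today)


if __name__ == "__main__":
    for code, login in sample_review():
        print(f"{code:28} {login}")
```

Run monthly alongside the log-monitoring report, a check like this turns the HR notification described above into something verifiable: a leaver’s account that survives past the last working day shows up as a finding rather than going unnoticed until the next audit.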
The Network team plays a crucial role in preserving information security over the internet and
business continuity through disaster recovery and high availability multiprocessors. This team
monitors fluctuations in the business support network and provides maintenance as needed. In
case of emergencies such as floods, famines or any other hazards that affect server availability,
the network load is shifted to the Disaster Recovery (DR) servers set up at a different location in
India itself. The Disaster Recovery servers are clones of the primary servers: any update made on
a primary server is available on the secondary (DR) server within a few minutes. Moreover, the
team ensures that antivirus and system updates are installed periodically on systems throughout the
organization. The Network team also maintains multilayered hardware and software
firewalls, which prevent unauthorized access, misuse and modification, and block access to
irrelevant or malicious web pages.
analysis for the same and has helped the bank to potentially improve its security
processes. As a part of the progression, the operations, processes and different standards
of the organization have been documented in the recent past. ABC Bank has finally
reached the concluding stage of this accreditation and will soon be known for its quality
of security.
vii. HR Processes— The Human Resource team has also played a significant role in maintaining
IS standards in ABC Bank. While recruiting new staff, including contractors,
temporary staff and cleaning staff, the HR team is responsible for arranging police
verification of these people for any criminal record. Also, when an employee resigns
from the bank, he or she is closely monitored during the 3-month notice period so that he or she is not
involved in any misconduct while leaving the bank. HR officials also ensure that all
credentials are deleted and that all assets, including the access rights assigned to the
employee, are taken back on the last day of his/her service.
Having planned and prepared for the Information Security Management System
implementation, the bank now has to achieve its goals of having an effective Information Security
Management System and reaching the level of being certified to ISO/IEC 27001. As for the
future, the further focus of ABC Bank is to update its processes periodically and to manage the
insider threat, which is still a major issue for the whole banking industry, since observing and
controlling human behaviour is much more complicated. Another concern of the ABC Bank security
team is to control and manage the tailgating issue. Tailgating is sometimes authorized and sometimes
unauthorized depending on the circumstances, but it is a serious subject because managing access for
visitors is a complex task. The bank has a proper control mechanism for such
problems for employees and third party staff, but visitors are often accompanied by a
staff member possessing an access card to the working space. This is officially a legitimate
tailgating case but may be a potential threat to the organization’s security. The bank is looking
to overcome this problem and come up with a resolution in the near future by enhancing its
security control mechanism through the implementation of the Information Security Management
System across all of its departments and the organization as a whole.
i. Withdrawal and Deposit Department: this department is responsible for cash operations
for the customers of ABC Bank. If a customer wants to withdraw an amount from his or her
account, the customer contacts the window especially dedicated to cash withdrawal.
There is another window beside the withdrawal window which is responsible
for accepting deposits from customers.
By studying the operations of this department we can see how much sensitive
information it handles, such as:
The name of the customer.
ii. Loan Department: this department is responsible for all operations related to loans, such as
sanction of a loan, recovery of a loan and transfer of a loan to Non-Performing Asset status for
ABC Bank. The Loan Department holds various items of sensitive personal information, such as:
Permanent Account Number of the customer.
Loan account number of the customer.
The login credentials of the employee.
The cheques given by the customer for paying the respective EMIs of the loan.
iii. Information Technology Department: the IT department of ABC Bank is responsible for
all its IT-related operations. The main function of the IT department is to enable the
uninterrupted functioning of all those services of ABC Bank which are totally dependent upon
IT, such as the Withdrawal and Deposit Department, whose every operation
depends on IT, i.e., on computers and the active network connection through which
ABC Bank provides its instant withdrawal and deposit services to its customers.
The IT Department has constituted an Information Security team which is headed by the
Chief Information Security Officer of ABC Bank. IT is used to carry out transactions
using personal sensitive data or information.
The programme specifically covers all Information and Information Systems (IS) environments
operated by ABC Bank or contracted to a third party by ABC Bank. The term “IS environment”
defines the total environment and includes, but is not limited to, all documentation, physical and
logical controls, personnel, hardware (e.g. Mainframe, distributed, desktop, network devices, and
wireless devices), software, and data/information.
3.2.3. Context of the ABC Bank: ABC Bank is an India based private sector bank which has
its Head Office at Bhopal (M.P.), India. The main operations of the bank are the same as those of all other
banks; the difference is that ABC Bank performs a major share of its operations with the
help of IT, i.e., computers, networks and other software, including Enterprise Resource
Management software, to carry out its operations and transmit information about them among
its branches and employees.
Internal Context: Board Members, CISO, Information Security Team, Network Team
and all other employees of ABC Bank, including its premises
External Context: Legal Regulations and Compliances, Vendors,
97 Available at https://advisera.com/27001academy/free-downloads/, accessed on 12/03/2018.
3.2.8. SOA
The Statement of Applicability (SoA) is used to identify the controls selected to address the risks identified in the
risk assessment process; it explains why those controls were selected, states whether or not
they have been implemented, and explains why any Annex A controls have been omitted. Here we
will demonstrate which controls of ISO/IEC 27001:2013 have been implemented in ABC Bank and, where a
control has been omitted, the reason for omitting that particular control will also be stated in an
appropriate manner.
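The paragraph above lays down the rules an SoA has to satisfy: every Annex A control appears either as selected (with a justification and an implementation status) or as excluded (with a reason), and a control that the risk treatment plan relies on cannot be excluded. The following is an added example, not part of the dissertation or of ABC Bank’s documentation, that checks a constructed SoA against those rules. The control identifiers and titles are a small subset of ISO/IEC 27001:2013 Annex A; the entries, the justification text and the risk-register ids (R-03 and so on) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed subset of ISO/IEC 27001:2013 Annex A control identifiers and titles.
# The real Annex A lists 114 controls; a handful suffice to show the checks.
ANNEX_A: Dict[str, str] = {
    "A.5.1.1": "Policies for information security",
    "A.6.2.2": "Teleworking",
    "A.9.2.6": "Removal or adjustment of access rights",
    "A.12.4.1": "Event logging",
    "A.14.2.7": "Outsourced development",
    "A.17.1.2": "Implementing information security continuity",
}

VALID_STATUS = {"implemented", "planned"}


@dataclass
class SoaEntry:
    control: str        # Annex A identifier
    applicable: bool    # True = selected, False = excluded
    justification: str  # why it was selected, or why it was excluded
    status: str = ""    # "implemented" or "planned" for selected controls, else ""


def check_soa(entries: List[SoaEntry], catalogue: Dict[str, str],
              treated_risks: Dict[str, str]) -> List[str]:
    """Return findings for an SoA; an empty list means it is consistent.

    treated_risks maps a risk-register id to the control chosen for it in the
    risk treatment plan, so that excluded controls can be checked against it.
    """
    findings: List[str] = []
    seen: Dict[str, SoaEntry] = {}
    for e in entries:
        if e.control not in catalogue:
            findings.append(f"{e.control}: not an Annex A control in the catalogue")
            continue
        if e.control in seen:
            findings.append(f"{e.control}: listed more than once")
        seen[e.control] = e
        if not e.justification.strip():
            findings.append(f"{e.control}: missing justification")
        if e.applicable and e.status not in VALID_STATUS:
            findings.append(f"{e.control}: selected control needs status implemented/planned")
        if not e.applicable and e.status:
            findings.append(f"{e.control}: excluded control must not carry an implementation status")
    # Every Annex A control must appear, either selected or excluded with a reason.
    for cid in catalogue:
        if cid not in seen:
            findings.append(f"{cid}: missing from SoA (include it or exclude it with a reason)")
    # A control chosen in the risk treatment plan cannot be excluded from the SoA.
    for risk_id, cid in treated_risks.items():
        entry = seen.get(cid)
        if entry is None or not entry.applicable:
            findings.append(f"{cid}: treats risk {risk_id} but is excluded or missing")
    return findings


def sample_findings() -> List[str]:
    """Check a constructed SoA with several deliberate defects (sample data only)."""
    entries = [
        SoaEntry("A.5.1.1", True, "Bank-wide policy approved by the board", "implemented"),
        SoaEntry("A.6.2.2", False, "Branch staff do not telework; no remote access is provided"),
        SoaEntry("A.9.2.6", True, "HR informs the IS team on the last working day", "implemented"),
        SoaEntry("A.12.4.1", True, "", "implemented"),                  # no justification
        SoaEntry("A.14.2.7", False, "No development is outsourced", "planned"),  # excluded but has status
        # A.17.1.2 is absent although the treatment plan relies on it
    ]
    treated_risks = {"R-03": "A.9.2.6", "R-07": "A.17.1.2", "R-12": "A.14.2.7"}  # constructed ids
    return check_soa(entries, ANNEX_A, treated_risks)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The last check is the one auditors most often trip implementers on: an exclusion may look well reasoned on its own, yet contradict the risk treatment plan that the SoA is supposed to summarise. Keeping the treatment plan as input to the check, rather than reading the SoA in isolation, catches that.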
Zuccato98 claimed that security management approaches that depend only on risk analysis, such
as ISO 27001, are not convenient for e-Business, since they depend only on the value of assets,
threats, and the probability of threats exploiting vulnerabilities. However, this is not
completely true. Risk analysis may consider other sources for eliciting security requirements and
threats. For instance, company reputation can be considered an asset to be protected, customers can be
involved in the risk analysis, and market forces can be taken into account.
Furthermore, the standard is intended for organizations of all sizes.99 From a practical rather than
financial point of view, it might be more convenient and easier for SMEs to adopt this standard. In
a small company it is easier to manage an ISMS, since there is a small number of assets to be
considered. However, cost and lack of awareness of the standard’s contents act as the main barriers
to adopting the standard.100
There are various challenges that await ISMS implementers. Among those the researcher has
observed during the implementation are:
98 Zuccato, A. (2006). Holistic Security Management Framework Applied in Electronic Commerce.
Computers & Security, 26, 256-265.
99 ISO/IEC 27001:2005 Information Technology, Security Techniques, Information Security
Management Systems, Requirements. http://www.iso.org/iso/catalogue_detail?csnumber=42103.
100 DTI Information Security Breaches Survey (2006) Technical Report. UK Department of Trade and
Industry.
Conclusion and Suggestions
5.1. Conclusion
ISO/IEC 27001:2013 is an information security standard that was published on the
25th September 2013. It supersedes ISO/IEC 27001:2005. To be compliant with ISO 27001:2013
an organization has to fulfil a set of requirements. Those requirements can be found in the
seven clauses of ISO 27001:2013, namely Context, Leadership, Planning, Support,
Operation, Evaluation, and Improvement. It is hard to ignore the fact that all the organizations
involved in running the ISMS programme have benefited tremendously from it. Not only
have the participating organizations learnt a valuable methodology to secure and manage their
information systematically, but they have also managed to form a forum to discuss the
issues and problems they face with ISMS implementation. The programme coordinators,
consultants, trainers and auditors have gained valuable experience as well.
ISO 27001:2013 provides organizations with guidance on how to manage information security
risks, with the ultimate goal of preserving the confidentiality, integrity, and availability of
information by applying a risk management process, and of giving interested parties and
customers confidence that those risks are adequately managed. By implementing all the clauses of the
standard and truly understanding their impact, an organization can achieve many other
benefits as well. Certification and compliance can bring reputational, motivational, and financial
benefits to organizations through customers who have greater confidence that the organization can
protect their information at agreed security levels, along with improvements in the organization’s
supply chain security. All of these elements are closely related to the organization’s ability to
deliver satisfaction to its customers and fulfil the expectations and wishes of its stakeholders,
while protecting the organization’s capacity for doing business in the long run.
In this report an ISMS in accordance with ISO 27001:2013 has been implemented hypothetically
in a bank named “ABC Bank”. During the implementation the researcher faced issues such as the
categorisation of assets and the assignment of responsibility, and the major issue faced by the
researcher is how to secure the sensitive personal data of the customer, because there is no
straightforward instruction in the standard on securing the sensitive personal data of customers
or employees while it is at rest (stored on a drive) or in motion (in transmission). For this the
researcher has found that ABC Bank needs to comply with another standard, PCI DSS
(Payment Card Industry Data Security Standard), a widely accepted standard introduced by
payment card industry giants like Discover, MasterCard, JCB and VISA; the current version of
PCI DSS is V4. PCI DSS provides straightforward guidelines for securing sensitive
personal information (such as the customer’s credit card, debit card, Permanent Account Number
and Aadhaar number) while it is at rest (stored) or in motion (in transmission). Suggestions
for the removal of such issues are elaborated in the next section.
It is hoped and anticipated that in the near future more and more organizations in India,
especially those from the government and financial sectors, will view an ISMS as a necessity
that assists them in growing their operations and business and in securing the vital
information and assets that enable them to do so.
5.2. Suggestions
To ensure a better and effective ISMS implementation, it is recommended that the following
guidelines are followed to improve the process:
The researcher suggests that organisations should start working on the security of their
information systems along with the establishment of those systems; this approach
enables an organisation to achieve continual improvement and effective information security.
BIBLIOGRAPHY
BOOKS
Steve Watkins and Alan Calder, IT Governance: An International Guide to Data
Security and ISO 27001/ISO 27002, Kogan Publisher, Sixth Edition 2015, ISBN
978-0-7494-7405-8. Available at:
https://books.google.co.in/books/about/IT_Governance.html?id=OctwCgAAQBAJ&printsec=frontcover&source=kp_read_button&redir_esc=y#v=onepage&q&f=false.
Alan Calder, Implementing Information Security Based on ISO 27001/ISO
27002: A Management Guide, Van Haren Publishing, Second Edition, 2009,
ISBN 978-90-8753-540-7.
Shon Harris, All in One CISSP Exam Guide, McGraw-Hill Companies
Publications, Eighth Edition 2016, ISBN 978-0-07-178173-2.
Ja’far Alqatawna (2016). The Challenge of Implementing Information Security
Standards in Small and Medium e-Business Enterprises. Journal of Software
Engineering and Applications, ISSN 883-890.
Anthony Tarantino (2012). Governance, Risk and Compliance Handbook:
Technology, Finance, Environmental and International Guidance and Best
Practices. Sixth Edition, John Wiley & Sons Inc. ISBN 978-0-470-09589-8.
Steve G Watkins (2015). An Introduction to Information Security and ISO
27001:2013: A Pocket Guide. India: IT Governance Publishing. 10-85. ISBN 978-1-84928-526-1.
Edward Humphreys (2016). Implementing the ISO/IEC 27001 ISMS Standard. 2nd
ed. UK: Artech House. 10-85. ISBN 13: 978-1-60807-930-8.
Kai Roer (2015). Build a Security Culture. USA: ITGP. 10-35. ISBN
13: 9781849287166.
STANDARDS
ISO/IEC 27000:2016 Information Technology- Security Techniques- Information
Security Management Systems- Overview and Vocabulary.
ISO/IEC 27001:2013 Information Technology- Security Techniques- Information
Security Management Systems- Requirements.
ISO/IEC 27002:2013 Information Technology - Security Techniques Code of
Practice for Information Security Controls
ISO/IEC 27003:2017 Information technology - Security techniques - Information
security management systems – Guidance.
WEBSITES
https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WREB210111_ES.pdf
https://www.iso.org/
http://www.iec.ch/about/activities/?ref=menu
https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
https://advisera.com/27001academy/free-downloads/
https://advisera.com/27001academy/knowledgebase-category/iso-27001-implementation/
http://cnii.cybersecurity.my/main/resources/ISMS.pdf
http://www.ijens.org/vol_11_i_05/113505-6969-ijecs-ijens.pdf
http://www.securityfeeds.com/drupal7/sites/default/files/ISACA_ISO27001_HowTo.pdf
https://www2.deloitte.com/mt/en/pages/risk/articles/mt-risk-article-it-auditing-iso27001.html
https://www.itgovernance.co.uk/blog/iso-27001-five-tips-for-successful-implementation/
https://www.itgovernance.co.uk/shop/product/build-a-security-culture
http://www.uni-sz.bg/tsj/Vol9N4_2011/J.Karakaneva.pdf
https://www.sciencedirect.com/science/article/pii/S0895717712002014
https://www.bsigroup.com/en-IN/ISOIEC-27001-Information-Security/Introduction-to-ISOIEC-27001/
https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001
https://dqsus.com/certification/iso-27001/
https://digitalguardian.com/blog/what-glba-compliance-understanding-data-protection-requirements-gramm-leach-bliley-act
www.businessdictionary.com/definition/HIPPA-privacy-rule.html
searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act
https://www.techopedia.com/definition/29060/security-breach
http://zih.hr/sites/zih.hr/files/cr-collections/3/iso27002.pdf
ANNEXURE
ABC Bank
Document Control
Document History
Document Information
REVIEWED BY –
DIVISION / DESIGNATION DATE
NAME
APPROVED BY –
DIVISION / DESIGNATION DATE
NAME
Distribution List
NAME DIVISION
A.1.1. Purpose
The purpose of this policy is to manage information security within ABC Bank and
maintain appropriate security controls in the Information Systems (IS) environments
within ABC Bank and define the Vision and Mission for Information Security.
A.1.2. Scope
This Policy applies to all ABC Bank’s employees, temporary staff, trainees, interns,
employees of temporary employment agencies, vendors, business partners, and
contractor personnel, irrespective of geographic location.
This Policy specifically covers all Information and Information Systems (IS)
environments operated by ABC Bank or contracted to a third party by ABC Bank. The
term “IS environment” defines the total environment and includes, but is not limited to,
all documentation, physical and logical controls, personnel, hardware (e.g. Mainframe,
distributed, desktop, network devices, and wireless devices), software, and
data/information.
A.1.3. Policy Maintenance
Information Technology Department is responsible for the maintenance and
accuracy of this policy.
Any queries should be directed to Information Technology Department for
resolution.
A.1.4. Definitions
Definition of some of the common terms:
Information Asset: Any resource of information which has a value to the organization,
it can be any system or component, hardware, software, database or facility.
Availability: Ensuring that authorized users have access to information and associated
assets when required.
A.1.5. Policy Assumptions
1. The terms “must” and “shall” in this policy denote a mandatory action;
2. The term “should” in this policy denotes a recommended action;
3. This policy is based on documented conditions that are assumed to be true during
creation.
A.1.6. Policy Statements
This Policy stipulates guidelines for defining the roles and responsibilities pertaining to
information security for Information Technology Department. To ensure that
information security is properly implemented, all employees of ABC Bank must
understand and comply with the responsibilities identified in this document when their
duties entail one or more of the roles described below.
A.1.7.1. Vision:
To enable the successful achievement of the overall business goals by continually minimizing
security risks through a secure environment that protects revenues and ensures confidentiality,
integrity and availability of information system assets.
A.1.7.2. Mission:
To provide high quality, proactive, and optimal Information Security service to all the
customers by fully aligning the Information Security management, infrastructure, strategy
and processes with business and IT requirements.
A.1.8.1. Management Commitment
Management shall actively support information security within the organization through
clear direction, demonstrated commitment, explicit assignment, and acknowledgment of
information security responsibilities.
All members of the management team will be responsible for information security.
All information security responsibilities shall be clearly defined for all users.
Infosec Department will be responsible for directing and coordinating information
security initiatives. It will be specifically responsible for:
Reviewing and approving information security policies and overall responsibilities
through the ITSC (as per the charter);
Monitoring significant changes in the exposure of information assets to major threats;
Reviewing, monitoring and reporting information security incidents;
Approving major initiatives to enhance information security through the ITSC.
Description
ABC Bank, when under attack from the Internet, may need external third parties
(e.g. an Internet service provider or telecommunications operator) to take action
against the source of the attack.
A.1.10. Compliance Monitoring
Compliance with the Information Security Organization policy is mandatory. ABC Bank’s
managers must ensure continuous compliance monitoring within the organization.
Compliance with the policy will be a matter for periodic review by the Audit Committee of
ABC Bank as per the audit charter.
Violations of the policies, standards and guidelines of ABC Bank will result in
corrective action by management. Disciplinary action will be consistent with the
severity of the incident, as determined by the Human Resource Policy of ABC Bank.
A.1.11. Custodians
Policy Reference Custodian