MGT411: SANS 27000 Implementation & Management

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have recently revised what has become the de facto reference for creating and maintaining a secure enterprise: the ISO/IEC 27000 family of standards, whose core is ISO/IEC 27001 (the certifiable requirements for an Information Security Management System) and ISO/IEC 27002 (the accompanying code of practice for security controls).

The strength of these documents comes from the meticulous attention to detail of the many contributing authors and organizations, and from the standard's applicability to the realities of doing business today. It offers best-practice guidance on all manner of security issues and can help any organization that adopts it develop a genuinely security-minded corporate culture. Using our tested method for developing and applying controls under ISO 27000, you will learn to implement the standard's guidance with step-by-step, pragmatic examples and move quickly into compliance with the specification.

This track is designed for information security officers and other management professionals who want a how-to guide for implementing ISO 27000 effectively and quickly. While the standard is very well written, anyone who has actually tried to shift to an ISO 27000 structured security organization knows that there are significant hurdles to overcome. This track gives you the information you need to go back to your organization with a plan of action to get the job done. The course has proven especially valuable for organizations whose 27000 implementation is currently "stuck in the mud" or is simply taking longer than management would like.

Course Syllabus
Course Contents
  MGT411.1: Introduction to ISO/IEC 27000: Policy, ISMS & Awareness
Overview

Day one begins with a general introduction to and overview of the ISO 27000 series of standards. How to apply the standard and reconcile it with other comparable standards is discussed today and throughout the week. From the very beginning, the class is focused on "how to". Examine a twelve-step process (that works!) for implementing 27000 or almost any other standard. See how the Plan, Do, Check, Act (PDCA) cycle applies. Explore SANS' own version of PDCA, which extends the ISO 27000 methodology and gives you a strategy for attacking the rollout issues you will face under ISO 27000. Learn how to create, administer and manage an effective awareness program, and how to design the Information Security Management System (ISMS).

CPE/CMU Credits: 6

Topics

  • Overview of ISO 27000
  • Twelve Step implementation plan for ISO 27000
  • SANS ISO 27000 Methodology

 
  MGT411.2: SANS 27000 Controls & Process Improvement I
Overview

This day deals with a variety of personnel and issue-specific security topics. The aim is to apply the policy creation techniques from day one to specific areas of the organization as they affect employees, contractors and other co-sourced personnel. We will also cover business impact analysis methodology in relation to risk mitigation through policy and education, while examining possible process improvements and how they can be applied to the ISO 27000 controls.

CPE/CMU Credits: 6

Topics

  • Personnel Screening
  • Job Descriptions
  • Rotation of Responsibilities
  • Onsite Service by Outside Contractors
  • Responsibilities of Employees to the Organization
  • Communicating Security Objectives and Policy to Personnel
  • Issue Specific Policies

 
  MGT411.3: SANS 27000 Controls & Process Improvement II
Overview

Day three of the ISO 27000 implementation track covers access controls, user access management, remote access controls and network device security, approached from the point of view of incident planning and handling. Time will be spent explaining how to measure the core competencies within the organization and identifying the best ways to handle security incidents, from fully defining the incident handling policy to staffing the incident-handler teams. This topic leads naturally to a discussion of business continuity planning and business continuity management. To better define the actual controls that are put in place operationally, much of the day is spent on a variety of technical topics.

CPE/CMU Credits: 6

Topics

  • Authentication Methods
  • Operating System Access Controls
  • Application Access Controls
  • Security Monitoring Systems
  • Cryptographic Controls
  • Security of System Files
  • Network controls
  • Switches
  • Firewalls

 
  MGT411.4: SANS 27000 Controls & Process Improvement III
Overview

Day four completes the three-day walk through each individual control in the 27000 audit criteria, continuing to describe key controls, explain them, and discuss implementations and possible process improvements. We will address the issues surrounding continuous improvement of the methods used to develop security competency at both the organizational and the personal level.

CPE/CMU Credits: 6

Topics

  • Business Continuity Planning
  • Systems Development and Maintenance
  • Security in Application Systems
  • Security of System Files
  • Security in Support Processes
  • Compliance

 
  MGT411.5: Risk Management, Security Compliance & Audit Controls
Overview

This portion of the course focuses exclusively on risk analysis and risk management and relates them to compliance and audit controls. A variety of risk analysis strategies are evaluated and compared, including basic methods, detailed methods, paper methods, and software-based approaches. We analyze risk trees and relate all of these to the creation of strong preventive controls. The control measures used in class come directly from the ISO 27001 criteria (the Annex A control set).

CPE/CMU Credits: 6

Topics

  • Risk Analysis
  • Risk Management
  • Compliance and Audit Controls
  • FMECA (Failure Mode, Effects and Criticality Analysis)
  • Fault Trees
  • Event Trees
  • CCA
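As an added worked example (not course material, and not from SANS or the author), the script below shows two of the day-five techniques in code: a fault tree evaluated through AND/OR gates, with its minimal cut sets listed so that single-event cut sets stand out as the single points of failure a preventive control should target first, and an FMECA worksheet ranked by risk priority number (severity × occurrence × detection). Every component name, probability and S/O/D score is constructed for illustration. The gate arithmetic assumes the basic events are independent; common-cause failures violate that assumption and make the OR-gate figure optimistic, so treat the numbers as a ranking aid rather than a prediction.

```python
"""Fault-tree evaluation and FMECA ranking (added example; all figures constructed)."""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Event:
    """Basic event with an assumed probability over the assessment period."""
    name: str
    probability: float


@dataclass
class Gate:
    """AND or OR gate over basic events and/or other gates."""
    name: str
    kind: str            # "AND" or "OR"
    inputs: List["Node"]


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Top-event probability, assuming independent basic events.
    AND: product of inputs.  OR: 1 - product of (1 - p)."""
    if isinstance(node, Event):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal sets of basic events that together cause the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = [s for group in child_sets for s in group]
    else:  # AND: one cut set from every input must occur together
        sets = [frozenset()]
        for group in child_sets:
            sets = [a | b for a in sets for b in group]
    minimal = [s for s in sets if not any(t < s for t in sets)]  # drop supersets
    return list(dict.fromkeys(minimal))                          # dedupe, keep order


def single_points_of_failure(node: Node) -> List[str]:
    """Basic events that alone trigger the top event: first targets for controls."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)


def build_tree(mfa_enforced: bool) -> Gate:
    """Constructed tree for 'unauthorised access to the customer database'.
    The one control modelled is MFA: it drops the assumed probability that a
    phished password alone is sufficient from 0.50 to 0.05."""
    phished = Event("phished_credentials", 0.30)
    password_only = Event("password_sufficient", 0.05 if mfa_enforced else 0.50)
    exploit = Event("unpatched_db_exploit", 0.05)
    stolen = Event("laptop_stolen", 0.10)
    clear_disk = Event("disk_not_encrypted", 0.20)
    return Gate("db_breach", "OR", [
        Gate("credential_path", "AND", [phished, password_only]),
        exploit,
        Gate("portable_data_path", "AND", [stolen, clear_disk]),
    ])


@dataclass
class FailureMode:
    """One FMECA worksheet row; S, O and D are scored 1 (best) to 10 (worst)."""
    component: str
    mode: str
    severity: int
    occurrence: int
    detection: int   # 10 means the failure would go unnoticed

    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


FMECA_WORKSHEET = [  # constructed rows
    FailureMode("VPN gateway", "accepts password-only logins", 9, 6, 4),
    FailureMode("DB server", "critical patch missed", 8, 4, 3),
    FailureMode("Backup job", "fails silently", 7, 5, 9),
    FailureMode("Laptop fleet", "disk encryption disabled", 6, 3, 7),
]


def rank_by_rpn(rows: List[FailureMode]) -> List[FailureMode]:
    """Highest risk priority number first; ties keep worksheet order."""
    return sorted(rows, key=lambda r: r.rpn(), reverse=True)


if __name__ == "__main__":
    for enforced in (False, True):
        tree = build_tree(enforced)
        print(f"MFA enforced={enforced}: P(top)={probability(tree):.4f}, "
              f"single points of failure={single_points_of_failure(tree)}")
    for row in rank_by_rpn(FMECA_WORKSHEET):
        print(f"RPN {row.rpn():4d}  {row.component}: {row.mode}")
```

Running it shows the two questions a control owner actually asks: which single event would be enough on its own (here the unpatched database exploit, so patch management is the preventive control with no compensating path), and which failure mode deserves attention first once likelihood and detectability are weighed together (the silently failing backup outranks the password-only VPN despite a lower severity score, because nobody would notice it until it mattered).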

 
  MGT411.6: ISO 27000 Implementation
Overview

This last day is devoted to the hands-on construction of an ISMS. The instructor acts as the CEO and the Information Security Officer (ISO), organizing the class into committees. After the steering committee generates some initial control statements, the individual committees work to create simple high-level policies that are reviewed periodically throughout the day. Exercises in risk analysis and mitigation are presented as problems are discovered during the course of development.

CPE/CMU Credits: 6

Topics
  • Hands-On Construction of an ISMS
 
Additional Information
 
  Laptop Recommended

While a laptop will be useful, it is not required. We will still provide a CD of useful follow-on materials and tools mentioned during the week, but the hands-on exercises for this course revolve more specifically around how to perform useful risk assessments, how to create an ISMS charter, how to draft an effective policy under your ISMS, and so on.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 

Author Statement

Anyone who has ever tried to implement ISO-27000 in their organization recognizes that it is an outstanding security standard, but that the initial creation of the Information Security Management System (ISMS) to build and maintain compliance can be a long and painful process. What we tried to do with this track is to take real world examples of what works and why it works to teach students how to apply the same methodologies within their own organizations. We also give the students a risk driven methodology to assist in deciding which controls to implement and how to implement them effectively. The end result is that after taking this track you will fully understand all aspects of the ISO 27000 family of standards and be in a position to create a world class ISMS with maximum efficiency and minimum effort!

- David Hoelzer