Krzysztof Maćkowiak


About speaker:
Krzysztof Maćkowiak earned his degree at the Department of Computer Science and Management of the Poznań Technical University. His interests center around data protection and cryptology. He is the founder of a popular Polish cryptography site. Krzysztof has presented talks on quantum and molecular cryptography at ENIGMA, SECURE and CONFidence. He was the lead editor of the crypto issue of the Software 2.0 magazine. He has written articles on information security and cryptology published in CSO, Networld, Boston IT Security Review, and Software 2.0. For the last two years he has been working with Doradztwo Gospodarcze DGA S.A. as a Security Consultant, focusing on IT security audits and implementations of security management systems that follow the ISO/IEC 27001:2005 standard (formerly BS 7799-2). He has taken part in several projects for clients from the energy industry, financial institutions, the IT industry, and government. He is a member of the Polish IT Society (PTI), MENSA Poland and ISACA International. He holds the following certifications: CISA (passed exam, certification path), ISO/IEC 27001:2005 Lead Auditor, CompTIA Security+.

Risk assessment as the basis for the introduction of an Information Security Management System based on the ISO/IEC 27001:2005 standard.

IT security is a very important, but not the only, aspect that influences the security of the information processed by an organization. Appropriate configuration and management of information systems is the key task of IT, but we should not forget other areas of security, such as personal security, security guaranteed by law, physical security, training, information processing procedures for workstation personnel, and procedures for paper-based information processing.
A quick analysis of newspaper headlines about well-known security incidents shows that they were caused by a lack of clear rules and low security awareness among staff. Simple failures of that kind result in personal information being discarded in trash bins, or in third parties gaining access to internal networks after being given passwords by personnel. The best solution to these problems appears to be the introduction of a comprehensive Information Security Management System (ISMS) that covers the areas of IT, personal, regulatory, and physical security.
The international ISO/IEC 27001:2005 standard, based on the British BS 7799-2 standard, is a global framework for the implementation of Information Security Management Systems.
The ISO/IEC 27001:2005 standard contains requirements in the following areas:

  • Security policy;
  • Security organization;
  • Asset classification and control;
  • Personal security;
  • Physical and environmental security;
  • System and network management;
  • System access control;
  • System development and maintenance;
  • Security incident management;
  • Business continuity management in the context of information security;
  • Regulatory and internal conformance.

Effective implementation of an ISMS in an organization is not an easy task. The ISO/IEC 27001:2005 standard specifies the requirements that a system should meet, but it does not point to ready-made solutions. The authors of the standard clearly identify risk assessment as the essential building block for ISMS development and management. Developing a risk assessment method and applying it in practice are without a doubt the key and most difficult elements in building an ISMS. It is especially difficult because most of the known risk assessment methods are so complex that their practical implementation would be very time-consuming, if not impossible.
During my talk I’d like to cover the following areas:

  • basic terminology related to the fields of information security and risk assessment,
  • rules for a systematic approach to information security (PDCA),
  • basic facts about ISO/IEC 27001:2005,
  • important requirements in each field,
  • standard requirements for risk assessment,
  • different approaches to risk assessment,
  • overview of an ISMS implementation process and common problems.