Monday 29 October 2007

Nice simple FAQ for ISO27001

Good overview here thanks to Sevennine and some editing and updates by me.

What is information security?
Information is an asset which has value to an organisation and needs to be suitably protected. Information assets may be stored electronically, printed or written on paper, and transmitted by post or electronically.

Information security is the preservation of

Confidentiality – Ensuring that information is accessible only to those authorised to have access.
Integrity – Safeguarding the accuracy and completeness of information and processing methods.
Availability – Ensuring that authorised users have access to information and associated assets when required.

Maintaining the confidentiality, integrity and availability of information may be essential to your organisation's commercial position, legal compliance and profitability.

Many organisations are now being asked by their business partners to provide clear statements about their information security management position. Working to an established standard such as ISO 27001 gives you a structured, auditable way to build a comprehensive and thorough system that will satisfy regulators and business partners. Seven Nine can help you meet these challenges.

What is the scope of the standard?
ISO 27001 (2005 edition) groups its Annex A controls into eleven areas, listed below. Clauses 4 to 8 of the standard set out the management system requirements themselves: establishing and operating the ISMS, management responsibility, internal ISMS audits, management review and ISMS improvement.

  • Security Policy – Is there management direction and a written policy to provide support and direction for information security activities?
  • Organisation of Information Security – Is there an infrastructure to manage security within the organisation? - Includes the management forum and processes, third party access and outsourced arrangements.
  • Asset Management – Are organisational assets protected? - Includes inventory, ownership and classification.
  • Human Resources Security – Are the risks of human error or fraud reduced? - Includes personnel screening and terms and conditions, security training and incident reporting.
  • Physical and Environmental Security – Is unauthorised access to business premises controlled? - Includes physical security, secure areas, equipment security, maintenance and disposal.
  • Communications and Operations Management – Are information processing facilities operated in a correct and secure manner? - Includes operating procedures and change control, system planning, protection against malicious software, backup, media handling, information exchange and email security.
  • Access Control – Is access to business information and processes controlled on the basis of business and security requirements? - Includes user and password management, mobile users, and access to applications and network services.
  • Information Systems Acquisition, Development and Maintenance – Is security built into information systems? - Includes development and support processes, cryptography and data validation.
  • Information Security Incident Management – Are security events and weaknesses reported, and are incidents consistently managed?
  • Business Continuity Management – Are critical business processes protected from the effects of major failures or disasters?
  • Compliance – Does the firm take measures to avoid breaches of law, and of statutory, regulatory or contractual obligations?

What is the difference between BS 7799 and ISO 27001?
ISO 27001 is essentially the adoption of BS 7799 Part 2 as an ISO standard. The main change was to align the Annex A control areas with the 2005 edition of ISO 17799, which is how incident management became a separate area and the count went from ten to eleven. BS 7799-2:2002 has been withdrawn and superseded by ISO 27001 (published in the UK by BSI as BS ISO/IEC 27001:2005), although BSI continues to publish BS 7799-3:2006, a British guideline on information security risk management.

What is ISO 27002?
ISO 27002 is ISO 17799:2005 renumbered (in 2007) to bring it into the 27000 series; the content is identical. It is a code of practice, a set of guidelines for information security best practice. Firms can seek to comply with it, but cannot be certified against it: ISO 27001 is the standard that specifies auditable requirements and against which organisations are certified. Note: if you already have ISO 17799:2005 you do not need to buy ISO 27002, as the two are identical, unless you want the renumbered copy.

What is certification?
Certification is achieved through a process of external audit by an accredited certification body (in the UK, accreditation is granted by UKAS); a number of such bodies are accredited for ISO 27001 audit work. The certificate covers only the ISMS scope stated on it, so check that scope when relying on a partner's certificate. As with any external certification, regular surveillance audits and periodic re-certification audits are required to maintain the certification.

What is compliance?
Any firm can produce its own statement of compliance with ISO 27001. Implementing a compliant system requires much the same work as achieving certification, so your organisation has to weigh the relative commercial merits of compliance against certification. Remember that a statement of compliance represents only your own view; your partners may set greater store by the independent recognition that third-party audit provides.

Do I have to gain certification for the whole organisation?
No, you can choose to limit the scope of your implementation, for example to specific organisational units or geographical locations. Be aware that most information security components are closely connected across the whole firm, so too tight a scope may be difficult to justify to an auditor. The certificate states the scope it covers, so an artificially narrow scope also limits what the certificate proves to your partners.

Where can I find more information about ISO 27001?
Good starting points are the ISMS International User Group (www.17799.com) and BSI (www.bsi-global.com). If you want to order a copy of the standards, you can get one from BSI for around £200.

20 comments:

Alan Calder said...

This is a good set of ISO27001 FAQs. It's worth noting, small point though it is, that BS7799 still exists – ISO27001 is dual-numbered in the UK as BS7799-2:2005; ISO17799 has now been replaced by ISO27002, which has precisely the same content as ISO17799, and is dual-numbered in the UK as BS7799-1:2005. In addition, BS7799-3:2006 continues to exist as a British-only standard, dealing with Information Security Risk Assessment.

forfin said...

Nice FAQs of ISO27001.

If you need to find other ISO 27001 resources, I recommend the ISO 27001 Blog.

Data Eliminate said...

I commend your simple approach. I am writing a blog about implementing ISO 27001 with the same objective of making it more accessible and easy to understand. I think this blog is the first to be written from the perspective of an internal implementor.

The Blog's title is Implementing ISO 27001 Coal-Face Account From The Secure Data Destruction Industry.

Anonymous said...

Good FAQ regarding ISO 27001. I would like to read all the FAQs on ISO 27001, and I really like this article. For more information regarding ISO 27001 Certification

Taktika Management said...

Information Security Management is indeed a burning issue. That is why at Taktika Management we chose to top up our implementation services with a key standard: the Information Security Management ISO 27001 and the implementation of best practices in order to provide a competitive advantage to a firm.

Information Security aims to protect information against a whole range of potential threats, in order to maintain the flow of transactions, to reduce as much as possible the risk and to optimize the ROI as well as potential opportunities for the company.

In my view, ISO 27001 has become a benchmark in terms of Information Security Management systems, and Taktika Management (we are based in Montreal) can help you implement this standard.

As I see it, the benefits of implementing a standard for Information Security Management are:

  • Being certified helps a company to be trustworthy (from the stakeholders' point of view: shareholders, business partners, suppliers, governmental entities...)
  • Reducing costs by selecting the right security policies to manage your information and developing a consolidated auditing model

Thanks again for the post, and feel free to consult our website www.taktikamanagement.com!

Alpha Diallo, Senior IT Consultant, Taktika Management (Montreal).

Anonymous said...

Free invoice software (www.COOLINVOICES.COM), inventory software and billing software to create professional invoices in one second while tracking your customers.

Anonymous said...

Paragraph writing is also an excitement, if you are familiar with it; afterwards you can write, or else it is complex to write.

Here is my blog ... akribos watches

Anonymous said...

Useful information. Lucky me, I found your web site by accident, and I am surprised why this coincidence did not happen in advance! I bookmarked it.

Also visit my webpage: evjbs.taurus.uberspace.de

Anonymous said...

My brother suggested I might like this website. He was entirely right.

This post actually made my day. You can't believe just how much time I had spent looking for this info! Thank you!

my web blog www.sintorn.se

Anonymous said...

Woah! I'm really enjoying the template/theme of this blog. It's simple, yet effective.
A lot of times it's very hard to get that "perfect balance" between usability and visual appeal. I must say you have done a superb job with this. In addition, the blog loads very fast for me on Chrome. Exceptional Blog!

Also visit my site ... http://kurse.kahlweiss.ch/

Anonymous said...

I am actually grateful to the holder of this site who has shared this fantastic article at this time.

Also visit my weblog ... www.toodbook.com

Anonymous said...

I was extremely pleased to find this web site. I need to thank you for your time just for this fantastic read! I definitely appreciated every bit of it and I also have you saved to fav to check out new things on your website.


Here is my webpage; scptuj.si

Anonymous said...

I've read several good things here. Definitely worth bookmarking for revisiting. I am surprised how much effort you put in to create this kind of magnificent informative web site.

My blog partipirate.org

Anonymous said...

Hey, very nice blog!

Feel free to surf to my weblog Comclub7.com

Anonymous said...

Link exchange is nothing else except simply placing the other person's website link on your page at a proper place, and the other person will also do the same in support of you.

Stop by my blog - Relic watches

Anonymous said...

Hey! This is kind of off topic but I need some help from an established blog. Is it very difficult to set up your own blog? I'm not very technical but I can figure things out pretty fast. I'm thinking about creating my own but I'm not sure where to begin. Do you have any ideas or suggestions? With thanks

Feel free to visit my web site :: Rc car

ISO 27001 Certification said...

Implementation of an information security management system as per ISO 27001 Audit gives a systematic approach to minimising the risk of unauthorised access to or loss of information and ensuring the effective deployment of protective measures for securing it. It provides a framework for organisations to manage their compliance with legal and other requirements, and to improve performance in managing information securely.

Anonymous said...

You really make it seem so easy with your presentation, but I find this topic to be really one thing that I believe I'd never understand. It sort of feels too complicated and very huge for me. I am looking forward to your subsequent post; I will attempt to get the hang of it!

My blog: womens armitron watches

Anonymous said...

I do not know whether it's just me or if everybody else is encountering problems with your site. It appears as if some of the text within your posts is running off the screen. Can someone else please provide feedback and let me know if this is happening to them too? This could be an issue with my internet browser because I've had this happen previously.
Thanks

My web-site: akribos xxiv for women

Unknown said...

Useful information. Thanks for sharing.

ISO Certification