Musings and latest news and links from an information security professional
Monday, 26 November 2007
Business Continuity Standard Launched
BS25999 Part 2 Launched
It's here: the long awaited specification is now available.
BS25999 Part 2 has now been launched. Officially titled BS 25999-2:2007 ‘Specification for business continuity management’ it joins and complements Part 1, or BS 25999-1:2006 Business continuity management. Code of practice.
BS 25999-2 specifies requirements for establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented Business Continuity Management System (BCMS) within the context of managing an organization’s overall business risks.
The requirements specified in BS 25999-2 are generic and intended to be applicable to all organisations, regardless of type, size and nature of business. The extent to which these requirements apply depends on the organisation's operating environment and complexity.
BS 25999-2 can be used by internal and external parties, including certification bodies, to assess an organization’s ability to meet its own business continuity needs, as well as any customer, legal or regulatory needs.
Over the next few weeks we will be updating our Part 2 content to reflect the published standard rather than the draft version, and adding a number of articles on the certification process. The site supplier directory now lists a couple of certification bodies.
Tuesday, 13 November 2007
Who's responsible for security awareness?
Why do so few organisations run comprehensive security awareness and training? Some seem to think the CIO, or possibly HR, should be responsible, but I'm not sure about either of those suggestions. Most CIOs naturally focus on IT - as in technical - security, if indeed they take any interest in security. Relatively few HR people I've worked with have had much interest in IT, let alone information security.
No, it seems to me we have created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working hand-in-hand with IT, HR, Legal, Risk, Compliance, R&D, Ops ... in fact I can't think of anyone the ISM can safely ignore (is there any department that doesn't rely on information?).
To have any real effect on the organization's security stance and culture, the ISM needs the full support of executive management. My reasoning goes like this:
- Security awareness is part of information security.
- Information security is part of IT governance.
- IT governance is part of corporate governance.
- Corporate governance applies across the whole organization, and is a matter for senior management collectively.
- Ultimately the CEO and the Board are accountable for information security. They have the power to prioritize it, allocate sufficient funding, mandate security policies, standards etc. The CIO is much too far down the food-chain to have teeth.