Nice simple FAQ for ISO27001

Good overview here thanks to Sevennine and some editing and updates by me.

What is information security?
Information is an asset which has value to an organisation and needs to be suitably protected. Information assets can be electronically stored, printed or written, transmitted by post or electronically.

Information security is the preservation of

• Confidentiality – Ensuring that information is accessible only to those authorised to have access.
• Integrity – Safeguarding the accuracy and completeness of information and processing methods
• Availability – Ensuring that authorised users have access to information and associated assets when required.

This confidentiality, integrity and availability of information may be essential to maintain your organisation's commercial position, legal compliance and profitability.

Many organisations are now being asked by their business partners to provide clear statements about their information security management position. Working to an existing standard such as ISO 27001 is the best means to achieve a comprehensive and thorough system that will satisfy regulators and business partners. Seven Nine can help you meet these challenges.

What is the scope of the standard?
Eleven areas are covered within ISO 27001. (plus the clauses 4-8 which constitute the managment system activities)

• Information Security Policy – Is there management direction and a written policy to provide support and direction for information security activities?
• Organisational Security – Is there an infrastructure to manage security within the organisation? - includes management forum and processes, third party access and outsourced arrangements
• Asset Management – Are organisational assets protected? - Includes inventory and classification
• Human Resources Security – Are the risks of human error or fraud reduced? - Includes personnel screening and T&C's, security training and incident reporting
• Physical and Environmental Security – Is unauthorised access to business premises controlled? - Includes physical security, secure areas, equipment security, maintenance and disposal.
• Communications and Operations Management - Are information processing facilities operated in a correct and secure manner – Includes operating procedures and change control, system planning, protection against malicious software, backup, media handling, information exchange, and email security.
• Access Control – Is access to business information and processes controlled on the basis of business and security requirements? - Includes user and password management, mobile users, access to applications and network services.
• Information Systems – Is security is built into information systems? - Includes development and support processes, cryptography and data validation.
• Incident management – Are events and weaknesses reported, and are events consistently managed?
• Business Continuity – Are critical business processes protected from the effects of major failures or disasters?
• Compliance – Does the firm take measures to avoid breaches of law, statutory , regulatory or contractual obligations?

What is the difference between BS 7799 and ISO 27001?
ISO 27001 is essentially the adoption of BS 7799 Part 2 as an ISO standard. Changes have only been minor. BS7799 no longer exists.

What is ISO 27002?
ISO 27002 is a development of ISO 17799, and is a set of guidelines for Information Security best practice. Firms can seek to comply with this standard, but cannot be certified against it. ISO 27001 was created in order to provide a framework that organisations can be audited and certified against. Note If you have the ISO17799 standard, you do not need to buy ISO27002...as identical, unless you want the latest updated copy.

What is certification?
Certification is achieved through a process of external audit. A number of bodies are approved for ISO 27001 audit work. As with any external certification, regular surveillance and re-certification audits are required to maintain the certification.

What is compliance?
Any firm can produce a statement of compliance with ISO 27001. The implementation of a compliant system will require much of the same work as achieving certification. Your organisation has to consider the relative commercial merits of Compliance against Certification. You must remember that this only represents your view, and that your partners may set greater store by the recognition provided by third party audit.

Do I have to gain certification for the whole organisation?
No, you can choose to limit the scope of your implementation. Be aware that most Information Security components are closely connected throughout your whole firm, so too tight a scope might be difficult to justify. You may choose to limit the scope to specific organisational units or geographical locations.

Where can I find more information about ISO 27001?
Good starting points are the ISMS International User Group www.17799.com and BSI www.bsi-global.com. If you want to order a copy of the standards, you can get one from BSI for around £200.

Why use ISO27001

Over the past few months more clients are asking what is ISO 27001 and what are the benefits of implementing an Information Security Management System based on the standard?

ISO 27001 is a vendor and technology neutral internationally recognised standard which provides companies with a risk based approach to securing their information. It provides organisations with independent third party verification that their Information Security Management System meets an internationally recognised standard. This provides a company, and its customers and partners, with the confidence that they are managing their security in accordance with recognised and audited best practises.

However, in my opinion companies that have implemented an ISO 27001 based ISMS can demonstrate many efficiencies and other benefits such as;

• Increased reliability and security of systems:

Security is often defined as protecting the Confidentiality, Integrity and Availability of an asset. Using a standards based approach, which ensures that adequate controls, processes and procedures are in place will ensure that the above goals are met. Meeting the CIA goals of security will also by default improve the reliability, availability and stability of systems.

• Increased profits:

Having stable, secure and reliable systems ensures that interruptions to those systems are minimised thereby increasing their availability and productivity. In addition to the above, a standards based approach to information security demonstrates to customers that the company can be trusted with their business. This can increase profitability by retaining existing, and attracting new, customers.

• Reduced Costs:

A standards based approach to information security ensures that all controls are measured and managed in a structured manner. This ensures that processes and procedures are more streamlined and effective thus reducing costs.

Some companies have found they can better manage the tools they have in place by consolidating redundant systems or re-assigning other systems from assets with low risk to those with higher risk.

• Compliance with legislation:

Having a structured Information Security Management System in place makes the task of compliance much easier.

• Improved Management:

Knowing what is in place and how it should be managed and secured makes it easier to manage information resources within a company.

• Improved Customer and Partner Relationships:

By demonstrating the company takes information security seriously, customers and trading partners can deal with the company confidently knowing that the company has taken an independently verifiable approach to information security risk management.

ISO 27001 can be implemented within an organisation as a framework to work against or indeed the organisation can seek to gain certification against the standard.

If you are serious about information security and need to know “how secure is secure enough?”, then I strngly recommend you get a copy of the standard with a view to implementing it.

Thanks and source: Security Watch

What is ISO27001?

In a nutshell it is an ISO standard specifying the requirements for an information security management system. It was published in October 2005, and was based heavily upon the British Standard, BS 7799-2.

ISO/IEC 27001 is often considered to be the prime ISO 27000 standard because it is this against which certification can be sought. It is aligned with other ISO quality management standards, such as ISO 9001 and ISO 14001.

The standard is also intended to drive the selection of adequate and proportionate security controls. Hence the relationship with ISO 27002, (also known as ISO17799) which defines individual controls within a code of practice framework.

A good place for good tips and info on ISO27001

ISO27001security dotcom is a vendor-neutral website dedicated to promoting the ISO/IEC 27000-family international standards for Information Security Management Systems (“ISO27k”).

The ISO27k standards provide intgernationally-accepted best practice guidance on protecting the confidentiality, integrity and availability of the information and information systems on which we all depend.

Three ISO27k standards are already released and publicly available:

• ISO/IEC 27001, the Information Security Management System certification standard;
• ISO/IEC 27002, the code of practice for information security management with advice on a broad range of controls;
• ISO/IEC 27006, a guide to the ISMS certification process for certification bodies.

Here