Information Security System

INFORMATION SECURITY

The ISO 27000 family of information security management standards aligns with other ISO management system standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management), in both general structure and the way best practices are integrated with certification standards. Certification of an organization to ISO/IEC 27001 is one means of providing assurance that the organization has not only implemented a system for managing information security in line with the international standard, but also maintains and continuously improves that system.

With the increased use of new technology to store, transmit and retrieve information, we have exposed ourselves to a greater number and variety of threats. The overall approach to information security, and the integration of the different security initiatives, needs to be managed so that each element is as effective as possible. An ISMS allows you to coordinate your security efforts effectively. Implementing ISO/IEC 27001:2005 reassures customers and suppliers that information security is taken seriously within your organization and that defined processes are in place to deal with information security threats and issues.

The new standard can be used by a broad range of organizations – small, medium and large – in most commercial and industrial market sectors: finance and insurance, telecommunications, healthcare, utilities, retail and manufacturing, various service industries, transportation, government and many others. ISO/IEC 27001:2005 specifies the processes that enable a business to establish, implement, review and monitor, manage and maintain an effective ISMS.

ISO/IEC 27001 is intended to be used with ISO/IEC 17799, the Code of Practice for Information Security Management, which lists control objectives, controls and implementation guidelines. Organizations that implement an ISMS in accordance with ISO 17799 are likely to also meet the requirements of ISO/IEC 27001. This ISO standard is the first in a family of information security related standards which are assigned numbers in the 27000 series.

They include:

- ISO/IEC 27000 - a vocabulary or glossary of terms used in the ISO 27000-series standards
- ISO/IEC 27002 - the proposed re-naming of the existing standard ISO 17799
- ISO/IEC 27003 - a new ISMS implementation guide
- ISO/IEC 27004 - a new standard for information security measurement and metrics
- ISO/IEC 27005 - a proposed standard for risk management, potentially related to the current British Standard BS 7799 part 3
- ISO/IEC 27006 - a guide to the certification process

The ISO 27001:2005 standard effectively covers twelve sections:

- security policy
- organization of information security
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development and maintenance
- information security incident management
- business continuity management
- compliance

To start with, an assessment is made of how your ISMS has been implemented, to identify the gaps against the requirements of the standard. After the gaps have been closed, the initial audit follows. From the audit you will receive a report that outlines the key measures needed to achieve certification. Once no major corrective action is required, you will obtain certification. Annual compliance audits then follow, and the certificate is renewed every three years as long as the system is maintained.

Steps for Implementing ISO 27001:2005

1. Define an information security policy
2. Define the scope of the information security management system
3. Perform a security risk assessment
4. Manage the identified risks
5. Select the controls to be implemented and applied
6. Prepare an SOA (a "statement of applicability")

Benefits of ISO 27001:2005

The reputation of ISO and certification against the internationally recognized ISO 27001:2005 enhance any company's credibility. Certification clearly demonstrates the validity of your information and a real commitment to upholding information security. Setting up and certifying an ISMS can also transform your corporate culture both internally and externally, opening up new business opportunities with security-conscious customers and clients, in addition to improving employee ethics and awareness of confidentiality throughout the workplace. What's more, it allows you to enforce information security and reduce the risk of fraud, information loss and disclosure.

- Minimizing the risk of privacy and security breaches
- Demonstrating due diligence for compliance with privacy laws
- Defining the security process
- Creating security objectives and requirements
- Cost-effectively managing security risks
- Ensuring the organization's security objectives are met by providing a roadmap for managing requirements
- Complying with government, industry and other regulations
- Providing a uniform platform to show customers and partners how information is secured
- Determining the extent of compliance with corporate directives and government policies

Control Objectives and Controls

In addition to the clauses of the standard, the following are the minimum control objectives and controls in ISO 27001; they align directly with those in ISO 17799. At a minimum, these objectives and controls shall be part of the ISMS. Additional objectives and controls may be necessary, depending on the organization's requirements.

A.5 Information Security

- Information security policy

A.6 Organization of Information Security

- Internal organization
- External parties

A.7 Asset Management

- Responsibility for assets
- Information classification

A.8 Human Resources Security

- Prior to employment
- During employment
- Termination or change of employment

A.9 Physical and Environmental Security

- Secure areas
- Equipment security

A.10 Communications and Operations Management

- Operational procedures and responsibilities
- Third party service delivery management
- System planning and acceptance
- Protection against malicious and mobile code
- Back-up
- Network security management
- Media handling
- Exchange of information
- Electronic commerce services
- Monitoring

A.11 Access Control

- Business requirements for access control
- User access management
- User responsibilities
- Network access control
- Operating system access control
- Application and information access control
- Mobile computing and teleworking

A.12 Information Systems Acquisition, Development and Maintenance

- Security requirements of information systems
- Correct processing in applications
- Cryptographic controls
- Security of system files
- Security in development and support processes
- Technical vulnerability management

A.13 Information Security Incident Management

- Reporting information security events and weaknesses
- Management of information security incidents and improvements

A.14 Business Continuity Management

- Information security aspects of business continuity management

A.15 Compliance

- Compliance with legal requirements
- Compliance with security policies and standards, and technical compliance
- Information systems audit considerations