ISO 27001 Information Security Management

Monday, December 6, 2010

Quality Management Principles:

1.Customer focus
2.Leadership
3.Involvement of people
4.Process approach
5.System approach to management
6.Continual improvement
7.Factual approach to decision making
8।Mutually beneficial supplier relationships

फॉर मोरे ईन्फ़ोर्मतिओन विसित उस अत "ह्त्त्प://व्व्व.इसोकेर्तिफ़िकतिओनसिअ.कॉम"

Quality management systems

ISO 9001 Certification is a Quality Management System Standard. It applies to all types of organizations. It doesn’t matter what size they are or what they do. It can help both product and service oriented organizations achieve standards of quality that are recognized and respected throughout the world.

Tuesday, September 22, 2009

Thursday, September 10, 2009

Dextrys Achieves ISO 27001 Security Certification

Dextrys, a US-based China outsourcing firm delivering Product Engineering and Application Services has achieved ISO 27001 certification for its information security management system – specifically, design, development, testing and maintenance of all software.

Monday, March 30, 2009

How ISO 27001:2005 works

ISO/IEC 27001:2005 covers twelve sections:

Security Policy
Organisation of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations
Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

Saturday, February 28, 2009

Style Of Delivery And Course Leaders

our course leaders are business improvement professionals. They have extensive hands-on experience of leading change in a wide range of sectors including manufacturing, finance, pharmaceuticals, local and national government. They have all, at one time or another, applied the full range of the most successful business improvement models and techniques around at the moment, including ISO 9000, the EFQM Model, Investors in People, Total Quality Management and Six Sigma.

Monday, February 16, 2009

Why use the Hosted Business Model?

We emphasis the Business rather than just the Security or IT part of ISO 27001. Instead of many Polices, Procedure and Work Instructions (one system we converted had over 80 Work Instructions which was completely unworkable). We concentrate on an integrated solution.
Note – ISO 27001 should not be dominated by IT requirements since it relates to all Company information. Nor should the controls and processes be dominated by only Security issues since the Standard relates to Risk Management associated to the:

What is the actual definition of "ISO Certification"?

The International Organization for Standardization headquartered in Geneva, Switzerland is the world's largest developer and publisher of International Standards, many that describe the best practices of private industry and government. Over 157 countries including the United States have adopted ISO standards as their own. After a rigorous review of our facility, practices, and technology, TeleDirect was certified in November for this prestigious distinction. This means that TeleDirect adheres to strict guidelines for the protection of your data and continuously strives to improve those safeguards. By earning ISO 27001 certification we have further demonstrated our commitment to making our Company more secure and securing your information.

Attestation 27001

The ISO 27001 security standard requires the implementation of an Information Security Management System (ISMS).
The necessary control objectives are not only implemented but also operated, monitored, controlled, maintained and improved.
The standard requires the company's IT operations to maintain the following qualities:

Confidentiality: information for identified, authorized persons
Integrity: information, methods and processes are precise and permanent
Availability: systems and infrastructure are stable and available round-the-clock

Four costs need to be considered when implementing this type of project.

1. Internal resources - the system covers a wide range of business functions - management, HR, IT, facilities & security. These resources will be required during the implementation of an ISMS.
2. Consultancy resources - a experienced consultant will save a huge amount of time, an will often challenge you on the implications of the controls you select. They will also prove a useful tool during internal audits where our independence and Lead Auditor status will ensure smooth transition towards certification. Contact us and we can give you a better picture of our costs. Typically look for 20-30 days work at similar rates to other IT consultants / professional services.
3. Certification costs - only a few certification bodies currently assess companies against ISO 27001, but fees are not much more than against other standards eg ISO 9001 or ISO 14001.
4. Implementation costs - this cannot be estimated by us. If, as a result of a risk assessment, or audit, a gap appears in your system and you feel the best way to address the risk is to buy a better firewall for example, it could be construed as an implementation cost.

ISO 27001/ISO 17799 Audit Questions and Checklist

Below sample question that yout can find in the ISO7799 Audit Questions and Checklist. The excel list also could be downloaded below

Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees.
Whether it states the management commitment and set out the organisational approach to managing information security. Whether the Security policy has an owner, who is responsible for its maintenance and review according to a defined review process.
Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, example: significant security incidents, new vulnerabilities or changes to organisational or technical infrastructure.
Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within the organisation.
Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

Achieving ISO 20000 with Business Beam

Business Beam offers expert consulting services for effective implementation of ISO20000.

Awareness and Project Scoping: We start with ISO 20000 awareness trainings. We then define the scope of certification within your organization and confirm the eligibility for certification. We also propose an approach for how your organization should consider achieving and subsequently retaining ISO 20000.
Capability Assessment: Capability Assessment is a rigorous snapshot of your service management capability against the standard. The assessment takes places via a combination of on-site visits, information gathering, off-site evidence reviews, clarification and elaboration interviews culminating in a final comprehensive assessment report.
Gap Closure: Following on from the capability and gap assessment we work with your teams to discuss the gaps, the relevance of the closure activities and the time frames in which these will be completed. We then draw up a project plan and project initiation document to address every gap in a realistic timescale. RAID assessments are also undertaken (Risks, Assumptions, Issues and Dependencies).

ISO 20000 scope

ISO 20000 itself is not clear on scoping. It says, simply, that it defines ‘the requirements for a service provider to deliver managed services of an acceptable quality for its customers.’ This statement is so broad that it might appear that virtually any organization that delivers managed services to customers would be eligible for ISO 20000 certification.
It is necessary to turn to the additional, published guidance on ISO 20000 scoping to clarify the requirements. Clause 1 of these guidelines says: “in order for a Service Provider organization to achieve certification under the ISO/IEC 20000 scheme it must be able to demonstrate that it has ‘management control’ of all the processes defined within the ISO/IEC 20000 standard. For this purpose, ‘management control’ of a process consists of:

Knowledge and control of inputs;
Knowledge, use and interpretation of outputs;
Definition and measurement of metrics;
Demonstration of objective evidence of accountability for process functionality in conformance to the ISO/IEC 20000 standard; and
Definition, measurement and review of process improvements.”

This two-day course is designed for professionals...

who are familiar with ISO 27001/27002
who are looking for guidance on auditing against the ISO 27002 standards
who plan to adopt the security framework and implement the standards
who would like to see their organization certified to ISO 27001
who would like to improve their security program and align their security goals to their business objectives

We recommend the following best practice guidelines to minimize the risks involved in credit card transactions:

* Ensure that credit cards used to purchase goods or services on the Internet have a low credit limit, or if debit cards are used, that they have limited funds and are only topped up to cover specific Internet purchases.
* All expenses incurred through Internet transactions should be carefully audited on a regular basis for any anomalies.
* Only enter credit card details on a Web site if you are confident as to its authenticity and that the connection is secure - the prefix https (as opposed to the usual http) in the Web Site address indicates a secure connection.
* If the security of a Web site is in doubt, any confidential information posted to it may be exposed to malicious intent. Be extremely cautious when posting confidential details on any site where the Internet Service Provider hosting the site is not verified. Note that we have pre-checked all sites referenced in this newsletter for security!

SOCIAL ENGINEERING - ARE YOU SUSCEPTIBLE?

The term 'social engineering' can conjure up a variety of ideas, usually based around the concept of genetic tampering. However, when applied to IT security, it has its own implications and its own vocabulary.
Following interviews with known computer criminals, a list of approaches has been produced. These are designed to gather information without the target even realizing that they have parted with it. The attempts are often made on an opportune bases, with common locations for this sort of activity being planes, trains and pubs. The telephone is probably the major source of pre-meditated acts.

Structure and format of ISO/IEC 27002

ISO/IEC 27002 is a code of practice - a generic, advisory document, not truly a standard or formal specification such as ISO/IEC 27001. It lays out a well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects. Organizations that adopt ISO/IEC 27002 must assess their own information security risks and apply suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory but if an organization chooses not to adopt something as common as, say, antivirus controls, they should certainly be prepared to demonstrate that this decision was reached through a rational risk management decision process, not just an oversight, if they anticipate being certified compliant to ISO/IEC 27001.

Scope of ISO/IEC 27002

Like governance, information security is a broad topic with ramifications in all parts of the modern organization. Information security, and hence ISO/IEC 27002, is relevant to all types of organization including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies - in fact any organization that handles and depends on information. The specific information security requirements may be different in each case but the point of ISO/IEC 27002 is that there is a lot of common ground.
The standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security per se. The IT Department is merely the custodian of a good proportion of the organization’s information assets and is charged with securing them by the information asset owners - the business managers who are accountable for the assets. A large proportion of written and intangible information (e.g. the knowledge and experience of workers) is nothing to do with IT.

ISO/IEC 27002:2005 - the current, issued standard

ISO/IEC 17799:2005 was renumbered ISO/IEC 27002:2005 in the middle of 2007 to bring it into the ISO/IEC 27000 family of standards. The text remains word-for-word identical to ISO/IEC 17799:2005 - in fact, for some while the ISO/IEC 17799 standard continued to be delivered to anyone who ordered ISO/IEC 27002, along with a cover sheet noting the change of number.

THE CONTENTS OF ISO 17799 / 27002

The content sections are:
· Structure
· Risk Assessment and Treatment
· Security Policy
· Organization of Information Security
· Asset Management
· Human Resources Security
· Physical Security
· Communications and Ops Management
· Access Control
· Information Systems Acquisition, Development, Maintenance
· Information Security Incident management
· Business Continuity

The ISO 27001:2005 standard covers twelve areas:

security policy
organisation of information security
asset management
human resources security
physical and environmental security
communications and operations
management
access control
information systems acquisition, development and maintenance
information security incident management
business continuity management
compliance

Product Description

Here, at last, is a book by a business manager who knows what makes a business work and why best practice information security is essential. Written in clear English, this book explains why so many organizations have already successfully registered to BS7799/ISO27001 and makes a crystal clear case for pursuing the standard that management in any organization anywhere in the world will accept. Information security is about more, so much more than compliance, security and survival - it's about sharpening your competitive edge for battle in the information economy. Alan Calder, the author of "IT Governance: a Manager's Guide to Data Protection and BS7799/ISO17799", led one of the first successful BS7799 certification efforts in the world. He also belongs to the committee of experts of a global certification body. This book sets out why ISO 27001 is the right answer to the information security challenge.

Wednesday, February 11, 2009

IMPLEMENTING INFORMATION SECURITY BASED ON ISO 27001 AND ISO 17799

IMPLEMENTING INFORMATION SECURITY BASED ON ISO 27001 AND ISO 17799 1 Introduction 2 Information security and ISO 27001 3 Certification 4 ISO 27001 and ISO 17799 5 Frameworks and management system integration 6 Documentation requirements and record control 7 Project team 8 Project initiation 9 Process approach and the PDCA cycle 10 Plan – establish the ISMS 11 Scope definition 12 Risk management 13 Assets within scope 14 Assessing risk 15 Risk treatment plan 16 Risk assessment tools 17 Statement of Applicability 18 Third party checklists and resources 19 Do – implement and operate the ISMS 20 Check – monitor and review the ISMS 21 Act – maintain and improve the ISMS 22 Measurement 23 Preparing for an ISMS audit

What is Program Certification?

Certification is the term used by the CHC to describe the determination by a qualified authority that your operation meets the standard and is being maintained on an ongoing basis. This involves having an auditor from QMI-SAI Global, come to your operation to:
· Review your OFFS Manual(s) and related records,
· Visit your facilities and interview the operator and staff,
· Assess your conformance to the CHC OFFS Audit Checklist.
Since the Audit Checklist covers all eight modules, multi-crop producers need only one audit. Once you pass the audit, you will be certified to the Program

ISO 27002

ISO 27002 is derived from BS 7799 Part 1, which it superseded (formerly called ISO 17799).
ISO 27002 is the 'Code of Practice for Information Security Management' and is a management guide to the implementation of adequate security in an organisation.
It is a checklist of controls within the eleven clauses and explains or gives further guidance on them. It is used to advise the implementer of how and why the controls are implemented and gives some guidance on how they are to be implemented.
ISO 27002 does not set the 'need' for security but provides a 'shopping list' of components that can be installed.

The Excellence Model

This is a standard of excellent organisational performance and a highly structured scheme whereby any organisation can measure how its operational performance compares with the best around. It is both a national and international standard of organisational excellence with a range of award categories.
Carshaw can help organisations large and small to assess their scores in three different ways:
a) By Performa scoring individually or in groups
b) by team activity scoring using a card system
c) by questionnaire completion individually or in groups
The scores for each of the 9 sections of the model can then be related to the critical success factors of the organisation and a detailed improvement action plan can be derived. Spin-off benefits of working through self-assessment include a clearer understanding of the purpose and goals of the organisation, plus better teamwork, greater commitment and improved levels of communication.

Benefits to Your Business

In the modern business environment, all of your employees have some level of access to your business-critical information; and so all employees should be involved in protecting it. You will learn about.
· The business objectives of information security management
· International best practice in information security management
· Application of security controls to manage risks to your information
· The Plan-Do-Check-Act process model for maintaining security
· The difference between compliance and certification
· The future direction of international standards for information security

The five step approach to the compliance audit is explained below

Scope and Plan

The identification of scope for Compliance Audit
Project planning, resourcing and scheduling

Information Gathering

Understand the standards or best practices that the organization is complied with.
Understand the organizational processes, configurations and supporting documents

Audit

Prepare compliance review sheets/checklists
Review the existing and implemented processes and standards against the established standard
Understand the deviations (gaps) from the standard, impact and scope for improvements
Evidence on compliance to standards or best practices

Documentation

Documentation of information assessed and evidences where required
Provide current state analysis report on compliance
Provide recommendations to close the gaps and non-conformities

Improvement

Assist in the corrective action on closing the gaps
Guide in amending the existing processes to achieve the business and organization goals

The 11 areas of audit focus are:

Corporate Security Management Objectives
Systems Development and Maintenance Objectives
Information Access Control Management Objectives
Compliance Management Objectives
Human Resource Security Management Objectives
Information Security Incident Management Objectives
Communications and Operations Management Objectives
Organizational Asset Management Objectives
Physical and Environmental Security Management Objectives
Security Policy Management Objectives
Disaster Recovery Plan and Business Continuity Objectives

Top 5 Facts about the ISO 27001 Standard

Here are some important facts about the ISO 27001 standard which concerned businesses should take note of if they want to remain competitive.
1. The ISO 27001 version, which was published officially in 2005, is only the first among the ISO 27000 series but it is by far the most significant considering that it defined the system.
2. The ISO 27001 has been harmonized so it compliments and is compatible with ISO 17799 (also known as ISO 27002), ISO 14000 and ISO 9000. However, each of them has their own function.
3. Organizations or establishments that are already compliant with the provisions of ISO 27002 can opt for certification although the fact that they have been certified under ISO 27002 means they can meet the provisions of the present standard, Those seeking certification for ISO 27001 can contact the various certification bodies that have been accredited.
4. ISO 27001 is the first of a series and organizations can expect a long list from the ISO 27000 series including the following:
· ISO 27003 which contains the new guide to the implementation of the ISMS
· ISO 27004 which contains the new standards set for the measurement of information security as well as metrics
· ISO 27005 which contains a list of the suggested standard for managing risks
· ISO 27006 which contains the guidelines to be followed for the registration and certification process
· ISO 27007 which contains the guidelines to be followed in the audit of systems for information security management · ISO 27799 which contains the guidelines to be followed by the health sector when complying with ISO 27001
5. ISO 27001 has been translated and published in different languages but the information contained in all the versions should be the same as the original version.

How Does Your Organization Measure Up to ISO 27001?

In a testament to the growing momentum behind ISO 27001, Microsoft Global Foundation Services has chosen to align its information security program with the international standard’s rigorous requirements. As the first major online service provider to earn ISO/IEC 27001:2005 certification, Microsoft has achieved external validation that its approach to managing security risk in a global organization is both comprehensive and effective.
As ISO 27001 continues to demonstrate its value, more and more leading corporations like Microsoft are choosing the international standard as the foundation for their information security programs. ISO 27001 certification not only helps ensure effective security management practices, but also streamlines compliance with multiple regulations by providing one defensible standard of care. In fact, a 2007 survey revealed that 65 percent of organizations complying with PCI were planning to take a more holistic, standards-based approach to compliance by standardizing on ISO 27001.

Being Audited to ISO 27001

Once all the requirements of ISO 27001 have been met, you can apply for an external audit. This should be carried out by a third party, accredited certification body. In the UK, the body should be accredited by UKAS (look for the 'crown and tick' logo).
The chosen certification body will firstly review relevant documentation. This should include the declared policy, scope of the ISMS, documents covering the risk assessment, risk treatment plan, Statement of Applicability and documented security procedures. The auditors will also be checking that you have identified and implemented the controls that are appropriate to your size and type of business. This process is normally carried out at your premises, being more beneficial to both parties.
This is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept. After a successful audit, a certificate of registration to ISO 27001 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work

What Is the Difference?

Both the ISO 17799 and 27001 standards were derived from multiple iterations of the originating British Standards Institute standard number BS7799. Originally this standard consisted of two parts. Part one was first adopted as ISO 17799. Part two was later adopted in 2005 as ISO 27001. The ISO 17799 standard will be renumbered under the ISO 27000 series of standards as ISO 27002 sometime in 2007 or 2008.
ISO 17799 is a code of practice. In essence, it is a set of guidelines that an organization may use in developing an information security management system. These guidelines have been developed over many years and have gone through many revisions. The guidelines are internationally accepted as one of the industry de facto best practice baselines. There is no certification for ISO 17799 as it is a set of guidelines that can be used to help ensure the compliance and successful implementation of the ISO 27001 specifications.

All-round Protection

ISO/IEC certification at T-Systems extends in detail to:

Security strategy: The management sets the course
Security organization: An infrastructure is in place to ensure information security
Capture and classification of values: Classification, naming and treatment of information are specified
Personal security: Job descriptions, user training, behavior in the event of security-relevant incidents
Physical and environmental security: equipment, zones, measures
Management and operational communications: Procedures and responsibilities, system planning and approval, protection from malware, network management, etc.

ISO 17799 compared to ISO 27001

ISO 17799 is Part 1 of BS 7799 (the ISO standard for information security). ISO 17799 is a code of best practice for information security management and provides practical guidance on implementation of the security controls that should be implemented on the basis of the ISO 27001 risk assessment. ISO 17799 will be renumbered to ISO/IEC 27002 in the course of 2007.
ISO 27001 is Part 2 of BS 7799 is the risk assessment standard for certification and sets the requirements that an organization must fulfill in order to establish an information security management system. The PTA ISO 27001:27005 is a full implementation of the ISO 27001 compliance check list. If you find that ISO 17799 is more relevant to your practice, please contact us and we may consider development of a PTA library for this standard as well.

Why Excel is a bad choice for a security audit

Excel is easy to use, but you can lose or destroy your data pretty easily. Although risk assessment standards such as ISO 27001 or PCI DSS 1.1 have a one dimensional hierarchical structure of controls - you can get into big trouble once you try and link controls to vulnerabilities, assets and threats. The model starts getting multi-dimensional and that’s where Excel breaks down quickly and you lose data integrity.

We recommend the following best practice guidelines to minimize the risks involved in credit card transactions:

Achieving ISO 27001 Certification

Program empowers you to successfully certify your organization against ISO 27001 through a robust security system. Often, mere compliance to a framework may not mean reduced risk for the organization. In order to deliver full advantage of the management system, drill-down level of techniques and tools need to be deployed to ensure complete and effective risk management.
ISO 27001 provides a blueprint for an information security management system (ISMS) based on a riskmanagement approach, to establish, implement, operate, monitor, maintain and improve information security. Besides, certification is an accepted way of providing assurance that the organization has implemented a management system which meets the requirements specified in the ISO 27001 standard.

Could your organisation cope with a major information security incident?

Would it be your responsibility? Customers in all sectors are increasingly concerned about the security of business and personal information and perhaps they have good reason to with 66 per cent of UK businesses expecting more security incidents in the next year than in the last and 60 per cent expecting security breaches to be harder to detect in the future.*
The number of reported incidents suffered by affected businesses also rose by 50 per cent and the average costs associated with each security incident rose by 20 per cent. What would be the consequences of an expensive information security incident in your organisation?*
As a Quality Manager, it’s your responsibility to implement and maintain your organisation’s Quality Management System, and achieve and maintain compliance with ISO 9001. For businesses competing in a global marketplace, customer satisfaction, loyalty and retention are increasingly important in achieve and maintaining competitive advantage.

M I G awarded ISO 27001

ISO Certifications awarded to M I G Investments for meeting quality and security standardsM I G Investments has been awarded the ISO 9001:2000 certification in recognition of its standardized Quality Management best-practices, and the ISO 27001:2005 certification for standardized Information Security techniques. The move comes as M I G Investments leverages its international expertise as a major Swiss, online FX broker by bringing customers quality services, innovation, technology and high security standards.

Excellent flow chart on the IS27002 certification process.

I would warmly recommend a tool for ISO 27001 automation that uses PTA - Practical Threat Analysis. What these folks have done is to write a generic library for performing an ISO 27001 assessment using the PTA Professional freeware. The framework is all there and you can build a real life threat model in about 15 minutes by adding your ownthreats and assets. The part I like about PTA is the optimized risk mitigation plan that recommends the most effective controls.

Who originally wrote the security standard?

Originally a BSI/DISC committee, which included representatives from a wide section of industry/commerce. It was reviewed subsequently by an ISO (International Standards Organization) committee and ultimately emerged through the ISO publication process.

HIGH LEVEL POLICY FOR IT SYSTEM ACQUISITION

Procurement procedures in respect of the purchase, lease or rental of all technology based products and services need to be developed. Internal control procedures covering these processes are to be developed and approved incorporating these requirements and providing the means to verify that these procurement control policies are being complied with on an ongoing basis.

The advantages of an external audit are,

1) A fresh approach and a clear 3 part perspective about the ISMS
2) External auditor’s have more experience than internal auditors’ unless the company is large and they have a high quality team of internal auditors’ themselves
3) Absence of prejudice, whereas the internal audit team could be influenced by it

International Organization for Standardization / International Electrotechnical Commission 27001

Establishes requirements for an organization´s Information Security Management System (ISMS)
Determines documentation requirements and management responsibility
Requires internal audits and managerial review of the ISMS
Demands ISMS improvement
Provides controls and control objectives derived from best practices in ISO/IEC 27002

Why Appin Recommends ISO 27001 As the Benchmark for ISMS

ISO 27001 is a globally acknowledged standard defining the requirements for an Information Security Management System (ISMS). The standard considers Information Security as a combination of people, process, and technology. The standard is globally acknowedged, comprehensive and widely acknowledged. It is also easily integrated with other standards of the ISO family, particularly with ISO 9001. ISO 20000, the service delivery standard, is easily plugged on.That way ISO 27001 enables companies to measure the risk to their information and ensure the selection of adequate and proportionate security controls that protect information assets, thus enhancing confidence of the organization's stakeholders. At the same time ISO 27001 streamlines business processes and facilitates implementing other standards.

What can you expect?

Regular emergency management for the safeguarding of the system availability for the critical enterprise processes.
Proof of security towards third parties by fulfillment of a world-wide approved standard.
Knowledge and control of IT risks (residual risks).
Transparent processes and optimized structures deliver the basis for lasting cost optimization and achievement optimization.
Within the scope of the annual audit, the certification according to ISO 27001 can serve as a proof, respective the regularity of the IT company, for the certified accountant.

What are the critical success factors?

Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:

security policy, objectives and activities that reflect business objectives;
an approach to implementing security that is consistent with the organizational culture;
visible support and commitment from management
a good understanding of the security requirements, risk assessment and risk management
effective marketing of security to all managers and employees;
distribution of guidance on information security policy and standards to all employees and contractors;
provide appropriate training and education;

ISO27001 and ISO17799 identify 10 key areas and controls.

Security Policy - to provide Management Direction and support for information security.
Organisation of Assets and Resources - to help you manage information security.
Asset classification and control – to help you identify and protect your assets.
Personnel security – to reduce the risks of human error, theft, fraud or misuse of facilities.
Physical and environmental security – to prevent unauthorized access, damage, and interference with business premises and information.
Communications and operations management - to ensure the correct and secure operation of information processing facilities.
Systems development and maintenance – to ensure that security is built into information systems. Access control – to control access to information.

How can you protect against risks to your information security?

The most effective way to manage risks to information security is to implement an Information Security Management system in line with best practice and the recognised standard for best practice is ISO 27001 (BS7799).
To demonstrate that you are meeting best practice, a company needs to have its achievement independently validated - this process is called certification.