Thursday, September 10, 2009

Dextrys Achieves ISO 27001 Security Certification

Dextrys, a US-based China outsourcing firm delivering Product Engineering and Application Services has achieved ISO 27001 certification for its information security management system – specifically, design, development, testing and maintenance of all software.

Monday, March 30, 2009

How ISO 27001:2005 works

ISO/IEC 27001:2005 groups its Annex A controls into eleven clauses (A.5 to A.15); the commonly repeated "twelve" comes from splitting Communications and Operations Management into two items:

  1. Security Policy
  2. Organisation of Information Security
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisition, Development and Maintenance
  9. Information Security Incident Management
  10. Business Continuity Management
  11. Compliance

Saturday, February 28, 2009

Style Of Delivery And Course Leaders

Our course leaders are business improvement professionals. They have extensive hands-on experience of leading change in a wide range of sectors including manufacturing, finance, pharmaceuticals, and local and national government. They have all, at one time or another, applied the full range of the most successful business improvement models and techniques currently in use, including ISO 9000, the EFQM Model, Investors in People, Total Quality Management and Six Sigma.

Monday, February 16, 2009

Why use the Hosted Business Model?

We emphasise the business, rather than just the security or IT part, of ISO 27001. Instead of many policies, procedures and work instructions (one system we converted had over 80 work instructions, which was completely unworkable), we concentrate on an integrated solution.
Note: ISO 27001 should not be dominated by IT requirements, since it relates to all company information. Nor should the controls and processes be dominated only by security issues, since the standard relates to risk management associated with the:

What is the actual definition of "ISO Certification"?

The International Organization for Standardization, headquartered in Geneva, Switzerland, is the world's largest developer and publisher of International Standards, many of which describe the best practices of private industry and government. Over 157 countries, including the United States, have adopted ISO standards as their own. After a rigorous review of our facility, practices and technology, TeleDirect was certified in November for this prestigious distinction. This means that TeleDirect adheres to strict guidelines for the protection of your data and continuously strives to improve those safeguards. By earning ISO 27001 certification we have further demonstrated our commitment to making our company more secure and securing your information.

Attestation 27001

The ISO 27001 security standard requires the implementation of an Information Security Management System (ISMS).
The selected control objectives are not only implemented but also operated, monitored, reviewed, maintained and improved.
The standard defines the three properties the ISMS must preserve for all information in scope (not only that held by IT operations):
  • Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes
  • Integrity: the accuracy and completeness of information and of the methods that process it are safeguarded
  • Availability: information and the systems that hold it are accessible and usable on demand by an authorised entity, to the level the business requires (which is not necessarily round-the-clock)

Four costs need to be considered when implementing this type of project.

1. Internal resources - the system covers a wide range of business functions: management, HR, IT, facilities and security. These resources will be required throughout the implementation of an ISMS.
2. Consultancy resources - an experienced consultant will save a huge amount of time, and will often challenge you on the implications of the controls you select. They will also prove useful during internal audits, where our independence and Lead Auditor status will ensure a smooth transition towards certification. Contact us and we can give you a better picture of our costs. Typically allow for 20-30 days of work at rates similar to other IT consultants and professional services.
3. Certification costs - only a few certification bodies currently assess companies against ISO 27001, but fees are not much more than for other standards, e.g. ISO 9001 or ISO 14001.
4. Implementation costs - these cannot be estimated by us. If, as a result of a risk assessment or audit, a gap appears in your system and you decide the best way to address the risk is, for example, to buy a better firewall, that is an implementation cost.

ISO 27001/ISO 17799 Audit Questions and Checklist

Below are sample questions from the ISO 17799 Audit Questions and Checklist. The Excel list can also be downloaded below.
  • Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees.
  • Whether it states the management commitment and set out the organisational approach to managing information security. Whether the Security policy has an owner, who is responsible for its maintenance and review according to a defined review process.
  • Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, example: significant security incidents, new vulnerabilities or changes to organisational or technical infrastructure.
  • Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within the organisation.
  • Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

Achieving ISO 20000 with Business Beam

Business Beam offers expert consulting services for effective implementation of ISO20000.
  • Awareness and Project Scoping: We start with ISO 20000 awareness trainings. We then define the scope of certification within your organization and confirm the eligibility for certification. We also propose an approach for how your organization should consider achieving and subsequently retaining ISO 20000.
  • Capability Assessment: Capability Assessment is a rigorous snapshot of your service management capability against the standard. The assessment takes place via a combination of on-site visits, information gathering, off-site evidence reviews, and clarification and elaboration interviews, culminating in a final comprehensive assessment report.
  • Gap Closure: Following on from the capability and gap assessment we work with your teams to discuss the gaps, the relevance of the closure activities and the time frames in which these will be completed. We then draw up a project plan and project initiation document to address every gap in a realistic timescale. RAID assessments are also undertaken (Risks, Assumptions, Issues and Dependencies).

ISO 20000 scope

ISO 20000 itself is not clear on scoping. It says, simply, that it defines ‘the requirements for a service provider to deliver managed services of an acceptable quality for its customers.’ This statement is so broad that it might appear that virtually any organization that delivers managed services to customers would be eligible for ISO 20000 certification.
It is necessary to turn to the additional, published guidance on ISO 20000 scoping to clarify the requirements. Clause 1 of these guidelines says: “in order for a Service Provider organization to achieve certification under the ISO/IEC 20000 scheme it must be able to demonstrate that it has ‘management control’ of all the processes defined within the ISO/IEC 20000 standard. For this purpose, ‘management control’ of a process consists of:
  • Knowledge and control of inputs;
  • Knowledge, use and interpretation of outputs;
  • Definition and measurement of metrics;
  • Demonstration of objective evidence of accountability for process functionality in conformance to the ISO/IEC 20000 standard; and
  • Definition, measurement and review of process improvements.”

This two-day course is designed for professionals...

  • who are familiar with ISO 27001/27002
  • who are looking for guidance on auditing against the ISO 27002 standards
  • who plan to adopt the security framework and implement the standards
  • who would like to see their organization certified to ISO 27001
  • who would like to improve their security program and align their security goals to their business objectives

We recommend the following best practice guidelines to minimize the risks involved in credit card transactions:

* Ensure that credit cards used to purchase goods or services on the Internet have a low credit limit, or, if debit cards are used, that they have limited funds and are only topped up to cover specific Internet purchases.
* All expenses incurred through Internet transactions should be carefully audited on a regular basis for any anomalies.
* Only enter credit card details on a Web site if you are confident of its authenticity and that the connection is secure. The prefix https (as opposed to the usual http) in the Web site address indicates that the connection is encrypted, but it does not by itself prove who you are dealing with: also check that the browser shows no certificate warning and that the certificate is issued to the organisation you expect.
* If the security of a Web site is in doubt, any confidential information posted to it may be exposed to malicious intent. Be extremely cautious when posting confidential details on any site whose operator or hosting provider you cannot verify. Note that we have pre-checked all sites referenced in this newsletter for security.

SOCIAL ENGINEERING - ARE YOU SUSCEPTIBLE?

The term 'social engineering' can conjure up a variety of ideas, usually based around the concept of genetic tampering. However, when applied to IT security, it has its own implications and its own vocabulary.
Following interviews with known computer criminals, a list of approaches has been produced. These are designed to gather information without the target even realizing that they have parted with it. The attempts are often made on an opportunistic basis, with common locations for this sort of activity being planes, trains and pubs. The telephone is probably the major channel for premeditated attempts.

Structure and format of ISO/IEC 27002

ISO/IEC 27002 is a code of practice - a generic, advisory document, not truly a standard or formal specification such as ISO/IEC 27001. It lays out a well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects. Organizations that adopt ISO/IEC 27002 must assess their own information security risks and apply suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory but if an organization chooses not to adopt something as common as, say, antivirus controls, they should certainly be prepared to demonstrate that this decision was reached through a rational risk management decision process, not just an oversight, if they anticipate being certified compliant to ISO/IEC 27001.

Scope of ISO/IEC 27002

Like governance, information security is a broad topic with ramifications in all parts of the modern organization. Information security, and hence ISO/IEC 27002, is relevant to all types of organization including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies - in fact any organization that handles and depends on information. The specific information security requirements may be different in each case but the point of ISO/IEC 27002 is that there is a lot of common ground.
The standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security per se. The IT Department is merely the custodian of a good proportion of the organization’s information assets and is charged with securing them by the information asset owners - the business managers who are accountable for the assets. A large proportion of written and intangible information (e.g. the knowledge and experience of workers) is nothing to do with IT.

ISO/IEC 27002:2005 - the current, issued standard

ISO/IEC 17799:2005 was renumbered ISO/IEC 27002:2005 in the middle of 2007 to bring it into the ISO/IEC 27000 family of standards. The text remains word-for-word identical to ISO/IEC 17799:2005 - in fact, for some while the ISO/IEC 17799 standard continued to be delivered to anyone who ordered ISO/IEC 27002, along with a cover sheet noting the change of number.

THE CONTENTS OF ISO 17799 / 27002

The content sections are two introductory sections followed by the eleven control clauses:
· Structure
· Risk Assessment and Treatment
· Security Policy
· Organization of Information Security
· Asset Management
· Human Resources Security
· Physical and Environmental Security
· Communications and Operations Management
· Access Control
· Information Systems Acquisition, Development and Maintenance
· Information Security Incident Management
· Business Continuity Management
· Compliance

The ISO 27001:2005 standard covers eleven control areas:

  • security policy
  • organisation of information security
  • asset management
  • human resources security
  • physical and environmental security
  • communications and operations management
  • access control
  • information systems acquisition, development and maintenance
  • information security incident management
  • business continuity management
  • compliance

Product Description

Here, at last, is a book by a business manager who knows what makes a business work and why best practice information security is essential. Written in clear English, this book explains why so many organizations have already successfully registered to BS7799/ISO27001 and makes a crystal clear case for pursuing the standard that management in any organization anywhere in the world will accept. Information security is about more, so much more than compliance, security and survival - it's about sharpening your competitive edge for battle in the information economy. Alan Calder, the author of "IT Governance: a Manager's Guide to Data Protection and BS7799/ISO17799", led one of the first successful BS7799 certification efforts in the world. He also belongs to the committee of experts of a global certification body. This book sets out why ISO 27001 is the right answer to the information security challenge.

Wednesday, February 11, 2009

IMPLEMENTING INFORMATION SECURITY BASED ON ISO 27001 AND ISO 17799

  1. Introduction
  2. Information security and ISO 27001
  3. Certification
  4. ISO 27001 and ISO 17799
  5. Frameworks and management system integration
  6. Documentation requirements and record control
  7. Project team
  8. Project initiation
  9. Process approach and the PDCA cycle
  10. Plan – establish the ISMS
  11. Scope definition
  12. Risk management
  13. Assets within scope
  14. Assessing risk
  15. Risk treatment plan
  16. Risk assessment tools
  17. Statement of Applicability
  18. Third party checklists and resources
  19. Do – implement and operate the ISMS
  20. Check – monitor and review the ISMS
  21. Act – maintain and improve the ISMS
  22. Measurement
  23. Preparing for an ISMS audit

What is Program Certification?

Certification is the term used by the CHC to describe the determination by a qualified authority that your operation meets the standard and is being maintained on an ongoing basis. This involves having an auditor from QMI-SAI Global, come to your operation to:
· Review your OFFS Manual(s) and related records,
· Visit your facilities and interview the operator and staff,
· Assess your conformance to the CHC OFFS Audit Checklist.
Since the Audit Checklist covers all eight modules, multi-crop producers need only one audit. Once you pass the audit, you will be certified to the Program.

ISO 27002

ISO 27002 (formerly numbered ISO 17799) is derived from BS 7799 Part 1, which it superseded.
ISO 27002 is the 'Code of Practice for Information Security Management' and is a management guide to the implementation of adequate security in an organisation.
It is a catalogue of controls organised under eleven clauses, with explanation and further guidance on each. It advises the implementer on how and why the controls are implemented and gives some guidance on how they should be implemented.
ISO 27002 does not establish the 'need' for security (that comes from the risk assessment) but provides a 'shopping list' of components that can be selected.

The Excellence Model

This is a standard of excellent organisational performance and a highly structured scheme whereby any organisation can measure how its operational performance compares with the best around. It is both a national and international standard of organisational excellence with a range of award categories.
Carshaw can help organisations large and small to assess their scores in three different ways:
a) by pro forma scoring, individually or in groups
b) by team activity scoring using a card system
c) by questionnaire completion, individually or in groups
The scores for each of the 9 sections of the model can then be related to the critical success factors of the organisation and a detailed improvement action plan can be derived. Spin-off benefits of working through self-assessment include a clearer understanding of the purpose and goals of the organisation, plus better teamwork, greater commitment and improved levels of communication.

Benefits to Your Business

In the modern business environment, all of your employees have some level of access to your business-critical information, and so all employees should be involved in protecting it. You will learn about:
· The business objectives of information security management
· International best practice in information security management
· Application of security controls to manage risks to your information
· The Plan-Do-Check-Act process model for maintaining security
· The difference between compliance and certification
· The future direction of international standards for information security

The five step approach to the compliance audit is explained below

Scope and Plan
  • The identification of scope for Compliance Audit
  • Project planning, resourcing and scheduling

Information Gathering

  • Understand the standards or best practices with which the organization is expected to comply
  • Understand the organizational processes, configurations and supporting documents

Audit

  • Prepare compliance review sheets/checklists
  • Review the existing and implemented processes and standards against the established standard
  • Understand the deviations (gaps) from the standard, impact and scope for improvements
  • Evidence on compliance to standards or best practices

Documentation

  • Documentation of information assessed and evidence where required
  • Provide current state analysis report on compliance
  • Provide recommendations to close the gaps and non-conformities

Improvement

  • Assist in the corrective action on closing the gaps
  • Guide in amending the existing processes to achieve the business and organization goals

The 11 areas of audit focus are:

  • Corporate Security Management Objectives
  • Systems Development and Maintenance Objectives
  • Information Access Control Management Objectives
  • Compliance Management Objectives
  • Human Resource Security Management Objectives
  • Information Security Incident Management Objectives
  • Communications and Operations Management Objectives
  • Organizational Asset Management Objectives
  • Physical and Environmental Security Management Objectives
  • Security Policy Management Objectives
  • Disaster Recovery Plan and Business Continuity Objectives

Top 5 Facts about the ISO 27001 Standard

Here are some important facts about the ISO 27001 standard which concerned businesses should take note of if they want to remain competitive.
1. ISO 27001, officially published in 2005, is only the first of the ISO 27000 series but it is by far the most significant, since it is the standard that defines the requirements for the management system.
2. ISO 27001 has been harmonized so that it complements and is compatible with ISO 17799 (also known as ISO 27002), ISO 14000 and ISO 9000. Each of them, however, has its own function.
3. Organizations that already comply with the provisions of ISO 27002 are well placed to seek certification, but note that there is no certification against ISO 27002 itself: certification is granted only against ISO 27001, whose Annex A controls are drawn from ISO 27002. Those seeking ISO 27001 certification should contact one of the accredited certification bodies.
4. ISO 27001 is the first of a series, and organizations can expect a long list from the ISO 27000 series, including the following:
· ISO 27003, which contains the new guide to the implementation of the ISMS
· ISO 27004, which contains the new standard for the measurement of information security, including metrics
· ISO 27005, which contains the suggested standard for managing information security risks
· ISO 27006, which contains the requirements to be followed by bodies providing audit and certification of an ISMS
· ISO 27007, which contains the guidelines to be followed in auditing information security management systems
· ISO 27799, which contains the guidelines to be followed by the health sector when applying ISO 27002
5. ISO 27001 has been translated and published in different languages, but the information contained in all the versions should be the same as in the original version.

How Does Your Organization Measure Up to ISO 27001?

In a testament to the growing momentum behind ISO 27001, Microsoft Global Foundation Services has chosen to align its information security program with the international standard’s rigorous requirements. As the first major online service provider to earn ISO/IEC 27001:2005 certification, Microsoft has achieved external validation that its approach to managing security risk in a global organization is both comprehensive and effective.
As ISO 27001 continues to demonstrate its value, more and more leading corporations like Microsoft are choosing the international standard as the foundation for their information security programs. ISO 27001 certification not only helps ensure effective security management practices, but also streamlines compliance with multiple regulations by providing one defensible standard of care. In fact, a 2007 survey revealed that 65 percent of organizations complying with PCI were planning to take a more holistic, standards-based approach to compliance by standardizing on ISO 27001.

Being Audited to ISO 27001

Once all the requirements of ISO 27001 have been met, you can apply for an external audit. This should be carried out by a third party, accredited certification body. In the UK, the body should be accredited by UKAS (look for the 'crown and tick' logo).
The chosen certification body will firstly review relevant documentation. This should include the declared policy, scope of the ISMS, documents covering the risk assessment, risk treatment plan, Statement of Applicability and documented security procedures. The auditors will also be checking that you have identified and implemented the controls that are appropriate to your size and type of business. This process is normally carried out at your premises, being more beneficial to both parties.
This is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept. After a successful audit, a certificate of registration to ISO 27001 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work.

What Is the Difference?

Both the ISO 17799 and 27001 standards were derived from multiple iterations of the originating British Standards Institution (BSI) standard BS 7799. Originally this standard consisted of two parts. Part one was first adopted as ISO 17799. Part two was later adopted in 2005 as ISO 27001. The ISO 17799 standard will be renumbered under the ISO 27000 series of standards as ISO 27002 sometime in 2007 or 2008.
ISO 17799 is a code of practice. In essence, it is a set of guidelines that an organization may use in developing an information security management system. These guidelines have been developed over many years and have gone through many revisions. The guidelines are internationally accepted as one of the industry de facto best practice baselines. There is no certification for ISO 17799 as it is a set of guidelines that can be used to help ensure the compliance and successful implementation of the ISO 27001 specifications.

All-round Protection

ISO/IEC certification at T-Systems extends in detail to:
  • Security strategy: management sets the course
  • Security organization: an infrastructure is in place to ensure information security
  • Asset inventory and classification: the classification, labelling and handling of information are specified
  • Personnel security: job descriptions, user training, behaviour in the event of security-relevant incidents
  • Physical and environmental security: equipment, zones, measures
  • Communications and operations management: procedures and responsibilities, system planning and acceptance, protection from malware, network management, etc.


ISO 17799 compared to ISO 27001

ISO 17799 derives from Part 1 of BS 7799 and is the ISO code of best practice for information security management. It provides practical guidance on implementing the security controls that an organization selects on the basis of its ISO 27001 risk assessment. ISO 17799 will be renumbered to ISO/IEC 27002 in the course of 2007.
ISO 27001 derives from Part 2 of BS 7799 and is the standard against which certification is granted; it sets the requirements that an organization must fulfil in order to establish, operate and improve an information security management system, including a risk assessment. The PTA ISO 27001:27005 library is a full implementation of the ISO 27001 compliance checklist. If you find that ISO 17799 is more relevant to your practice, please contact us and we may consider developing a PTA library for this standard as well.

Why Excel is a bad choice for a security audit

Excel is easy to use, but you can lose or corrupt your data pretty easily. Standards such as ISO 27001 or PCI DSS 1.1 present their controls as a one-dimensional hierarchy, and that fits a spreadsheet. You get into big trouble once you try to link controls to vulnerabilities, assets and threats: each control treats several risks and each risk needs several controls, so the model becomes many-to-many and multi-dimensional. That is where a spreadsheet breaks down quickly, because nothing stops a row being deleted or renamed while other sheets still refer to it, and you lose data integrity.
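As an added example of the many-to-many model the paragraph describes (this is illustrative code, not part of the original page or of any product it mentions), the following Python script keeps a small risk register in SQLite with foreign keys enforced. The assets, threats, likelihood/impact scores and the choice of which control treats which risk are all constructed for illustration; the control identifiers follow the ISO/IEC 27001:2005 Annex A numbering, but the assignments are hypothetical. It shows the two things a spreadsheet cannot guarantee: a risk cannot reference a control that does not exist, a control in use cannot be deleted, and the untreated risks can be listed with one query.

```python
"""Relational risk register: assets x threats -> risks, risks <-> controls.

Added example, not from the original page. Uses only the standard library.
Sample data below is constructed; control ids use ISO/IEC 27001:2005 Annex A
numbering, but which control treats which risk is a hypothetical choice.
"""
import sqlite3

SCHEMA = """
CREATE TABLE asset   (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, owner TEXT NOT NULL);
CREATE TABLE threat  (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE control (id TEXT PRIMARY KEY, title TEXT NOT NULL);
-- one risk is one (asset, threat) pair with its assessed likelihood and impact (1..5)
CREATE TABLE risk (
    id         INTEGER PRIMARY KEY,
    asset_id   INTEGER NOT NULL REFERENCES asset(id),
    threat_id  INTEGER NOT NULL REFERENCES threat(id),
    likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 5),
    impact     INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 5),
    UNIQUE (asset_id, threat_id)
);
-- many-to-many: a control may treat several risks, a risk may need several controls
CREATE TABLE treatment (
    risk_id    INTEGER NOT NULL REFERENCES risk(id) ON DELETE CASCADE,
    control_id TEXT    NOT NULL REFERENCES control(id),
    PRIMARY KEY (risk_id, control_id)
);
"""

# Constructed sample data (hypothetical organisation).
ASSETS = [(1, "Customer database", "Sales Director"),
          (2, "Payroll file server", "HR Director"),
          (3, "Corporate web site", "Marketing Manager")]
THREATS = [(1, "Unauthorised access"), (2, "Malware infection"), (3, "Loss of power")]
CONTROLS = [("A.5.1.1", "Information security policy document"),
            ("A.9.2.2", "Supporting utilities"),
            ("A.10.4.1", "Controls against malicious code"),
            ("A.11.2.1", "User registration")]
# (risk id, asset id, threat id, likelihood, impact)
RISKS = [(1, 1, 1, 4, 5), (2, 1, 2, 3, 4), (3, 2, 2, 3, 3), (4, 3, 3, 2, 2), (5, 2, 1, 2, 5)]
# Risks 3 and 5 deliberately have no treating control yet.
TREATMENTS = [(1, "A.11.2.1"), (2, "A.10.4.1"), (4, "A.9.2.2")]


def build_register():
    """Create an in-memory register with foreign keys enforced and load the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # off by default in SQLite; must be set per connection
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO asset VALUES (?, ?, ?)", ASSETS)
    conn.executemany("INSERT INTO threat VALUES (?, ?)", THREATS)
    conn.executemany("INSERT INTO control VALUES (?, ?)", CONTROLS)
    conn.executemany("INSERT INTO risk VALUES (?, ?, ?, ?, ?)", RISKS)
    conn.executemany("INSERT INTO treatment VALUES (?, ?)", TREATMENTS)
    conn.commit()
    return conn


def untreated_risks(conn):
    """(asset, threat, score) for every risk with no control in the treatment table, highest score first."""
    return conn.execute("""
        SELECT a.name, t.name, r.likelihood * r.impact AS score
        FROM risk r
        JOIN asset a ON a.id = r.asset_id
        JOIN threat t ON t.id = r.threat_id
        WHERE NOT EXISTS (SELECT 1 FROM treatment tr WHERE tr.risk_id = r.id)
        ORDER BY score DESC, a.name, t.name
    """).fetchall()


def statement_of_applicability(conn):
    """Map each control id to the 'asset / threat' risks it treats; an empty list means
    the control has no risk-based justification yet and needs one or an exclusion."""
    soa = {}
    rows = conn.execute("""
        SELECT c.id, a.name, t.name
        FROM control c
        LEFT JOIN treatment tr ON tr.control_id = c.id
        LEFT JOIN risk r ON r.id = tr.risk_id
        LEFT JOIN asset a ON a.id = r.asset_id
        LEFT JOIN threat t ON t.id = r.threat_id
        ORDER BY c.id, a.name, t.name
    """)
    for control_id, asset, threat in rows:
        soa.setdefault(control_id, [])
        if asset is not None:
            soa[control_id].append(f"{asset} / {threat}")
    return soa


def dangling_reference_rejected(conn, risk_id=1, control_id="A.99.9.9"):
    """True if the database refuses to link a risk to a control id that does not exist."""
    try:
        conn.execute("INSERT INTO treatment VALUES (?, ?)", (risk_id, control_id))
    except sqlite3.IntegrityError:
        return True
    return False


def control_deletion_blocked(conn, control_id):
    """True if deleting the control is refused because a risk still depends on it."""
    try:
        conn.execute("DELETE FROM control WHERE id = ?", (control_id,))
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    register = build_register()
    for asset, threat, score in untreated_risks(register):
        print(f"UNTREATED score={score:2d}  {asset} / {threat}")
    for control_id, risks in statement_of_applicability(register).items():
        print(f"{control_id:9s} treats {risks or 'nothing (justify or exclude)'}")
```

The register is deliberately tiny so the queries are readable, but the same schema scales to a full Annex A mapping. The two integrity checks at the end are the behaviour the paragraph says Excel lacks: with `PRAGMA foreign_keys = ON` the database itself rejects a treatment that names an unknown control and refuses to delete a control that a risk still relies on.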

Achieving ISO 27001 Certification

The program empowers you to successfully certify your organization against ISO 27001 through a robust security system. Mere compliance with a framework does not by itself mean reduced risk for the organization. To deliver the full advantage of the management system, techniques and tools at drill-down level need to be deployed to ensure complete and effective risk management.
ISO 27001 provides a blueprint for an information security management system (ISMS) based on a risk management approach, to establish, implement, operate, monitor, maintain and improve information security. Certification is also an accepted way of providing assurance that the organization has implemented a management system which meets the requirements specified in the ISO 27001 standard.

Could your organisation cope with a major information security incident?

Would it be your responsibility? Customers in all sectors are increasingly concerned about the security of business and personal information and perhaps they have good reason to with 66 per cent of UK businesses expecting more security incidents in the next year than in the last and 60 per cent expecting security breaches to be harder to detect in the future.*
The number of reported incidents suffered by affected businesses also rose by 50 per cent and the average costs associated with each security incident rose by 20 per cent. What would be the consequences of an expensive information security incident in your organisation?*
As a Quality Manager, it is your responsibility to implement and maintain your organisation's Quality Management System, and to achieve and maintain compliance with ISO 9001. For businesses competing in a global marketplace, customer satisfaction, loyalty and retention are increasingly important in achieving and maintaining competitive advantage.

M I G awarded ISO 27001

ISO Certifications awarded to M I G Investments for meeting quality and security standards
M I G Investments has been awarded the ISO 9001:2000 certification in recognition of its standardized Quality Management best practices, and the ISO 27001:2005 certification for standardized Information Security techniques. The move comes as M I G Investments leverages its international expertise as a major Swiss online FX broker by bringing customers quality services, innovation, technology and high security standards.

Excellent flow chart on the ISO 27002 certification process.

I would warmly recommend a tool for ISO 27001 automation that uses PTA - Practical Threat Analysis. What these folks have done is to write a generic library for performing an ISO 27001 assessment using the PTA Professional freeware. The framework is all there and you can build a real-life threat model in about 15 minutes by adding your own threats and assets. The part I like about PTA is the optimized risk mitigation plan that recommends the most effective controls.

Who originally wrote the security standard?

Originally a BSI/DISC committee, which included representatives from a wide section of industry and commerce. It was subsequently reviewed by an ISO (International Organization for Standardization) committee and ultimately emerged through the ISO publication process.

HIGH LEVEL POLICY FOR IT SYSTEM ACQUISITION

Procurement procedures in respect of the purchase, lease or rental of all technology based products and services need to be developed. Internal control procedures covering these processes are to be developed and approved incorporating these requirements and providing the means to verify that these procurement control policies are being complied with on an ongoing basis.

The advantages of an external audit are:

1) A fresh approach and an independent, third-party perspective on the ISMS
2) External auditors generally have more experience than internal auditors, unless the company is large and has a high-quality internal audit team of its own
3) Absence of prejudice, whereas an internal audit team could be influenced by it

International Organization for Standardization / International Electrotechnical Commission 27001

  • Establishes requirements for an organization´s Information Security Management System (ISMS)
  • Determines documentation requirements and management responsibility
  • Requires internal audits and managerial review of the ISMS
  • Demands ISMS improvement
  • Provides controls and control objectives derived from best practices in ISO/IEC 27002

Why Appin Recommends ISO 27001 As the Benchmark for ISMS

ISO 27001 is a globally acknowledged standard defining the requirements for an Information Security Management System (ISMS). It treats information security as a combination of people, process and technology. The standard is comprehensive and widely adopted, and it integrates easily with other standards of the ISO family, particularly ISO 9001; ISO 20000, the IT service management standard, can also be plugged in. In this way ISO 27001 enables companies to measure the risk to their information and to select adequate and proportionate security controls that protect information assets, enhancing the confidence of the organization's stakeholders. At the same time ISO 27001 streamlines business processes and facilitates implementing other standards.

What can you expect?

  • Structured emergency management that safeguards the availability of the systems supporting critical business processes.
  • Demonstrable security towards third parties through conformity with an internationally recognised standard.
  • Knowledge and control of IT risks, including the residual risks that remain after controls are applied.
  • Transparent processes and streamlined structures as the basis for lasting cost and performance improvement.
  • Within the scope of the annual financial audit, ISO 27001 certification can serve the external auditor as evidence that the company's IT operations are properly controlled.

What are the critical success factors?

Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:
  • a security policy, objectives and activities that reflect business objectives;
  • an approach to implementing security that is consistent with the organizational culture;
  • visible support and commitment from management;
  • a good understanding of the security requirements, risk assessment and risk management;
  • effective marketing of security to all managers and employees;
  • distribution of guidance on information security policy and standards to all employees and contractors;
  • appropriate training and education.

ISO27001 and ISO17799 identify 10 key areas of control:

  • Security policy – to provide management direction and support for information security.
  • Organisational security (organisation of assets and resources) – to help you manage information security within the organisation.
  • Asset classification and control – to help you identify and protect your assets.
  • Personnel security – to reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security – to prevent unauthorized access, damage and interference with business premises and information.
  • Communications and operations management – to ensure the correct and secure operation of information processing facilities.
  • Access control – to control access to information.
  • Systems development and maintenance – to ensure that security is built into information systems.
  • Business continuity management – to counteract interruptions to business activities and protect critical processes from the effects of major failures or disasters.
  • Compliance – to avoid breaches of criminal or civil law, statutory, regulatory or contractual obligations, and of any security requirement.

How can you protect against risks to your information security?

The most effective way to manage risks to information security is to implement an Information Security Management System in line with best practice, and the recognised standard for best practice is ISO 27001 (originally BS 7799).
To demonstrate that it is meeting best practice, a company needs to have its achievement independently validated; this process is called certification.

Tested and Standardized Security

Aims Management Consultants, a German certification body for management systems, has certified T-Systems in accordance with the international ISO/IEC 27001:2005 standard. It thereby certifies that the information security management system (ISMS) for the development, provision and operation of ICT solutions for business customers in Austria, Brazil, Germany, Italy, Spain and Switzerland complies in full with the standard's requirements. Certification of further country companies is to follow.
The ISO/IEC 27001 standard (Information technology – Security techniques – Information security management systems – Requirements), developed by independent experts, specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS in the context of the organization's overall business risks. Besides companies, government and non-profit organizations also obtain ISO/IEC 27001 certification so that their customers and partners can be confident their data is protected.

Business continuity management

Our Business Continuity Management services are based on BS 25999. We help you evaluate your information assets and their criticality levels in order to determine strategies that minimise loss of productivity through optimum use of resources. The objectives of the Business Continuity Management service are:
  • Minimize disruption to business functions and to external parties
  • Provide roadmap for disaster recovery operations
  • Ensure timely resumption of normal business at earliest possible time
  • Limit impact of disruption on company's mission and reputation
  • Limit financial losses

What is it like being a records management consultant?

The twenty-first century records manager has an internal consultancy role within their organisation (either alongside, or instead of, a more traditional service delivery role).
Consultancy is one of a set of key skills and competencies (including influencing, presentation and change management) that, once you feel confident in them, enable you to use the valuable records management knowledge you possess in the service of your organisation, or of the organisation you are working for.
Like many valuable arts, consultancy has some simple rules that are easy to learn but would take more than a lifetime to master. And like any other art form, these rules can be expressed in many different ways.

THE ESSENTIAL STARTER KIT

The ISO 27000 Toolkit will get you off to an excellent start in understanding the two core ISO 27000 standards (ISO 27001 and ISO 27002) and addressing the key issues. The support resources and materials included in the kit should prove useful for many years to come.
All the items in the kit have been designed and created to support ISO 27001 and ISO 27002 compliance initiatives. Indeed, their quality is such that some are sold stand-alone as independent security products. Purchasing them within the toolkit, however, delivers significant savings.

Why would you choose the certification offered by AIMS MANAGEMENT CONSULTANTS?

1. We have over 10 years of experience in certification activity.
2. Our offer includes a large range of services, including courses for your employees.
3. We can offer you the services of a team of specialists in the ISMS domain.
4. Our clients (most of them well-known companies in the IT&C domain) continue to recommend us to other organizations.
5. You could become one of the 2500 clients satisfied with our services.
6. We can also perform combined (integrated) certifications if you are already certified for another management system (quality, environmental, etc.), so that your organization ends up with a single integrated management system rather than several parallel ones.

Which ISO27002 controls are most important?

That largely depends upon the individual organization. However, ISO27002 does give some guidance, in the form of "legislative essentials" and "common best practice", in the standard's "starting point" section. These are:
- intellectual property rights
- safeguarding of organizational records
- data protection and privacy of personal information
- information security policy document
- allocation of information security responsibilities
- information security education and training
- reporting security incidents

User Group given opportunity to feed into revision of ISO27002

Members of the UK ISO27001 User Group were given the opportunity to contribute to the revision of ISO27002, the Code of Practice for Information Security Management, at a workshop on 5 August 2008.
Those who attended considered proposed changes to the Standard and, working in small facilitated groups, developed papers that will be considered by the technical committees responsible for the revision of ISO27002.

Benefit and usefulness to you

  • Services delivered with competence and rigour at the highest level, grounded in everyday practice and tailored to the actual protection needs of your organisation
  • Fulfilment of the requirements of a state-of-the-art management framework for information security
  • Systematic identification, assessment and evaluation of information security risks through risk assessments
  • Integration of information risk management into the company's existing structures and processes (e.g. enterprise-wide risk management)
  • Security measures that are always proportionate (i.e. that can also be justified from a financial point of view)

ISO 27000 Related Definitions and Terms

In this edition of the ISO 27000 Newsletter we look at further definitions and terms related to ISO 27001 and ISO 27002 that commence with the letter “I”.
Identity Hacking: posting on the Internet or bulletin boards anonymously, pseudonymously, or under a completely false name, address or telephone number with intent to deceive. This is a controversial activity, generating much discussion among those who maintain the net sites. There are two cases in which problems can be caused for organizations:
  • a member of staff engages in such practices and is 'found out' by net users, thereby associating the organization's name with the activity;
  • a posting by an unrelated third party pretends to be the organization or one of its representatives.
In either case, if such posts are abusive or otherwise intended to stir up an argument, a possible result is a flame attack or mail bombing.

ISO 27001 / 27002 Newsletter

Welcome to the latest issue of the ISO 27001 / 27002 newsletter, intended to provide news and updates regarding the information security standards.
Included in this issue are the following topics:
1) Security Risk Management
2) ISMS Based Document Controls via ISO/IEC 27001
3) Trials and tribulations of a Part-time Information Security Officer
4) Information Security News
5) Information Security Within Your Business Continuity Process
6) ISO 27001 / 2: Common Mistakes Part 3
7) ISO 27000 Related Definitions and Terms
8) Protecting Against Malicious Code Attacks

27000 series of standards

In addition to the development of ISO/IEC 27001, ISO/IEC JTC1 SC 27 is working on several other standards that will all be included in the 27000 series, by analogy with the other management system standard families such as ISO 9000. The standards in the 27000 series are:
· ISO/IEC 27000: Information security management system fundamentals and vocabulary
· ISO/IEC 27001: Information security management system - Requirements
· ISO/IEC 27002: Code of practice for Information Security Management
· ISO/IEC 27003: Information security management system implementation guidance
· ISO/IEC 27004: Information security management measurement
· ISO/IEC 27005: Information security risk management
· ISO/IEC 27006: Requirements for bodies providing audit and certification of information security management systems

ISO 27001:2005 Implementation Assistance

Objectives: During this engagement our consultants help your company implement an Information Security Management System compliant with the ISO 27001 standard. Is this engagement appropriate to your needs? It is if you want to show your stakeholders (strategic partners, customers, shareholders, regulators…) evidence that you are applying security best practice. Deliverables: at the end of the engagement your company is operating an ISO 27001 compliant ISMS. Our consultants also provide an Excel tool for evaluating your compliance level on a day-to-day basis.

Saturday, January 24, 2009

ISO/IEC 27001:2005 is broken into the following sections:

• Introduction
• Scope
• Normative References
• Terms and Definitions
• Information Security Management System
• Management Responsibility
• Internal ISMS Audits
• Management Review of the ISMS
• ISMS Improvement
• Annex A: Control Objectives and Controls

1 day awareness course for ISO 27001

This seminar, run in association with BSI Business Information, introduces delegates to the features and benefits of adopting the ISO/IEC 27000 standards (including ISO/IEC 17799).
The International Standard ISO/IEC 17799:2005 (since renumbered as ISO/IEC 27002) is the code of practice for information security management. It provides a comprehensive set of control guidelines to support an effective information security management system (ISMS).
It is essential guidance for managing an effective information security policy, and offers a common basis for an organization to develop, implement and measure effective security management practice.

ISO27002 SECTION 14: BCP REVIEW

Business continuity planning is covered by section 14 of the 27002 standard, a core requirement of which is the creation and maintenance of a business continuity plan.
Creating such a plan from scratch is of course a difficult undertaking, which is one reason software products were produced for it. Unfortunately these often become problematic in themselves: difficult to learn, expensive, and so on.
Recent times have therefore seen a move towards simplification, with organizations keen to avoid adding complexity to an already complex task. At the vanguard of this change was a product developed entirely in MS Word: the BCP Generator.
It was designed from the top down to simplify business continuity planning. It comprises two components: a plan template and an interactive guide (the latter using Word macros to jump to and from the correct part of the template). Its impact on the business continuity scene has been substantial, with organizations from the very largest to the smallest adopting the tool and its concepts. It is in active use in over 40 countries.

ISO/IEC 27001

IT security standard now also available in German. Until now, the central standard for information security management systems (ISMS), ISO/IEC 27001:2005, had been available only in English. It is now also available as a German draft under the number DIN ISO/IEC 27001:2007-02. The standard defines the requirements for implementing, monitoring and maintaining a documented ISMS, against which an organization can be certified. Its key element is comprehensive risk management. The standard also specifies the systematic structure of a management system built on a process approach, and lays the groundwork for an integrated system: ISO 27001 is structured similarly to ISO 9001 and ISO 14001.