Monday, February 16, 2009

Scope of ISO/IEC 27002

Like governance, information security is a broad topic with ramifications in all parts of the modern organization. Information security, and hence ISO/IEC 27002, is relevant to all types of organization, including commercial enterprises of all sizes (from one-man bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies: in fact, any organization that handles and depends on information. The specific information security requirements may differ in each case, but the point of ISO/IEC 27002 is that there is a lot of common ground.
The standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security per se. The IT Department is merely the custodian of a good proportion of the organization's information assets and is charged with securing them by the information asset owners, the business managers who are accountable for the assets. A large proportion of written and intangible information (e.g. the knowledge and experience of workers) has nothing to do with IT.
