Mar 04 2019

Probably the best-selling ISO27001 Toolkit in the world

Category: ISO 27k | DISC @ 2:11 pm

IT Governance Ltd, the world’s one-stop shop for ISO27001 information, books, toolkits, training and consultancy for ISO27001 Information Security Management, has now sold 1,034 copies of its ISO27001 ISMS Documentation Toolkit.

“We estimate that between 5% and 10% of all ISO27001-certified organisations worldwide have drawn on the comprehensive, best practice templates contained in our ISO27001 Toolkit,” commented Alan Calder, CEO of IT Governance.

  • The ISO27001 Documentation Toolkit
  • ISO 27001 Implementation



    Mar 03 2019

    ISO27002 2013 ISMS Controls Gap Analysis Tool (Download)

Category: ISO 27k | DISC @ 10:28 pm

    ISO27002: 2013 compliant! This tool has a very specific, high-level purpose in any ISMS project, which is to quickly and clearly identify the controls and control areas in which an organization does not conform to the requirements of the standard.

    Use this self-assessment tool to quickly and clearly identify the extent to which your organization has implemented the controls and addressed the control objectives in ISO 27002.

    Special offer: Get two gap analysis tools for the price of one!

    Complete your gap analysis with the ISO 27002:2013 ISMS Controls Gap Analysis Tool.

    Buy the ISO 27001:2013 ISMS Gap Analysis Tool and get this tool for free!

    Use the following code at the checkout when you buy the ISO 27001:2013 ISMS Gap Analysis Tool and the ISO 27002:2013 ISMS Controls Gap Analysis Tool will automatically be added to your shopping cart: B1G1GAP*



    Feb 05 2019

    ISO 27001 ISMS Documentation Toolkit Bolt-on

Category: ISO 27k | DISC @ 8:37 am

Combine with the ISO 9001:2015 QMS Documentation Toolkit and/or the ISO 14001:2015 EMS Documentation Toolkit to create an ISO 27001-compliant integrated management system (IMS).

  • ISO 27001 ISMS Documentation Toolkit Bolt-on



    Tags: EMS, IMS, isms, ISO27001, QMS


    Sep 16 2018

    Download ISO27k standards

Category: ISO 27k | DISC @ 7:23 pm


    Download ISO27000 family of information security standards today!

    • ISO27001 2013 ISMS Requirement (Download now)

    • ISO27002 2013 Code of Practice for ISM (Download now)

    ISO 27001 Do It Yourself Package (Download)


ISO 27001 Training Courses – Browse the ISO 27001 training courses


    Tags: ISO 27001 2013, ISO 27001 2013 Toolkit


    Aug 23 2018

Nine Steps to Successful Implementation

Category: ISO 27k | DISC @ 1:32 pm

    Achieving and maintaining accredited certification to ISO 27001 can be complicated, especially for those who are new to the Standard.

    Aligned with the latest iteration of ISO 27001:2013, the North American edition of Nine Steps to Success – An ISO 27001 Implementation Overview is ideal for anyone tackling ISO 27001 for the first time.

    In nine critical steps, the guide covers each element of the ISO 27001 project in simple, non-technical language.

    Get step-by-step guidance on successful ISO 27001 implementation from an industry leader.

Nine Steps to Success: An ISO 27001 Implementation Overview, North American edition

This must-have guide from ISO 27001 expert Alan Calder helps you get to grips with the requirements of the Standard and make your ISO 27001 implementation project a success:

• Details the key steps of an ISO 27001 project from inception to certification
• Explains each element of the ISO 27001 project in simple, non-technical language
• An ideal guide for anyone tackling ISO 27001 implementation for the first time



    Feb 11 2018

    Pinpoint your current cyber security gaps

Category: ISO 27k | DISC @ 9:07 pm

    A comprehensive information security management system (as defined by the requirements contained in ISO 27001) details the steps required for the effective management of information security (and cyber security) risks.

    An ISO 27001 gap analysis is a sensible starting point for assessing the gaps in your information security regime.

    Even if you aren’t considering certification to ISO 27001, an in-person gap analysis against the requirements of a leading information security standard offers the following benefits:


    • A high-level review of the efficacy of your policies, procedures, processes and controls
    • Interviews with key managers
    • Assistance defining the scope of a proposed information security management system (ISMS)
    • A detailed compliance status report against the clauses and controls described in ISO 27001


    Description

    Our ISO27001 Gap Analysis will provide you with an informed assessment of:

    • Your compliance gaps against ISO 27001
    • The proposed scope of your information security management system (ISMS)
    • Your internal resource requirements; and
    • The potential timeline to achieve certification readiness.


    What to expect:

    An ISO 27001 specialist will interview key managers and perform an analysis of your existing information security arrangements and documentation.

    Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.


    The report includes:

    • The overall state and maturity of your information security arrangements
    • The specific gaps between these arrangements and the requirements of ISO 27001
    • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives
    • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS; and
    • A compliance status report (red/amber/green) against the management system clauses (clause-by-clause), as well as the information security controls (control-by-control) described in ISO 27001:2013.


    Please contact us for further information or to speak to an infosec expert.


    Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment


    Nov 08 2017

    How ISO 27001 can help to achieve GDPR compliance

Category: GDPR, ISO 27k | DISC @ 2:44 pm

    By Julia Dutton

    Organizations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR).

    Those who have studied the Regulation will be aware that there are many references to certification schemes, seals and marks. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organisation is actively managing its data security in line with international best practice.

    Managing people, processes and technology

    ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology.  By implementing measures to protect information using this three-pronged approach, the company is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.

    By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and which is constantly monitored, updated and reviewed.  Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes – both in the environment and inside the organisation – to continually identify and reduce risks.

    What does the GDPR say?

    The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

    Let’s look at these items separately:

    Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks.  ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks.  Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to adequately protect them.

    One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information.  Not only is confidentiality important, but the integrity and availability of such data is critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.

    Risk assessment

ISO 27001 requires organisations to conduct a thorough information security risk assessment that identifies the risks to the confidentiality, integrity and availability (CIA) of their information assets, and to treat those risks accordingly; most organisations do this by identifying the threats and vulnerabilities that affect each asset. The GDPR likewise requires a risk assessment to ensure that an organisation has identified the risks that can impact personal data.

    Business continuity

    ISO 27001 addresses the importance of business continuity management, whereby it provides a set of controls that will assist the organisation to protect the availability of information in case of an incident and protect critical business processes from the effects of major disasters to ensure their timely resumption.

    Testing and assessments

    Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.

    The requirements to achieve compliance with ISO 27001 of course do not stop there.  Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support.  ISO 27001 has already been adopted by thousands of organisations globally, and, given the current rate and severity of data breaches, it is also one of the fastest growing management system standards today.

    Related articles:

    Read more about ISO 27001 and the GDPR >>>>
    GDPR Documentation Toolkit and gap assessment tool >>>>
    Understanding the GDPR: General Data Protection Regulation >>>>




    Oct 25 2017

    Conducting an asset-based risk assessment in ISO 27001:2013

Category: ISO 27k, Risk Assessment | DISC @ 11:14 am

    Conducting an asset-based risk assessment in ISO 27001:2013 – Vigilant Software

ISO 27001 is heavily focused on risk-based planning, so that identified information security risks are managed in proportion to the threats that give rise to them. While asset-based risk assessments are still widely regarded as best practice and present a robust methodology, they are no longer a requirement under ISO 27001:2013, which leaves the organisation to choose a suitable risk assessment methodology, for example one based on ISO 27005 or ISO/IEC 31010.

    It is commonly believed that an asset-based information security risk assessment provides a thorough and comprehensive approach to conducting a risk assessment, and this article will look at the steps to follow when conducting this type of risk assessment.

    Where do you start when you embark on an asset-based information security risk assessment?

    The first step would be to produce an asset register, which can be done through a series of interviews with asset owners. The ‘asset owner’ is an individual or entity that has responsibility for controlling the production, development, maintenance, use and security of an information asset.

    Note: In the new standard, ISO 27001:2013, there is a stronger emphasis on the role of the ‘risk owner’, which pushes up the responsibility for the risks to a higher level within the organisation. However, since the approach we are following is an asset-based methodology, the asset owner would be the logical point to start in order to compile an asset register.

Once the asset register has been compiled, the next step is to identify any potential threats and vulnerabilities that could pose risks to those assets. A vulnerability is a weakness of an asset or control that can be exploited by one or more threats.

    Risk assessment & impact determination

Once the threats and vulnerabilities have been identified, an analysis of the risks should be undertaken to establish the impact level of each risk and, combined with the likelihood of the risk materialising, its overall risk level. The impact value needs to take into consideration how the Confidentiality, Integrity and Availability of data can be affected by each of the risks.

    It should also consider the business, legal, contractual and regulatory implications of risks, including the cost of the replacement of the asset, the potential loss of income, fines and reputational damage.

    ISO 27005 presents a structured, systematic and rigorous process of analysing risks, and for creating the risk treatment plan, and includes a list of known threats and vulnerabilities that can be used for establishing the risks your information assets are exposed to.
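The procedure above (asset register with owners, threat/vulnerability scenarios per asset, impact on C/I/A plus business consequences, and a risk level compared against acceptance criteria) is shown below as an added worked example. It is not code from the original post or from Vigilant Software; the 1-to-5 scales, the impact-times-likelihood scoring, the acceptance threshold of 9 and the sample assets and scenarios are all constructed assumptions for illustration.

```python
"""Worked asset-based information security risk assessment (ISO 27005 style).

Added example; all scales, thresholds and sample data below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

CIA = ("C", "I", "A")


@dataclass
class Asset:
    name: str
    owner: str                 # asset owner interviewed when compiling the register
    impact: Dict[str, int]     # loss-of-C/I/A impact on a 1..5 scale (assumed scale)
    business_impact: int = 1   # replacement cost, lost income, fines, reputation, 1..5


@dataclass
class Scenario:
    asset: str
    threat: str
    vulnerability: str         # weakness the threat exploits
    likelihood: int            # 1..5 (assumed scale)
    affects: List[str]         # which of C/I/A the scenario compromises


@dataclass
class RiskEntry:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    level: int                 # impact * likelihood
    requires_treatment: bool   # level at or above the acceptance threshold


def _check_scale(value: int, what: str) -> None:
    """Reject scores outside the 1..5 scale rather than silently mis-scoring."""
    if not 1 <= value <= 5:
        raise ValueError(f"{what} must be 1..5, got {value}")


def impact_for(asset: Asset, affects: List[str]) -> int:
    """Impact is the worst affected C/I/A property, raised to the business
    impact (fines, lost income, replacement cost) where that is higher."""
    if not affects or set(affects) - set(CIA):
        raise ValueError(f"affects must name one or more of C/I/A, got {affects}")
    cia_loss = max(asset.impact[p] for p in affects)
    return max(cia_loss, asset.business_impact)


def assess(assets: List[Asset], scenarios: List[Scenario],
           acceptance_threshold: int = 9) -> List[RiskEntry]:
    """Build a risk register sorted from highest to lowest risk level."""
    for a in assets:
        for p in CIA:
            _check_scale(a.impact[p], f"{a.name} impact {p}")
        _check_scale(a.business_impact, f"{a.name} business impact")
    by_name = {a.name: a for a in assets}
    register = []
    for s in scenarios:
        _check_scale(s.likelihood, f"likelihood for {s.asset}/{s.threat}")
        a = by_name[s.asset]
        impact = impact_for(a, s.affects)
        level = impact * s.likelihood
        register.append(RiskEntry(a.name, a.owner, s.threat, s.vulnerability,
                                  impact, s.likelihood, level,
                                  level >= acceptance_threshold))
    return sorted(register, key=lambda r: r.level, reverse=True)


# Constructed sample register and scenarios (not real data).
SAMPLE_ASSETS = [
    Asset("Customer database", "Head of CRM", {"C": 5, "I": 4, "A": 3}, business_impact=4),
    Asset("Public website", "Marketing Manager", {"C": 1, "I": 3, "A": 4}, business_impact=2),
]

SAMPLE_SCENARIOS = [
    Scenario("Customer database", "External attacker", "Unpatched SQL injection", 3, ["C", "I"]),
    Scenario("Customer database", "Storage failure", "Backups never restore-tested", 2, ["A"]),
    Scenario("Public website", "Defacement", "Weak CMS admin password", 4, ["I"]),
    Scenario("Public website", "Volumetric DDoS", "No DDoS mitigation", 2, ["A"]),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_ASSETS, SAMPLE_SCENARIOS):
        flag = "TREAT" if r.requires_treatment else "accept"
        print(f"{r.level:>2} {flag:<6} {r.asset} / {r.threat} ({r.vulnerability}), owner: {r.owner}")
```

Running the script prints the register with the highest-scoring risks first and marks which ones exceed the acceptance criteria and therefore need a treatment decision (modify, retain, avoid or share). Using the larger of the C/I/A loss and the business impact is one simple way to honour the point above that legal, contractual and financial consequences count even when the technical loss looks modest.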

    vsRisk comes with an optional, pre-populated asset library.  Organisational roles are pre-assigned to each asset group, and the corresponding potential threats / risks are pre-applied to each asset. vsRisk also pre-assigns the relevant controls from Annex A to each threat. See sample below. View options to purchase vsRisk now.

    Sample risk assessment

    vsRisk™ provides key benefits for anyone undertaking an asset-based risk assessment.

    By providing a simple framework and process to follow, vsRisk minimises the manual hassle and complexity of carrying out an information security risk assessment, saving the risk assessor time and resources. In addition, once the assessment has been completed, the risk assessments can be repeated easily in a standard format year after year.  The tool generates a set of 6 reports that can be exported and edited,  presented to management and audit teams, and includes pre-populated databases of threats and vulnerabilities as well as 7 different control sets that can be applied to treat the risks.


    Tags: Risk Assessment


    Aug 28 2017

    ISO27001 Gap Analysis

Category: ISO 27k | DISC @ 10:41 pm

    A specialist, in-person review of your current information security posture against the requirements of ISO/IEC 27001:2013.

    Get the true picture of your ISO 27001 compliance gap, and receive expert advice on how to scope your project and establish your project resource requirements.

    What to expect:

    An ISO 27001 specialist will interview key stakeholders  and perform an analysis of your existing information security arrangements and documentation.

    Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

    The report includes:

    • The overall state and maturity of your information security arrangements
    • The specific gaps between these arrangements and the requirements of ISO 27001
    • ISO 27001 2013 requirements
    • ISO 27002 2013 controls, categories and domains
    • Compliance report by ISO 27001 requirements
    • Compliance report by control ISO 27002 2013
    • Compliance report by category ISO 27002 2013
    • Compliance report by domain ISO 27002 2013

The DISC gap assessment includes a three- or six-level maturity rating matrix (CMMI-style), at your choice, for each control, category and domain.

    Start your ISMS project with ISO27001 2013 Documentation Toolkit

    ISO/IEC 27001 2005 to 2013 Gap Analysis Tool (Download)

    Download ISO27000 family of information security standards today!

    • ISO27001 2013 ISMS Requirement (Download now)

    • ISO27002 2013 Code of Practice for ISM (Download now)

    Contact us for further information or visit DISC site for our ISO27k services


    Tags: ISO 27001 2013 Gap Assessment


    Aug 10 2017

    Security Management and Governance

Category: GRC, Information Security, ISO 27k | DISC @ 9:38 am

• The textbook for the Open University’s postgraduate information security course.
• The recommended textbook for all IBITGQ ISO 27001 courses.
• Available in softcover or eBook format.



    Description

    Fully updated expert information security management and governance guidance based on the international standard for information security management, ISO 27001.

    As global threats to information security increase in frequency and severity, and organisations of all sizes, types and sectors face increased exposure to fast-evolving cyber threats, there has never been a greater need for robust information security management systems.

    Now in its sixth edition, the bestselling IT Governance: An International Guide to Data Security and ISO27001/ISO27002 provides best-practice guidance for technical and non-technical managers looking to enhance their information security management systems and protect themselves against information security threats.

    This new edition of IT Governance: An International Guide to Data Security and ISO27001/ISO27002 has been fully updated to take account of current cyber security trends and advanced persistent threats, and reflects the latest regulatory and technological developments, including the 2013 updates to ISO 27001 and ISO 27002.

    Product overview

    Including coverage of key international markets, such as the UK, North America, the EU and the Asia-Pacific region, IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the definitive guide to implementing an effective information security management system (ISMS), as set out in the international standard ISO 27001.

    It covers all aspects of data protection/information security, including viruses, hackers, online fraud, privacy regulations, computer misuse and investigatory powers.

    Changes introduced in this edition include:

    • Full updates in line with the 2013 revisions to the ISO 27001 standard and ISO 27002 code of practice.
    • Full coverage of changes to data protection regulations in different jurisdictions and advice on compliance.
    • Guidance on the new continual improvement model that replaces the plan-do-check-act cycle that was mandated in the 2005 iteration of ISO 27001.
    • New developments in cyber risk and mitigation practices.
    • The latest technological developments that affect IT governance and security.
    • Guidance on the new information security risk assessment process.

    IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the recommended textbook for the Open University’s postgraduate information security course and the recommended text for all IBITGQ ISO 27001 courses.



    Apr 24 2017

    Why is ISO 27001 so important for US technology firms?

Category: ISO 27k | DISC @ 10:47 am

    by Rob Freeman

    At IT Governance, we have long known that compliance with the ISO 27001 information security management standard is essential for all US companies that wish to do business with the rest of the world. This requirement is fuelled by the ever growing threat of cybercrime and the increasing awareness of the data privacy rights of all individuals in target markets globally.

    Win international business

    To win and maintain international business, your firm needs to demonstrate that it takes cybersecurity and data privacy seriously, and fully complies with all of the relevant laws and regulations.

This is particularly true for US technology companies, many of which deliver services and products using online web-based channels. Modern Internet marketing and sales methodology demands the acquisition of large databases of customers’ personal data. In return for purchasing goods and services, these customers expect that their data will be secured, stored, and used in an appropriate manner. From the big guys like Microsoft or Salesforce.com to the little guys trading internationally on eBay, ensuring the data security and privacy of customers is just as important as delivering a great product.

    Although now a little dated, I can recommend that you view the August news release from InsideView, a CA-based market intelligence company, which announced “InsideView Expands ISO/IEC 27001:2013 Certification to Include ISO/IEC 27018”. This somewhat innocuous headline is hiding a really big message that is buried in the second paragraph:

    A global priority

    Protection of personal information has become a globally recognized priority. Emerging regulations and frameworks, such as European Union Data Protection Directive (GDPR) and the US Department of Commerce Privacy Shield, will require data processors to provide specific protections and rights of access regarding personal information.

    “This extension of our ISO 27001 information security management system to include the ISO 27018 controls for personal data shows that InsideView is leading the market in preparation for new privacy regulations,” said Jenny Cheng, Chief Product Officer at InsideView.

    If you are not aware of the importance of ISO 27001, I can recommend that you purchase and read this textbook: IT Governance – An International Guide to Data Security and ISO27001/ISO27002, Sixth Edition.


    Apr 21 2017

    vsRisk™ risk assessment

Category: ISO 27k, Security Risk Assessment | DISC @ 8:42 am

    vsRisk Standalone 3.0 – Brand new vsRisk™ risk assessment software available now

    vsRisk is fully aligned with ISO 27001:2013 and helps you conduct an information security risk assessment quickly and easily. The upgrade includes three key changes to functionality: custom acceptance criteria, a risk assessment wizard and control set synchronization. This major release also enables users to export the asset database in order to populate an asset management system/register.

    Price: $745.00

    Buy now

    Tags: Risk Assessment


    Feb 17 2017

    Fragmented cybersecurity regulation threatens organizations

Category: ISO 27k, IT Governance | DISC @ 11:10 am

    Organizations across the United States have a number of cybersecurity regulations to comply with, and need to show that they take protection of sensitive data seriously.

    Consumer data in the US is currently protected by a patchwork of industry-specific, federal, and state laws, the scope and jurisdiction of which vary. The challenge of compliance for organizations that conduct business across all 50 states is considerable.

    Forbes summarizes the issue:

    “Increased regulatory fragmentation unduly diverts focus and resources, and ultimately threatens to make us more vulnerable to cyber attacks. Instead of a fractured approach by state, we need a coordinated national strategy for regulating cybersecurity.”

    For example, NY financial institutions will be required to implement security measures in order to protect themselves against cyber attacks from March 1, 2017. They will need to not only maintain a cybersecurity policy and program, appoint a CISO, and implement risk assessment controls and an incident response plan, they will also have to provide regular cybersecurity awareness training, conduct penetration testing, and identify vulnerabilities.

Organizations also have the National Institute of Standards and Technology (NIST) Cybersecurity Framework for guidance on reducing cybersecurity risks, together with the NIST SP 800-53 catalog of security and privacy controls that the Framework maps to, and many organizations are required by contract or by law to implement them.

    Complying with multiple cybersecurity regulations

    ISO 27001 Cybersecurity Documentation Toolkit

    Fulfil multiple cybersecurity obligations and benefit from international information security best practice to produce a solid framework with the ISO 27001 Cybersecurity Documentation Toolkit.

    Covering state, national, and international cybersecurity frameworks, this toolkit will enable you to produce a robust management system that complies with:

    • NIST SP 800-53
    • New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
    • Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
• ISO 27001, the internationally recognized information security management standard

    Comply with multiple cybersecurity regulations

    Pre-order now >>



    Jan 09 2017

    The new CISO role: The softer side

Category: Information Security, ISO 27k | DISC @ 12:17 pm

Image: Risk mitigation action points (Photo credit: Wikipedia)

    By Tracy Shumaker

    In order for CISOs to stay relevant in their field today, they must add communication and soft skills to their list of capabilities. Traditionally, their role has been to take charge of IT security. Now CISOs oversee cybersecurity and risk management systems. They must manage teams and get leadership approval in order to successfully implement a system that aligns with overall business goals.

    Speak in a common business language

    The CISO will need to appoint both technical and non-technical individuals to support a risk management system, which requires communication in a language that everyone can relate to. Additionally, senior executives’ approval is required and this will involve presenting proposals in non-technical terms.
    Being able to communicate and having the soft skills to manage people is a challenge CISOs face. For CISOs to reach a larger audience, they need to clearly explain technical terms and acronyms that are second nature and translate the cybersecurity risks to the organization into simple business vocabulary.

    Get the tools to gain the skills

    IT Governance Publishing books are written in a business language that is easy to understand even for the non-technical person. Our books and guides can help you develop the softer skills needed to communicate in order to successfully execute any cybersecurity or risk management system.

    Develop your soft skills with these books >>

    Discover the best-practice cyber risk management system, ISO 27001

    This international standard sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they face in the most cost-effective and efficient way.

    Find more information about ISO 27001 here >>



    Nov 14 2016

    Implementing an ISMS: where should you start?

Category: ISO 27k | DISC @ 9:56 am

    With the number of ISO 27001 certifications rising fast in the US, organizations will be looking to implement an ISO 27001-compliant information security management system (ISMS) quickly, before any of their competitors.

    However, the hardest part of achieving ISO 27001 certification is providing the documentation for the ISMS. Often – particularly in more complex and larger businesses – the documentation can be up to a thousand pages. Needless to say, this task can be lengthy, stressful and complicated.

    IT Governance Publishing’s (ITGP) ISO 27001 toolkits offer this documentation in pre-written templates, along with a selection of other tools to:

    • Help save you months of work as all the toolkits contain pre-written templates created by industry experts that meet ISO 27001:2013 compliance requirements.
    • Reduce costs and expenses as you tackle the project alone.
    • Save the hassle of creating and maintaining the documents yourself.
    • Accelerate your management system implementation by having all of the tools and resources you need at your disposal.
    • Ensure nothing is left out of your ISMS documentation.

When organizations need help with their ISMS projects, they are normally at a loss as to where to start.

    The two major challenges they face are creating supporting documentation and performing a risk assessment.

ITGP offers a wide range of fixed-price toolkits, which can provide you with the official ISO 27000 standards, implementation guidance, documentation templates, and risk assessment software to aid your project.

    • Do you know how to implement an ISMS?
    • What steps should you take?
    • How long will it take?


    Tags: isms, iso 27001 certification, iso 27002


    Oct 29 2015

    Keep certification simple using ITGP’s toolkits

Category: ISO 27k | DISC @ 8:13 pm

    When implementing ISO management systems, most of us would like to:

    • get it right first time,
    • keep it as straightforward as possible,
    • be able to integrate the system with other frameworks,
    • reduce common errors that are made during the process, and
    • cut implementation costs where possible.


    Implementing management systems has never been easier with ITGP’s toolkits

    Authored by industry experts and used by over 4,000 organisations worldwide, ITGP’s toolkits will help you do all of the above and more.

    Comprising pre-written templates, customisable worksheets, policies and helpful guidance, the documentation toolkits are perfect for organisations seeking certification, compliance and/or best-practice implementation.

    View all toolkits >>




    Tags: ISO 27001 2013 Toolkit, toolkit


    Oct 19 2015

    New York Stock Exchange cybersecurity guide recommends ISO 27001

Category: ISO 27k | DISC @ 11:11 am
    by Neil Ford

    The New York Stock Exchange (NYSE) has released a 355-page guide to cybersecurity (Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers), written by more than 80 individual contributors representing organizations including Booz Allen Hamilton, Dell SecureWorks, Georgia Institute of Technology, the Internet Security Alliance, Rackspace Inc., the US Department of Justice Cybersecurity Unit, Visa, Wells Fargo, and the World Economic Forum.

    This ‘definitive guide’ collects “the expertise and experience of CEOs, CIOs, lawyers, forensic experts, consultants, academia, and current and former government officials”, and “contains practical and expert advice on a range of cybersecurity issues including compliance and breach avoidance, prevention and response.”

    “No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk.”

    Tom Farley, President, New York Stock Exchange

    Among the report’s many opinions is one that we at IT Governance have maintained for a long time: the recommendation that organizations align their cybersecurity program with “at least one standard… so progress and maturity can be measured. In determining which standard to use as a corporate guidepost, organizations should consider the comprehensiveness of the standard. […] ISO/IEC 27001… is a comprehensive standard and a good choice for any size of organization because it is respected globally and is the one most commonly mapped against other standards.”

    All NYSE-listed company board members will receive a copy of the guide; if you are yet to receive your copy, it can be downloaded here >>

    For more information on ISO 27001 and how it can help your organization with a best-practice cybersecurity posture, click here >>

    “This is not simply an IT issue. It is a business problem of the highest level.”

    Charles W. Scharf, CEO, Visa Inc.

    ISO 27001 information security management

    An information security management system (ISMS), as described by ISO 27001, provides a risk-based approach to information security that enables organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes, and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organization actually faces, thereby limiting the inadvertent threats posed by untrained staff, inadequate procedures, out-of-date software solutions, and more.

    Priced from only $659, IT Governance’s ISO 27001 Packaged Solutions provide unique information security implementation resources for all organizations, whatever their size, budget, or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organizations to implement an ISMS with the minimum of disruption and difficulty.


    Tags: Information Security Management System, ISO/IEC 27001, NYSE


    Sep 22 2015

    North America has largest growth rate of ISO 27001 registrations

    Category: ISO 27k | DISC @ 4:46 pm

    by Melanie Watson

    North America is currently the fastest growing region in terms of ISO 27001 registrations, according to ISO Survey 2014.

    Now totalling 836 registrations, North America boasts an annual growth rate of 17.42% in 2014.

    Other regions include the Middle East with a growth rate of 13.53%, Central and South Asia with 12.54%, Europe with 9.53%, East Asia and Pacific with 4.07%, Central/South America with 1.84% and Africa with a decline of 18.18%.

    ISO 27001 – The CyberSecurity Standard

    ISO 27001, the international cybersecurity standard, has long been regarded as the leading framework for implementing an information security management system (ISMS) that enables organizations to obtain an independent registration to prove their cybersecurity credentials.

    In fact, the US has the ninth largest number of ISO 27001 registrations globally (664), moving up one place from last year.


    ISO27001 registration is often a supply chain requirement and, as such, can help organizations broaden their client base and supply chain network, while supporting business opportunities in international markets where the Standard is recognized.

    Other ISO 27001 benefits include: enhanced reputation, increased stakeholder trust, meeting regulatory and compliance requirements, and improved internal processes.

    Find out more about ISO 27001

    More and more companies across North America have come to realise the benefits of implementing an ISO 27001-accredited information security management system, both in terms of improving security and gaining a competitive advantage.

    Find out more about ISO 27001 >>

    New to ISO 27001? Learn from the experts >>



    Sep 21 2015

    International law firms see ISO 27001 certification as competitive differentiator

    Category: ISO 27k, Security and privacy Law | DISC @ 9:22 am


    by

    ISO 27001 has long been regarded as the information security standard to protect a company’s sensitive information, but more recently law firms have been viewing it as a key competitive differentiator in their field.

    Key selling point

    Shook, Hardy & Bacon achieved ISO 27001 certification last year and described the standard as a key selling point for their firm. “We wanted to make sure we had the processes in place so [clients] had confidence that we were doing the best we could,” says the firm’s chair, John Murphy.

    Strengthened position in the legal market

    Murphy continues that certifying to ISO 27001 has strengthened SHB’s position in the legal market and that prospective clients ask the firms they’re evaluating about their data security policies and procedures; some even specifically ask firms whether they have an ISO 27001 certification.

    Certification to ISO 27001 has been achieved by at least 12 large law firms, half of which are based in the United Kingdom, and another 16 US firms were identified as “working toward or investigating certification” (International Legal Technology Association’s LegalSEC conference, June 2014).

    The importance of data security in the legal sector

    Having worked with some of the top law firms in the country – including Eversheds, Freshfields, and Slaughter and May – we know how important data security is to those in the legal sector.

    Find out how you can emulate top law firms and achieve internationally recognized data security status with ISO 27001 by downloading our free green paper, which reveals:

    • How top law firms successfully use ISO 27001 to grow their client base.
    • How ISO 27001 will benefit your firm as a whole.
    • Why stringent data security in the legal sector is a key business enabler.

    Download now >>


    Tags: iso 27001 certification, Law enforcement agency, Law firms, security law


    Sep 14 2015

    Code of practice for protection of Personally Identifiable Information

    Category: ISO 27k | DISC @ 2:39 pm


    ISO 27018 Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors

    by Microsoft Azure

    ISO/IEC 27018 was published in July 2014 by the International Organization for Standardization (ISO), as a new component of the ISO 27001 standard. ISO 27018 adds controls to the ISO/IEC 27001/27002 standards to address processing personally identifiable information (PII) in a cloud computing environment.

    The code of practice provides guidance for Cloud Service Providers (CSP) that act as processors of PII and recommends a set of controls. Furthermore, ISO 27018 provides guidance on what CSPs need to achieve in terms of contractual obligations related to processing PII.

    ISO 27018 provides controls that reflect considerations specifically for protecting PII in public cloud services. For example, new controls prohibit the use of customer data for advertising and marketing purposes without the customer’s express consent. ISO 27018 also provides clear guidance to CSPs for the return, transfer and/or secure disposal of PII belonging to customers leaving their service. And it provides guidance to the CSP to identify any sub-processor before their use, and inform customers promptly of new sub-processors, to give customers an opportunity to object or terminate their agreement.

    ISO 27018 is the first international set of privacy controls in the cloud, and Microsoft Azure was the first cloud computing platform to adopt ISO 27018 as validated during an independent audit by the British Standards Institution (BSI). Office 365, Dynamics CRM Online, and Microsoft Intune have also adopted ISO 27018.

    Maintaining compliance with this and similar international standards is part of a broader commitment from Microsoft to protect the privacy of our customers, as described in this Microsoft on the Issues post from Brad Smith, General Counsel & Executive Vice President.

    Microsoft will continue to conduct annual audits by independent third parties to confirm Azure compliance, which can then be relied upon by the customer to support their own regulatory obligations.

    We understand that security and compliance are extremely important to our customers so we make it a core part of how we design and manage Azure. As we rapidly innovate in productivity services with Azure, we will continue to invest in fielding a service that emphasizes security and compliance with global as well as regional and industry specific standards and regulations.

    Tags: ISO 27018, PII

