Feb 17 2017

Fragmented cybersecurity regulation threatens organizations

Category: ISO 27k,IT GovernanceDISC @ 11:10 am

Fragmented cybersecurity regulation threatens organizations

Melanie Watson

Organizations across the United States have a number of cybersecurity regulations to comply with, and need to show that they take protection of sensitive data seriously.

Consumer data in the US is currently protected by a patchwork of industry-specific, federal, and state laws, the scope and jurisdiction of which vary. The challenge of compliance for organizations that conduct business across all 50 states is considerable.

Forbes summarizes the issue:

“Increased regulatory fragmentation unduly diverts focus and resources, and ultimately threatens to make us more vulnerable to cyber attacks. Instead of a fractured approach by state, we need a coordinated national strategy for regulating cybersecurity.”

For example, NY financial institutions will be required to implement security measures in order to protect themselves against cyber attacks from March 1, 2017. They will need to not only maintain a cybersecurity policy and program, appoint a CISO, and implement risk assessment controls and an incident response plan, they will also have to provide regular cybersecurity awareness training, conduct penetration testing, and identify vulnerabilities.

Organizations also have the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST SP 800-53) for guidance on helping reduce cybersecurity risks, and many organizations are required by contract or by law to implement the framework.

Complying with multiple cybersecurity regulations

ISO 27001 Cybersecurity Documentation Toolkit

Fulfil multiple cybersecurity obligations and benefit from international information security best practice to produce a solid framework with the ISO 27001 Cybersecurity Documentation Toolkit.

Covering state, national, and international cybersecurity frameworks, this toolkit will enable you to produce a robust management system that complies with:

  • NIST SP 800-53
  • New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
  • Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
  • ISO 27001, the internationally-recognized cybersecurity framework

Comply with multiple cybersecurity regulations

Pre-order now >>

Top Rated ISO 27001 Books

Jan 09 2017

The new CISO role: The softer side

Category: Information Security,ISO 27kDISC @ 12:17 pm

 

English: Risk mitigation action points

English: Risk mitigation action points (Photo credit: Wikipedia)

By Tracy Shumaker

In order for CISOs to stay relevant in their field today, they must add communication and soft skills to their list of capabilities. Traditionally, their role has been to take charge of IT security. Now CISOs oversee cybersecurity and risk management systems. They must manage teams and get leadership approval in order to successfully implement a system that aligns with overall business goals.

Speak in a common business language

The CISO will need to appoint both technical and non-technical individuals to support a risk management system, which requires communication in a language that everyone can relate to. Additionally, senior executives’ approval is required and this will involve presenting proposals in non-technical terms.
Being able to communicate and having the soft skills to manage people is a challenge CISOs face. For CISOs to reach a larger audience, they need to clearly explain technical terms and acronyms that are second nature and translate the cybersecurity risks to the organization into simple business vocabulary.

Get the tools to gain the skills

IT Governance Publishing books are written in a business language that is easy to understand even for the non-technical person. Our books and guides can help you develop the softer skills needed to communicate in order to successfully execute any cybersecurity or risk management system.

Develop your soft skills with these books >>

Discover the best-practice cyber risk management system, ISO 27001

This international standard sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they face in the most cost-effective and efficient way.

Find more information about ISO 27001 here >>

Top Rated CISO Books

Nov 14 2016

Implementing an ISMS: where should you start?

Category: ISO 27kDISC @ 9:56 am

ISO27ktoolkit

With the number of ISO 27001 certifications rising fast in the US, organizations will be looking to implement an ISO 27001-compliant information security management system (ISMS) quickly, before any of their competitors.

However, the hardest part of achieving ISO 27001 certification is providing the documentation for the ISMS. Often – particularly in more complex and larger businesses – the documentation can be up to a thousand pages. Needless to say, this task can be lengthy, stressful and complicated.

IT Governance Publishing’s (ITGP) ISO 27001 toolkits offer this documentation in pre-written templates, along with a selection of other tools to:

  • Help save you months of work as all the toolkits contain pre-written templates created by industry experts that meet ISO 27001:2013 compliance requirements.
  • Reduce costs and expenses as you tackle the project alone.
  • Save the hassle of creating and maintaining the documents yourself.
  • Accelerate your management system implementation by having all of the tools and resources you need at your disposal.
  • Ensure nothing is left out of your ISMS documentation.

When an organization’s need help with their ISMS projects, they’re normally at a loss.

The two major challenges they face are creating supporting documentation and performing a risk assessment.

With wide range of fixed-price toolkits, these toolkits can provide you with the official ISO 27000 standards, implementation guidance, documentation templates, and risk assessment software to aid your project.

  • Do you know how to implement an ISMS?
  • What steps should you take?
  • How long will it take?


Tags: isms, iso 27001 certification, iso 27002

Oct 29 2015

Keep certification simple using ITGP’s toolkits

Category: ISO 27kDISC @ 8:13 pm

ISO

When implementing ISO management systems, most of us would like to:

  • get it right first time,
  • keep it as straightforward as possible,
  • be able to integrate the system with other frameworks,
  • reduce common errors that are made during the process, and
  • cut implementation costs where possible.

 

Implementing management systems has never been easier with ITGP’s toolkits

Authored by industry experts and used by over 4,000 organisations worldwide, ITGP’s toolkits will help you do all of the above and more.

Comprising pre-written templates, customisable worksheets, policies and helpful guidance, the documentation toolkits are perfect for organisations seeking certification, compliance and/or best-practice implementation.

View all toolkits >>




Tags: ISO 27001 2013 Toolkit, toolkit

Oct 19 2015

New York Stock Exchange cybersecurity guide recommends ISO 27001

Category: ISO 27kDISC @ 11:11 am

NYSE
by Neil Ford

The New York Stock Exchange (NYSE) has released a 355-page guide to cybersecurity (Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers), written by more than 80 individual contributors representing organizations including Booz Allen Hamilton, Dell SecureWorks, Georgia Institute of Technology, the Internet Security Alliance, Rackspace Inc., the US Department of Justice Cybersecurity Unit, Visa, Wells Fargo, and the World Economic Forum.

This ‘definitive guide’ collects “the expertise and experience of CEOs, CIOs, lawyers, forensic experts, consultants, academia, and current and former government officials”, and “contains practical and expert advice on a range of cybersecurity issues including compliance and breach avoidance, prevention and response.”

“No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk.”

Tom Farley, President, New York Stock Exchange

Among the report’s many opinions is one that we at IT Governance have maintained for a long time: the recommendation that organizations align their cybersecurity program with “at least one standard… so progress and maturity can be measured. In determining which standard to use as a corporate guidepost, organizations should consider the comprehensiveness of the standard. […] ISO/IEC 27001… is a comprehensive standard and a good choice for any size of organization because it is respected globally and is the one most commonly mapped against other standards.”

All NYSE-listed company board members will receive a copy of the guide; if you are yet to receive your copy, it can be downloaded here >>

For more information on ISO 27001 and how it can help your organization with a best-practice cybersecurity posture, click here >>

“This is not simply an IT issue. It is a business problem of the highest level.”

Charles W. Scharf, CEO, Visa Inc.

ISO 27001 information security management

An information security management system (ISMS), as described by ISO 27001, provides a risk-based approach to information security that enables organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes, and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organization actually faces, thereby limiting the inadvertent threats posed by untrained staff, inadequate procedures, out-of-date software solutions, and more.

Priced from only $659, IT Governance’s ISO 27001 Packaged Solutions provide unique information security implementation resources for all organizations, whatever their size, budget, or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organizations to implement an ISMS with the minimum of disruption and difficulty.


Tags: Information Security Management System, ISO/IEC 27001, NYSE

Sep 22 2015

North America has largest growth rate of ISO 27001 registrations

Category: ISO 27kDISC @ 4:46 pm

by Melanie Watson

North America is currently the fastest growing region in terms of ISO 27001 registrations, according to ISO Survey 2014.

Now totalling 836 registrations, North America boasts an annual growth rate of 17.42% in 2014.

Other regions include the Middle East with a growth rate of 13.53%, Central and South Asia with 12.54%, Europe with 9.53%, East Asia and Pacific with 4.07%, Central/South America with 1.84% and Africa with a decline of 18.18%.

ISO 27001 – The CyberSecurity Standard

ISO 27001, the international cybersecurity standard, has long been regarded as the leading framework for implementing an information security management system (ISMS) that enables organizations to obtain an independent registration to prove their cybersecurity credentials.

In fact, the US has the ninth largest number of ISO 27001 registrations globally (664), moving up one place from last year.

ISO27001CertificateUS_2014

ISO27001 registration is often a supply chain requirement and, as such, can help organizations broaden their client base and supply chain network, while supporting business opportunities in international markets where the Standard is recognized.

Other ISO 27001 benefits include: enhanced reputation, increased stakeholder trust, meeting regulatory and compliance requirements, and improved internal processes.

Find out more about ISO 27001

More and more companies across North America have come to realise the benefits of implementing an ISO 27001-accredited information security management system, both in terms of improving security and gaining a competitive advantage.

Find out more about ISO 27001 >>

New to ISO 27001? Learn from the experts >>

 

Sep 21 2015

International law firms see ISO 27001 certification as competitive differentiator

Category: ISO 27k,Security and privacy LawDISC @ 9:22 am

International law firms see ISO 27001 certification as competitive differentiator

by

laptop-820274_1280
ISO 27001 has long been regarded as the information security standard to protect a company’s sensitive information, but more recently law firms have been viewing it as a key competitive differentiator in their field.

Key selling point

Shook, Hardy & Bacon achieved ISO 27001 certification last year and described the standard as a key selling point for their firm. “We wanted to make sure we had the processes in place so [clients] had confidence that we were doing the best we could,” says the firm’s chair, John Murphy.

Strengthened position in the legal market

Murphy continues that certifying to ISO 27001 has strengthened SHB’s position in the legal market and that prospective clients ask the firms they’re evaluating about their data security policies and procedures; some even specifically ask firms whether they have an ISO 27001 certification.

Certification to ISO 27001 has been achieved by at least 12 large law firms, half of which are based in the United Kingdom, and another 16 US firms were identified as “working toward or investigating certification” (International Legal Technology Association’s LegalSEC conference, June 2014).

The importance of data security in the legal sector

Having worked with some of the top law firms in the country – including Eversheds, Freshfields, and Slaughter and May – we know how important data security is to those in the legal sector.

Find out how you can emulate top law firms and achieve internationally recognized data security status with ISO 27001 by downloading our free green paper, which reveals:

  • How top law firms successfully use ISO 27001 to grow their client base.
  • How ISO 27001 will benefit your firm as a whole.
  • Why stringent data security in the legal sector is a key business enabler.

Download now >>


Tags: iso 27001 certification, Law enforcement agency, Law firms, security law

Sep 14 2015

Code of practice for protection of Personally Identifiable Information

Category: ISO 27kDISC @ 2:39 pm

ISO

ISO 27018 Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors

by Microsoft Azure

ISO/IEC 27018 was published in July 2014 by the International Organization for Standardization (ISO), as a new component of the ISO 27001 standard. ISO 27018 adds controls to the ISO/IEC 27001/27002 standards to address processing personally identifiable information (PII) in a cloud computing environment.

The code of practice provides guidance for Cloud Service Providers (CSP) that act as processors of PII and recommends a set of controls. Furthermore, ISO 27018 provides guidance on what CSPs need to achieve in terms of contractual obligations related to processing PII.

ISO 27018 provides controls that reflect considerations specifically for protecting PII in public cloud services. For example, new controls prohibit the use of customer data for advertising and marketing purposes without the customer’s express consent. ISO 27018 also provides clear guidance to CSPs for the return, transfer and/or secure disposal of PII belonging to customers leaving their service. And it provides guidance to the CSP to identify any sub-processor before their use, and inform customers promptly of new sub-processors, to give customers an opportunity to object or terminate their agreement.

ISO 27018 is the first international set of privacy controls in the cloud, and Microsoft Azure was the first cloud computing platform to adopt ISO 27018 as validated during an independent audit by the British Standards Institution (BSI). Office 365, Dynamics CRM Online, and Microsoft Intune have also adopted ISO 27018.

Maintaining compliance with this and similar international standards is part of a broader commitment from Microsoft to protect the privacy of our customers, as described in this Microsoft on the Issues post from Brad Smith, General Counsel & Executive Vice President.

Microsoft will continue to conduct annual audits by independent third parties to confirm Azure compliance, which can then be relied upon by the customer to support their own regulatory obligations.

We understand that security and compliance are extremely important to our customers so we make it a core part of how we design and manage Azure. As we rapidly innovate in productivity services with Azure, we will continue to invest in fielding a service that emphasizes security and compliance with global as well as regional and industry specific standards and regulations.

Tags: ISO 27018, PII

Aug 21 2015

Five ISO 27001 books you should read

Category: ISO 27kDISC @ 9:14 am

Take a plunge into the world of ISO 27001 with these recommended reads

by

As a professional embarking on your first journey implementing ISO 27001, you are probably hungry for knowledge and eager to make progress. While starting a new project may be exciting, it can also be daunting if you lack relevant experience and cannot rely on internal support and guidance.

Many ISO 27001 practitioners attend ISO 27001 Lead Implementer courses to gain practical knowledge and skills to develop an information security management system (ISMS). Some go even further by securing a budget to call in an experienced ISO 27001 consultant to guide them through the process and help them with the more complex aspects of the project. But most information security professionals start the journey by simply reading a lot on the subject and doing initial preparation on their own – a method that is not only cost effective, but also gives them a good foundation to understand what is needed for successful ISO 27001 delivery.

Here are five books from IT Governance’s own ISO 27001 library that we believe can help ISO 27001 practitioners prepare for ISO 27001 implementation.

The Case for ISO 27001

As the title says, this book explains the business case for implementing ISO 27001 within an organisation. It highlights the importance and outlines the many benefits of the Standard, making it an ideal supporting document for developing an ISO 27001 project proposal.

The Case for ISO 27001 can be ordered from the IT Governance website.

IT Governance – An International Guide to Data Security and ISO27001/ISO27002

Now in its sixth edition, the bestselling IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the perfect manual for designing, documenting and implementing an ISO 27001-compliant ISMS, and seeking certification. Selected as the textbook for the Open University’s postgraduate information security course, this comprehensive book offers a systematic process and covers the main topics in depth.

Jointly written by renowned ISO 27001 experts Alan Calder and Steve Watkins, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, sixth edition is due to be released 3 September 2015, and is now available for pre-order.

Nine Steps to Success

If you are looking for a concise, practical guide to implementing an ISMS and achieving ISO 27001 certification, consider obtaining a copy of Nine Steps to Success. Written from first-hand experience, it guides you through an ISO 27001 implementation project step-by-step, covering the most essentials aspects including gaining management support, scoping, planning, communication, risk assessment and documentation.

ISO 27001 Assessments Without Tears

With ISO 27001 certification being the final goal for most organisations implementing the Standard, the pressure is usually on the ISO 27001 practitioners to ensure that staff are prepared to answer tricky auditor questions. ISO 27001 Assessments Without Tears is a succinctly written pocket guide that explains what an ISO 27001 assessment is, why it matters for the organisation, and what individual staff should and should not do if an auditor chooses to question them.

ISO 27001 in a Windows Environment

Most ISO 27001 implementations will involve a Windows® environment at some level. Unfortunately, there is often a knowledge gap between those trying to implement ISO 27001 and the IT specialists trying to put the necessary best-practice controls in place using Microsoft®’s technical controls. Written by information security expert Brian Honan, ISO27001 in a Windows Environment bridges that gap and gives essential guidance to everyone involved in a Windows-based ISO27001 project.


Tags: Chief Information Security Officer, Computer security, Data center, Information Security Management System, ISO/IEC 27001

Dec 29 2014

How to identify risks, threats and vulnerabilities for small business

Category: ISO 27kDISC @ 12:21 pm

Small business owners are often lulled into a false sense of security, thinking that only major retailers, banks and healthcare companies are at risk of a data breach.

Although a malicious attack is the most commonly discussed threat to cyber security, it isn’t the only type your business should watch out for. Natural disasters, human error and internal attacks can wreak havoc with your systems and data.

vsRisk helps you meet every essential compliance requirement.

  • Includes six pre-populated control sets:
    • ISO/IEC 27001:2013 and ISO/IEC 27001:2005
    • PCI DSS v3
    • NIST SP 800-53
    • Cloud Controls Matrix
    • ISO/IEC 27032.
  • Fully compatible with ISO 27001:2013.
  • Includes integrated, searchable databases of threats, vulnerabilities and risk scenarios.
  • Produces a set of exportable, reusable and audit-ready ISO 27001-compliant reports.
  • Features a controls console that offers a quick view of the status of controls and actions planned.

Have you identified all the risks, threats and vulnerabilities that your organisation’s data and intellectual capital faces?

vsRisk Standalone - Basic

vsRisk Standalone – Basic

An information security risk assessment using vsRisk can provide a deeper understanding of your IT weaknesses and exposures.

 vsRisk has been proven to save huge amounts of time, effort and expense when tackling complex risk assessments. Fully compliant with ISO 27001:2013, this widely applicable risk assessment tool automates and delivers an information security risk assessment quickly and easily. vsRisk Standalone is intended for a single, desktop-based user.
Related articles

Nov 18 2014

Independent Risk Assessment

Category: ISO 27k,Risk AssessmentDISC @ 9:42 am

RA toolkit

The essential suite for undertaking an independent risk assessment compliant with ISO/IEC 27001; supporting ISO/IEC 27002 and conforming to ISO/IEC 27005, whilst providing guidance to multiple internal Asset Owners.

Risk assessment is the core competence of information security management. This toolkit provides essential information, guidance & tools YOU NEED to undertake an effective ISO 27001 risk assessment.

The No 2 Risk Assessment Toolkit has the added benefit of supplying five soft cover versions of Risk Assessment for Asset Owners: A Pocket Guide. This enables you to provide a copy of the pocket guide to each member of staff involved in the ISO 27001 implementation, so that they can understand the risk assessment process.

 

What’s included?

Information Security Risk Management for ISO 27001/ISO 17799 (eBook): provides comprehensive guidance on risk management, in line with the requirements of ISO 27001. It is essential reading for anyone undertaking an ISO 27001 risk assessment.

The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management.

This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

 

vsRisk™- the Cybersecurity Risk Assessment Tool : vsRisk is a unique software tool designed to guide your organisation through the process of carrying out an information security risk assessment that will meet the requirements of ISO 27001:2005.

The contents of this toolkit provide clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives.

 

The Cybersecurity Risk Assessment Tool which:

  • Automates and delivers an ISO/IEC 27001-compliant risk assessment.
  • Assesses confidentiality, integrity &; availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001.
  • Supports / conforms / complies to ISO/IEC 27001, ISO/IEC 27002, BS7799-3:2006,ISO/IEC TR 13335-3:1998, NIST SP 800-30 and the UK’s Risk Assessment Standard.
  • One year of support get all software updates and unlimited telephone and email support for a year.

vsRisk™ – the Cybersecurity Risk Assessment Tool comes in two forms – Standalone or Network-enabled (single user licence). vsRisk Network-enabled (single user licence) has exactly the same functionality as the vsRisk Standalone version – but can be installed on a network.

 

Risk Assessment for Asset Owners: A Pocket Guide (eBook):
This Pocket Guide to the ISO27001 risk assessment is designed to assist asset owners and others who are working within an ISO27001/ISO27002 (ISO17799) framework to deliver a qualitative risk assessment.

The contents of this toolkit provide clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives.

Benefits of a risk assessment

  • Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.
  • Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses.
  • Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day.
  • Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.

 

Related articles

Nov 09 2014

When to use tools for ISO 27001/ISO 22301 and when to avoid them

Category: ISO 27kDISC @ 8:54 pm

ISO 27001 2013

If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.

Types of tools

Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:

a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.

b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.

Pros and cons of automation tools

Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.

However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.

There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.

Can you automate everything?

One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.

Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.

What to watch out for when looking for documentation writing tools

You won’t need tools for writing your policies, procedures, and plans if you already developed your documentation based on a framework that it similar to ISO 27001 – e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).

In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:

  • Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
  • Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
  • Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.

So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.

Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit .

Related articles

Tags: Acceptable use policy, Access Control, BCMS, isms, ISO/IEC 27001, ISO22301, Risk Assessment

Aug 22 2014

Do it yourself solution for ISO27001 implementation

Category: ISO 27kDISC @ 3:16 pm

DoItYourself

ISO 27001 Do It Yourself Package

This is the do-it-yourself solution for ISO27001 implementation

Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.

This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.

 

This package does not include certification fees which are paid directly to the certification body.

 

The ISO 27001 do-it-yourself package contains:

  • The ISO 27001:2013 Standard, which details the requirements against which you will be audited.
  • The ISO 27002:2013 Standard, which is the code of practice that provides supports for the implementation of information security controls for ISO27001.
  • The ISO 27000:2014 Standard, which contains the terms and definitions referenced in ISO27001.
  • IT Governance – An International Guide to Data Security and ISO27001/ISO27002, which details how to design, implement and deliver an Information Security Management System (ISMS) that complies with ISO27001.
  • Nine Steps to Success – An ISO 27001 Implementation Overview, which outlines the nine critical steps that mean the difference between ISO27001 project success and failure.

The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.

Based on your needs, you may also need: ISO27001-2013 Gap Analysis Tool

Related articles

Tags: Corporate governance of information technology, data security, Information Security, Information Security Management System, International Organization for Standardization, isms, ISO/IEC 27001, Risk Assessment

Jun 20 2014

ISO27001 2013 ISMS Gap Analysis Tool

Category: ISO 27kDISC @ 12:09 pm

Gap Assessment Tool

To transition from ISO27001:2005 to ISO27001:2013 you may need a Gap Assessment Tool to prioritize your implementation plan.

ISO27001 2013 ISMS Gap Analysis Tool, which quickly and clearly identify the controls and control areas in which an organization does not conform to the requirements of the standard.

Available for immediate dispatch/download from IT Governance, this tool will further your understanding of ISO27001 and identify where you are and why you are not meeting the requirements of ISO27001.

ISO27001 2013 high level review for making the transition

Related articles

Tags: Gap assessment tool, Information Security Management System, ISO/IEC 27001, Risk Assessment

May 15 2014

Cyber Resilience Implementation Suite

Category: BCP,Information Security,ISO 27kDISC @ 11:15 am

CyberResilience

Cyber security is not enough – you need to become cyber resilient

 

The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Whether you know it or not, your organization is under cyber attack. Sooner or later, a hacker or cyber criminal will get through, so you need to ensure that you have the systems in place to resist such breaches and minimize the damage caused to your organization’s infrastructure, and reputation.

You need to develop a system that is cyber resilient – combining the best practice from the international cyber security and business continuity standards ISO22301 and ISO27001.

This specially-priced bundle of eBooks and documentation toolkits gives you all the tools you need to develop a cyber-resilient system that will both fend off cyber attacks, and minimize the damage of any that get through your cyber defenses.

The books in this suite will provide you with the knowledge to plan and start your project, identify your organization’s own requirements and help you to apply these international standards.

The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Download your copy today

This suite includes:

Related articles

Tags: business continuity, Computer security, Cyber Resilience, cyberwarfare, ISO/IEC 27001

May 10 2014

Information Security and ISO 27001-2013

Category: ISO 27kDISC @ 9:38 pm

ISO270012013

The perfect introduction to the principles of information security management and ISO27001:2013

Most organizations implementing an information security management regime opt for systems based on the international standard, ISO/IEC 27001. This approach ensures that the systems they put in place are effective, reliable and auditable.

Up to date with the latest version of the Standard (ISO27001:2013), An Introduction to information security and ISO27001:2013 is the perfect solution for anyone wanting an accurate, fast, easy-to-read primer on information security from an acknowledged expert on ISO27001.

This pocket guide will help you to:

Make informed decisions

    By providing a clear, concise overview of the subject this guide enables the key people in your organization to make better decisions before embarking on an information security project.

Ensure everyone is up to speed

    Once you have decided to implement an information security project, you can use this guide to give the non-specialists on the project board and in the project team a clearer understanding of what the project involves.

Raise awareness among staff

    An Information Security Management System (ISMS) will make demands of the overall corporate culture within your organization. You need to make sure your people know what is at stake with regard to information security, so that they understand what is expected of them.

Enhance your competitiveness

    Your customers need to know that the information you hold about them is managed and protected appropriately. And to retain your competitive edge, you will want the identity of your suppliers and the products you are currently developing to stay under wraps. With an effective knowledge management strategy, you can preserve smooth customer relations and protect your trade secrets.

Download this pocket guide and learn how you can keep your information assets secure.

 

 

Related articles

Tags: Information Security, Information Security Management System, isms, ISO/IEC 27001, Policy

Apr 24 2014

Competitive advantage with ISO 27001

Category: ISO 27kDISC @ 12:36 pm

ISO 27001 2013

Gain a competitive advantage with ISO 27001

by Neil Ford

We often talk of the operational benefits that conformance to ISO27001’s specifications will bring your organization, from the cost-saving advantages of increased efficiency to the peace of mind that a robust information security management system (ISMS) provides, but it’s important to remember that compliance with the standard also gives you a distinct competitive advantage, and will enable you to win new business as well as retain your existing clients.

Having the edge over your competitors is always beneficial, and when tendering for new contracts you want the best chance of success that you can get. Here’s how ISO27001 can help win you more business:

» ISO27001 is recognized in every country and every market in the world as the mark of highest competency in information security management. Prospective customers recognize this, and will often choose a supplier that holds an ISO27001 certificate over one that doesn’t.

» In the UK, requests for quotations and tender requests from public sector organizations including the MoD, the NHS and local authorities will ask that the supplier be compliant with ISO27001 or, if it is not, demonstrate the required information security measures by completing a long questionnaire or submitting to an inspection. Conformance to ISO27001 saves considerable time and money in the required due diligence of tender applications. (To be accepted by the MoD as an approved Enhanced Learning Credit (ELCAS) training provider, IT Governance Ltd was asked to be fully compliant to ISO27001.)

» ISO27001 itself recommends that compliant organizations maintain supply chain relationships with ISO27001-compliant suppliers. If you are looking to form trading relationships with larger ISO27001-certified commercial enterprises, you will need to be compliant with ISO27001 too.

» In the IT service industry, where the protection of data is paramount to winning and maintaining the trust of customers, an ISO27001 certificate is the only credible demonstrable of effective information security.

The implementation of an ISO27001 ISMS brings numerous recognized long-term benefits for your organization, and will pay for itself several times over in the extra business you win as a result of your certification. IT Governance supplies a wide range of ISO27001 products and services to help you achieve that end.

Related articles

Apr 03 2014

Is privacy a dependency of information security

Category: Information Privacy,ISO 27kDISC @ 10:59 am
Privacy

Privacy (Photo credit: g4ll4is)

Is privacy a dependency of information security?

by Jamie Titchener

If you read the news on a regular basis, you will find that most of the cyber security or data protection articles play heavily on the fear of an individual’s privacy being compromised.

But what many people don’t seem to realize is that privacy is in fact a dependency of information or cyber security. Only by having in place adequate information or cyber security policies and procedures can an organization ensure the privacy of their stakeholders, including customers, staff, suppliers, etc.

Whilst there are some unique challenges faced in the area of privacy relating to governmental legislation such as the UK Data Protection Act, organizations can start to effectively address many of the privacy concerns that their stakeholders have by adopting an approach such as implementing an ISMS that complies with ISO/IEC 27001/2.

By combining the right mix of people, process and technology in an ISMS, organizations can effectively manage many of the privacy risks that people are concerned about.

Find out more about ISO/IEC 27001 in An Introduction to ISO/IEC 27001 2013.

Related articles

Tags: Corporate governance of information technology, Information Security Management System, iso 27001, privacy

Jan 06 2014

IT Governance Top 5 Bestsellers of 2013

Category: Information Security,ISO 27kDISC @ 11:24 am

With 2013 coming to a close, ITG is reflecting on what a year it’s been for the IT governance, risk management and compliance (IT-GRC) industry. In 2013  we’ve seen the highly-awaited release of ISO 27001:2013, the requirements for PCI DSS v3.0 and the Adobe breach which affected at least 38 million users.
Throughout it all, IT Governance has been there to serve IT professionals in America and assist them in implementing management systems, protecting their organizations and making their IT departments run more efficiently by implementing IT-GRC frameworks.
Below we have listed the top 5 IT Governance USA bestsellers from 2013:

ISO IEC 27001 2013 and ISO IEC 27002 2013
ISO 27001

Cyber Risks for Business Professionals: A Management Guide
CyberRisks

No 3 Comprehensive ISO27001 2005 ISMS Toolkit

ISMS toolkit

The True Cost of Information Security Breaches and Cyber Crime

Security Breaches

ITIL Foundation Handbook (Little ITIL) – 2011 Edition

ITIL

 

 

 

 

Related articles

Tags: Corporate governance of information technology, Information Security Management System, Information Technology Infrastructure Library, ISO 27001 2013

Dec 09 2013

Nine Steps to Success – An ISO 27001 2013 Implementation Overview

Category: ISO 27kDISC @ 1:17 pm

ISO 27001 2013-Perfect-Nine-Steps-Locked.indd

Nine Steps to Success – An ISO 27001(2013) Implementation Overview, Second Edition

Completely up to date with ISO 27001:2013, this is the new edition of the original no-nonsense guide to successful ISO27001 certification. Ideal for anyone tackling ISO 27001 for the first time, Nine Steps to Success outlines the nine essential steps to an effective ISMS implementation. Download your copy today!.

 

Step-by-step advice for ISO 27001 2013 project success

Based on his many years of first-hand experience with ISO27001, Alan Calder covers every single element of the ISO 27001 project in simple, non-technical language, including:

  • how to get management and board buy-in;
  • how to get cross-organizational, cross functional buy-in;
  • the gap analysis: how much you really need to do;
  • how to integrate with ISO9001 and other management systems;
  • how to structure and resource your project;
  • whether to use consultants or do it yourself;
  • the timetable and project plan;
  • risk assessment methodologies and tools;
  • the documentation challenges;
  • how to choose a certification body.

 

About the Author

Alan Calder is the Founder and Executive Chairman of IT Governance Ltd, an information, advice and consultancy firm that helps company boards tackle IT governance, risk management, compliance and information security issues. He has many years of senior management experience in the private and public sectors.

 

Related articles

« Previous PageNext Page »