Apr 03 2014

Is privacy a dependency of information security

Category: Information Privacy, ISO 27k | DISC @ 10:59 am
Privacy (Photo credit: g4ll4is)


by Jamie Titchener

If you read the news on a regular basis, you will find that most of the cyber security or data protection articles play heavily on the fear of an individual’s privacy being compromised.

But what many people don’t seem to realize is that privacy is in fact a dependency of information or cyber security. Only by having in place adequate information or cyber security policies and procedures can an organization ensure the privacy of their stakeholders, including customers, staff, suppliers, etc.

Whilst there are some unique challenges faced in the area of privacy relating to governmental legislation such as the UK Data Protection Act, organizations can start to effectively address many of the privacy concerns that their stakeholders have by adopting an approach such as implementing an ISMS that complies with ISO/IEC 27001/2.

By combining the right mix of people, process and technology in an ISMS, organizations can effectively manage many of the privacy risks that people are concerned about.

Find out more about ISO/IEC 27001 in An Introduction to ISO/IEC 27001 2013.

Tags: Corporate governance of information technology, Information Security Management System, iso 27001, privacy


Jan 06 2014

IT Governance Top 5 Bestsellers of 2013

Category: Information Security, ISO 27k | DISC @ 11:24 am

With 2013 coming to a close, ITG is reflecting on what a year it’s been for the IT governance, risk management and compliance (IT-GRC) industry. In 2013 we’ve seen the highly awaited release of ISO 27001:2013, the requirements of PCI DSS v3.0 and the Adobe breach, which affected at least 38 million users.
Throughout it all, IT Governance has been there to serve IT professionals in America and assist them in implementing management systems, protecting their organizations and making their IT departments run more efficiently by implementing IT-GRC frameworks.
Below we have listed the top 5 IT Governance USA bestsellers from 2013:

  1. ISO IEC 27001 2013 and ISO IEC 27002 2013
  2. Cyber Risks for Business Professionals: A Management Guide
  3. Comprehensive ISO27001 2005 ISMS Toolkit
  4. The True Cost of Information Security Breaches and Cyber Crime
  5. ITIL Foundation Handbook (Little ITIL) – 2011 Edition

Tags: Corporate governance of information technology, Information Security Management System, Information Technology Infrastructure Library, ISO 27001 2013


Dec 09 2013

Nine Steps to Success – An ISO 27001 2013 Implementation Overview

Category: ISO 27k | DISC @ 1:17 pm


Nine Steps to Success – An ISO 27001(2013) Implementation Overview, Second Edition

Completely up to date with ISO 27001:2013, this is the new edition of the original no-nonsense guide to successful ISO27001 certification. Ideal for anyone tackling ISO 27001 for the first time, Nine Steps to Success outlines the nine essential steps to an effective ISMS implementation. Download your copy today!

Step-by-step advice for ISO 27001 2013 project success

Based on his many years of first-hand experience with ISO27001, Alan Calder covers every single element of the ISO 27001 project in simple, non-technical language, including:

  • how to get management and board buy-in;
  • how to get cross-organizational, cross-functional buy-in;
  • the gap analysis: how much you really need to do;
  • how to integrate with ISO9001 and other management systems;
  • how to structure and resource your project;
  • whether to use consultants or do it yourself;
  • the timetable and project plan;
  • risk assessment methodologies and tools;
  • the documentation challenges;
  • how to choose a certification body.

About the Author

Alan Calder is the Founder and Executive Chairman of IT Governance Ltd, an information, advice and consultancy firm that helps company boards tackle IT governance, risk management, compliance and information security issues. He has many years of senior management experience in the private and public sectors.


Dec 04 2013

ISO27001 2013 high level review for making the transition

Category: ISO 27k | DISC @ 3:06 pm


ISO 27001 2013 high level review for making the transition from ISO 27001 2005

The Case for ISO 27001 (2013) Second Edition (Download the latest book in Adobe)

It has been several months now since the highly anticipated release of the latest information security standard, ISO 27001 2013, which matters most to organizations with a vested interest due to previous compliance with or certification to ISO 27001 2005. ISO 27001 2013 has 114 controls defined within 14 security control clauses (domains), collectively containing a total of 35 main security categories, plus the introductory clauses including introduction, scope and normative references:

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The new standard no longer requires organizations to adopt the Plan-Do-Check-Act (P-D-C-A) model to develop and introduce the ISMS, but leaves it to each organization to determine and adopt a continual improvement model (corrective action) that works for them.

The scope in the new standard requires every organization to make sure that external and internal issues (vendor assessment) and the information security requirements of these parties are addressed in the contract. This clause ensures that an ISMS is relevant to the organization’s activity, including its external partners, and provides assurance that appropriate controls are in place for external parties as well. In the risk assessment area, risks are treated and residual risk is accepted by risk owners rather than asset owners, which may require organizations to build a risk register, which will ultimately become an auditable document.

There is another important requirement relating to the setting of information security objectives (strategy), which includes the evaluation of information security performance and measuring the effectiveness of the ISMS.

Annex A has also been restructured into fewer controls (114) and three new domains:
A.5. Information security policies
A.6. Organisation of information security
A.7. Human resources security
A.8. Asset management
A.9. Access control
A.10. Cryptography – new
A.11. Physical and environmental security
A.12. Operations security – new
A.13. Communications security
A.14. System acquisition, development and maintenance
A.15. Supplier relationships – new
A.16. Information security incident management
A.17. Information security aspects of business continuity management
A.18. Compliance

The Standard now covers what was previously referred to as ‘control of documents’ and ‘control of records’ under the description of ‘documented information’.

There is no longer a summary in this section of the documents mandated by the Standard; the organization is relied upon to identify for itself the requirements for what is now referred to as ‘documented information’. They are listed below:

The scope (4.3)
The information security policy (5.2 e)
The information security risk assessment process (6.1.2)
The information security risk treatment process (6.1.3)
Statement of Applicability (6.1.3 d)
The information security objectives (6.2)
Evidence of competence (7.2)
That documentation ‘determined by the organisation as being necessary for the effectiveness of the information security management system’ (7.5.1 b)
The documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
The results of information security risk assessments (8.2)
The results of information security risk treatment (8.3)
Evidence of the information security performance monitoring and measurement results (9.1)
Internal audit programme(s) and the audit results (9.2 g)
Evidence of the results of management reviews (9.3)
Evidence of the nature of the non-conformities and any subsequent actions taken, and the results of any corrective actions (10.1)

Summary of new controls in ISO 27001 2013 Annex A

A.6.1.5 – Information security in project management
All projects will address information security, regardless of the nature of the project. This ensures that information security is dealt with from the bottom up.
A.14.2.1 – Secure development policy
Rules for the development of software and systems are established and applied to developments. This acts as a sort of precursor control to A.14.1.1 and A.14.1.3, which relate to controlling the data and applications developed under this control.
A.14.2.6 – Secure development environment
The organisation ensures an appropriately secure development environment for system development and integration, across the whole development lifecycle. This is deliberately broad to allow input from the earliest stages of the ISMS (identifying the nature of the organisation), rather than restrictively demanding measures that may not be relevant.
A.14.2.8 – System security testing
The organisation establishes acceptance testing programs and related criteria for new information systems, upgrades and new versions.
A.15.1.3 – Information and communication technology supply chain
This control requires agreements with suppliers to address the information security risks associated with the information and communications technology services and products supply chain.
A.16.1.4 – Assessment of and decision on information security events
Information security events are examined and assessed to determine whether they qualify as information security incidents. This control adds a step to the incident management process.

Contact DISC for a Free Gap Assessment for any domain of your choice based on location

Start your ISMS project with ISO27001 2013 Documentation Toolkit

Mapping of ISO/IEC 27001:2013 to ISO/IEC 27001:2005 for $6.99

Download the ISO27000 family of information security standards!
• ISO 27001 2013 ISMS Requirements (Download now)
• ISO 27002 2013 Code of Practice for ISM (Download now)

Tags: Information Security Management System, isms, ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, iso 27001 certification, ISO 27001 Lead Implementer


Dec 01 2013

ISO27001 2013 ISMS Standalone Documentation Toolkit

Category: ISO 27k | DISC @ 9:53 pm


Start your ISMS project with ISO27001: 2013

With the publication of the new version of the ISO27001 standard, there has never been a better time to start an ISMS implementation project to look after your information security.

ITGP toolkits – ISO27001: 2013 ISMS Documentation Toolkit

This new Toolkit provides you with a comprehensive set of pre-written ISMS documents compliant with the newly released ISO27001: 2013 Standard, built from the necessary policies, procedures, work instructions and records that will save you months of work as you get your information security system up to speed, including:

* Information Security Manual

* Visio Documentation Map and Structure

* Information Security Policy

* vsRisk risk assessment tool Integration Templates (not vsRisk itself)

* Business Continuity Management for information security

* Gap analysis ISO27001: 2013 and ISO27002: 2013 Audit tool

* Asset Management documentation templates such as Asset Inventory, Information Hardware Assets, Software Log, etc.

* Supplier Relationships documentation templates such as External Parties Information Security Procedure and Third Party Service Contracts

* Operations and Communications Security document templates dealing with Anti-Virus Software, Vulnerability Management, Systems Auditing, System Planning & Acceptance, etc.

Benefits of the ISO27001: 2013 ISMS Documentation Toolkit:

  • Fully customisable and editable templates inclusive of:
    7 Policies, 55 Procedures, 23 Work Instructions, 25 Records and guidance documents, as well as blank templates that will enable you to bring your existing documentation in line with a consistent management system
  • Pre-written to be compliant with the standard
  • Saves you time on research
  • Saves you time on writing
  • Provides document guidance as you go
  • Cheaper than one day of consultancy
  • After sales support service
  • 12 months of automatic updates

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit


Nov 05 2013

When can we become certified to ISO/IEC 27001:2013?

Category: ISO 27k | DISC @ 8:39 pm

ISO27001: 2013 – order your copy today >>>

by Lewis Morgan @ ITG

At this moment in time, we can only provide an estimate, based on the insight provided by Steve Watkins, Chair of the UK ISO/IEC 27001 User Group and Director of Consultancy at IT Governance Ltd. Considering Steve’s position, we believe his estimates to be the best guidelines an organization can follow.

The following is taken directly from the ISO27001:2013 Transition Webinar by Steve Watkins:

“It’s likely that as of 1st January 2014, certification bodies will be able to start the transition to the 2013 version of ISO27001 standard. If that is indeed the case, it’s likely to be that as of 30th September, no new ISO27001:2005 certificates can be issued. This means that by the end of September 2016 all ISO27001:2005 certificates should have transitioned to the 2013 version of the standard”

The image below further illustrates what Steve discussed on the webinar, including his suggestions in terms of what organizations should do next.

ISO27k timeline

Tags: Information Security Management System, ISO, ISO/IEC 27001


Sep 25 2013

Be the first to receive ISO/IEC 27001:2013

Category: ISO 27k | DISC @ 6:25 pm


ISO27001:2013 Now Available!

Be the first to receive ISO27001: 2013 – order today >>>

ISO27001: 2013 is the new standard that details the requirements for an information security management system (ISMS).

ISO/IEC 27001 2013 ISMS Requirements

There are several updates to the new standard, including:

• Terms and definitions are now referenced from ISO27000:2012 (with the terminology of ISO27000 also being updated).
• Risk assessment requirements are less prescriptive and are now aligned with ISO 31000, the international standard for risk management.
• The PDCA cycle is no longer mandated as the approach for reviewing and improving an ISMS; you can use PDCA or any other approach.
• The requirements for management commitment have been overhauled and are largely presented in the Leadership clause.
• The requirements for a statement of applicability in the 2013 edition have been enhanced.
• The risk treatment process makes it easier to adopt control frameworks other than Annex A.
• Annex B has been deleted, and Annex A has also been revised and restructured.

Be the first to receive the new ISO27001:2013 standard.

The Code of Practice for Information Security Controls, ISO27002 has also been updated.
ISO/IEC 27002:2013 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
Order ISO27002:2013 today >>>


Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k, Security Risk Assessment | DISC @ 9:09 am


httpv://www.youtube.com/watch?v=M8acvay4FmU

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends: vsRisk™ v1.7, the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity and availability (CIA) for each of the business, legal and contractual aspects of information assets, as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straightforward to use
  • Cost-effective route to assessing risks within your business

Download the definitive risk assessment tool >>

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards


Jul 12 2013

Final Draft of New ISO 27001 Standards Now Available

Category: ISO 27k | DISC @ 9:55 am

The ISO/IEC announced this week that the latest ISO 27001 and ISO 27002 Standards have entered the Final Draft stage (FDIS). This means that the standards are almost ready for publication, with no, or only minor, changes to be made in the final approval stage.

IT Governance is offering you the chance to get ahead of the game and purchase copies of these new ISO 27001 standards today.

ISO/IEC FDIS 27001 2013
Price: $160 (Buy Now)

ISO/IEC FDIS 27002 2013
Price: $240 (Buy Now)


Jun 25 2013

Risk management – ISO 27005 could be the cure

Category: ISO 27k, Risk Assessment | DISC @ 9:30 am

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)

By Catherine Thornley @ ITG

Risk management in information security management and how ISO/IEC 27005 can help you tackle it effectively.

Risk is arguably one of the most commonly used words in business, but what does it actually mean?

There are many English dictionary definitions, many centred around “a situation involving exposure to danger”, and whilst some people talk about upside or positive risk, it is generally accepted that in business, risk is all about the chance that something will go wrong, and how badly.

But of course there is uncertainty in everything we do, and therefore risk. Sometimes there is uncertainty about whether something good will happen, but that just means that there is also a chance that it won’t, which is bad.

Risk and corporate governance

The big thing about risk in business today is corporate governance. People responsible for running companies are simply not allowed, when something goes wrong, to say “we didn’t think of that” or “it never happened before”. Those are two quite common responses, both when something has gone wrong and also when it hasn’t, when senior managers are asked to do something about risk management.

For many, when they do finally look at risk, thinking switches immediately from chance to result. The likely impact of a risk dominates thinking where previously it was the probability of a threat materialising that was the dominant factor.

Many organisations assess risk intuitively; that is to say they simply decide whether an activity, or situation, is very risky, not very risky, or somewhere in between.

This intuitive approach can be applied to information security risk, but it can be very difficult to evaluate risk effectively in this area. The challenge is two-fold: understanding what information security actually is, and knowing how to assess and respond to the related risks in a logical way that will stand scrutiny should the worst happen.

Information security managers, and those doing the job as part of a broader role, often need some help in identifying the most effective way to manage this specific set of risks, which is where ISO 27005 can help.

How ISO 27005 can help

Where ISO 27001 presents a broad blueprint for dealing with information security, ISO 27005 takes it much further and delivers the detail of information security risk assessment, in such a way that the results integrate easily into an ISO 27001 compliant information security management system (ISMS).

ISO 27005 provides a detailed and valuable insight into effective information security risk management. And since ISO 27001 calls for a risk based approach, there cannot be a better basis for it!

5 reasons why vsRisk v1.6 is the definitive risk assessment tool


May 20 2013

A Guide to Data Security and ISO27001/ISO27002

Category: ISO 27k | DISC @ 1:39 pm


IT Governance 5: An International Guide to Data Security and ISO27001/ISO27002

This manual provides clear, unique guidance for both technical and non-technical managers. It details how to design, implement and deliver an ISMS that complies with ISO 27001.

Now in its fifth edition, this title has been fully updated to take account of the latest regulatory and technological developments, and the International Board for IT Governance Qualifications

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO, ISO/IEC 27001, Risk Assessment


Apr 03 2013

IT Governance 5 top tips for Implementing successful ISO27001

Category: ISO 27k | DISC @ 11:06 am


  1. Get a copy of the standard! There are a few people out there who purchase the standard half way through implementation (or even not at all), but the truth of the matter is that this is one of the first things you should do. It will help confirm suspicions and will be the core backbone of what you do from now on.
  2. Get management buy-in. This is critical for supporting your ISO27001 project and making it a success.
  3. Read, read, read! There’s a wealth of free information out there on the web to help you get stuck in to your ISO27001 project. From white papers to LinkedIn groups, you’re sure to find what you’re looking for.
  4. Use all the available tools and resources out there. This will make implementation a lot easier, saving you lots of head scratching, late nights and hours spent staring out the window! Documentation toolkits really help simplify the process and can also lessen the time it takes you to reach certification.
  5. Communication is at the heart of the ISO27001 process. It allows you to keep your Board and the rest of your organisation updated with regular progress reports and key measurements to indicate the success of the project so far.

Nine Steps to Success: an ISO 27001 Implementation Overview. This is the ideal guide for anyone tackling – or about to tackle – ISO27001 for the first time.


Mar 02 2013

Forward-thinking books on information security

Category: Information Security, ISO 27k | DISC @ 8:01 pm


Forward-thinking books on information security help organisations understand current challenges in the sector

/EINPresswire.com/ Keeping up-to-date with information security issues and responding to new cybersecurity challenges can be time-consuming. However, it is essential that anyone concerned with information security, from IT professionals through to the Board members, dedicates time to learning and understanding these issues.

Last week, for example, the UK’s National Audit Office highlighted a severe lack of skilled cybercrime fighters in the UK. Cybercrime is costing the UK economy an estimated £18-27 billion each year.

So, is there a fast route to getting up to speed with what’s happening and what the modern means are to fight cybercrime?

Information security experts at IT Governance advise there is an easy way to catch up with the latest developments and fill in the knowledge gap. They recommend three essential books that can greatly improve everyone’s understanding of information security, data protection and risk management, whilst providing them with enjoyable and useful reading.

Once more unto the Breach – Managing information security in an uncertain world is based on a typical year in the life of an information security manager. The book examines how the general principles can be applied to all situations and discusses the lessons learnt from a real project. The book can be purchased as softcover and eBook from >> Once more unto the Breach – Managing information security in an uncertain world 

IT Governance – An International Guide to Data Security and ISO27001/ISO27002 is the definitive guide to implementing an ISO27001 compliant Information Security Management System (ISMS). Written by industry experts Alan Calder and Steve Watkins, it contains clear guidance on all aspects of data protection and information security. Book reviewers describe it as ‘unparalleled’, ‘a critical source when preparing and managing the ISMS’ and ‘a comprehensive guide as to actions that should be taken’. The book can be ordered online at >> IT Governance – An International Guide to Data Security and ISO27001/ISO27002

Managing Information Security Breaches – Studies from real life provides a general discussion of, and a source of learning about, what information security breaches are, how they can be treated and what ISO27001 can offer in that regard, spiced with a number of real-life stories of information security incidents and breaches. This book is highly relevant and will help every team to prepare a strategic framework for handling information security breaches. Buy a softcover or eBook from >> Managing Information Security Breaches – Studies from real life


Feb 25 2013

PENETRATION TESTING & ISO27001

Category: ISO 27k, Pen Test | DISC @ 10:38 pm


Penetration testing (often called “pen testing” or “security testing”) establishes whether or not the security in place to protect a network or application against external threats is adequate and functioning correctly. It is an essential component of most ISO27001 and UK public sector contracts.

Why would my company need penetration testing services?

In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective penetration testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS – from initial development through to on-going maintenance and continual improvement.

How does penetration testing fit into my ISO27001 ISMS project?

There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:

1. As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.

2. As part of the Risk Treatment Plan: ensuring that the controls that are implemented do actually work as designed.

3. As part of the on-going corrective action/preventive action (CAPA) and continual improvement processes; ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

The Basics of Hacking and Penetration Testing
This guide will show you how to undertake a penetration test or, as it is sometimes known, an ethical hack. The book focuses on how to hack one particular target, which allows you to see how the tools and phases of the pen test relate. To get your copy of The Basics of Hacking and Penetration Testing:
ITG | eBay | Amazon

Penetration Testing – Protecting Networks and Systems
An essential guide to penetration testing and vulnerability assessment, which can be used as a Certified Penetration Testing Engineer exam prep guide. To get your copy of Penetration Testing – Protecting Networks and Systems:
ITG | eBay | Amazon

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Penetration test


Feb 12 2013

Why ISO 27001 certification should be a priority

Category: ISO 27k | DISC @ 10:34 pm


Why ISO 27001 certification is unavoidable

Nowadays, the ISO27001 standard has become an almost unavoidable factor in the field of information security. Compliance is unavoidable because most industries are heavily regulated, and more legislation seems to be on the way to redefine our actions on the internet. Because ISO 27001 requirements are largely a superset of other major standards and regulations, achieving ISO 27001 certification positions most organizations to be well on their way to meeting the requirements of PCI, SOX, HIPAA and GLBA.

Six main benefits of an Information Security Management System based on the ISO 27001 specification

1. Business managers of the organization will make informed decisions regarding potential risk and should be able to demonstrate compliance with standards and regulations such as SOX, GLBA, HIPAA and DPA for their critical information on a regular basis.

2. An ISMS is a defensive mechanism against any APT (advanced persistent threat), minimizing the impact of these external threats and of various forms of cybercrime.

3. Informed information security decisions will be made based on risk assessment, implementing technical, management, administrative and operational controls, which is the most cost-effective way of reducing risk. The highest-priority risks are tackled first to attain the best ROI in information security.

4. Information security is not just an IT responsibility: in general, everybody in an organization is responsible for protecting information assets, and more specifically the business managers, who may delegate their responsibility.

5. The organization will improve credibility and trust among internal stakeholders and external vendors. Credibility and trust are key factors in winning business.

6. An ISMS raises awareness throughout the business of information security risks, involves all employees across the organization and therefore lowers the overall risk to the organization.
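The risk-assessment points made across these posts (in the ISO 27001 2013 review: residual risk accepted by risk owners and the risk register as an auditable document; in the vsRisk feature list: CIA rated for each business, legal and contractual aspect; and in benefit 3 above: highest-priority risks first) can be shown in one small register. This is an added example, not code from the page, from IT Governance or from vsRisk; the 1..5 rating scales, the field names and the two sample risks are assumptions.

```python
"""Minimal information security risk register in the style the posts above describe.
Added example (not code from the page, from IT Governance or from vsRisk): C/I/A is rated
for the business, legal and contractual aspects of each asset, risks are scored
likelihood x impact so the highest-scoring risks are treated first, residual risk is
accepted only by the named risk owner and only within appetite, and the register is
serialised as an auditable document. Scales, field names and sample data are assumptions."""
import json
from dataclasses import asdict, dataclass, field
from datetime import date
from typing import Dict, List, Optional

ASPECTS = ("business", "legal", "contractual")
CIA = ("confidentiality", "integrity", "availability")
SCALE = range(1, 6)  # assumed 1..5 scale for likelihood and impact


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    risk_owner: str
    likelihood: int
    impact: Dict[str, Dict[str, int]]  # impact[aspect][property], each 1..5
    treatment: str = "untreated"       # untreated | modify | avoid | share | retain
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    accepted_by: Optional[str] = None
    accepted_on: Optional[str] = None

    def __post_init__(self) -> None:
        # Refuse partial entries: every aspect needs a full C/I/A rating on the scale.
        if self.likelihood not in SCALE:
            raise ValueError("likelihood out of scale")
        for aspect in ASPECTS:
            for prop in CIA:
                if self.impact.get(aspect, {}).get(prop) not in SCALE:
                    raise ValueError(f"missing or invalid impact: {aspect}/{prop}")

    def inherent_score(self) -> int:
        # The worst-case impact across all aspects and properties drives the score.
        return self.likelihood * max(self.impact[a][p] for a in ASPECTS for p in CIA)

    def residual_score(self) -> int:
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent_score()
        return self.residual_likelihood * self.residual_impact


class RiskRegister:
    def __init__(self, risk_appetite: int) -> None:
        self.risk_appetite = risk_appetite  # residual score at or below this may be accepted
        self.risks: List[Risk] = []

    def add(self, *risks: Risk) -> None:
        self.risks.extend(risks)

    def treatment_queue(self) -> List[Risk]:
        """Risks still above appetite, highest residual score first."""
        open_risks = [r for r in self.risks if r.residual_score() > self.risk_appetite]
        return sorted(open_risks, key=lambda r: (-r.residual_score(), r.asset))

    def treat(self, risk: Risk, controls: List[str], likelihood: int, impact: int) -> None:
        """Record the controls applied and the residual likelihood/impact expected."""
        if likelihood not in SCALE or impact not in SCALE:
            raise ValueError("residual rating out of scale")
        risk.treatment, risk.controls = "modify", list(controls)
        risk.residual_likelihood, risk.residual_impact = likelihood, impact

    def accept(self, risk: Risk, approver: str, on: str) -> None:
        """Only the risk owner may accept, and only if residual risk is within appetite."""
        if approver != risk.risk_owner:
            raise PermissionError(f"{approver} is not the risk owner for {risk.asset}")
        if risk.residual_score() > self.risk_appetite:
            raise ValueError(f"residual score {risk.residual_score()} exceeds appetite")
        risk.accepted_by, risk.accepted_on = approver, date.fromisoformat(on).isoformat()

    def to_json(self) -> str:
        """The auditable record: every rating, control and acceptance decision."""
        return json.dumps([asdict(r) for r in self.risks], indent=2, sort_keys=True)


def rating(**per_aspect: int) -> Dict[str, Dict[str, int]]:
    """Same C/I/A value for a whole aspect, e.g. rating(business=4, legal=5, contractual=4)."""
    return {aspect: {prop: per_aspect[aspect] for prop in CIA} for aspect in ASPECTS}


def build_sample_register() -> RiskRegister:
    """Two constructed risks (not real findings); the first is treated and then accepted."""
    reg = RiskRegister(risk_appetite=6)
    db = Risk("customer database", "credential theft", "shared admin account",
              "Head of Sales", likelihood=4, impact=rating(business=4, legal=5, contractual=4))
    wifi = Risk("office Wi-Fi", "eavesdropping", "weak pre-shared key",
                "IT Manager", likelihood=3, impact=rating(business=2, legal=2, contractual=3))
    reg.add(db, wifi)
    reg.treat(db, ["named admin accounts", "multi-factor authentication"], likelihood=1, impact=5)
    reg.accept(db, "Head of Sales", "2013-12-04")
    return reg
```

Calling `build_sample_register().treatment_queue()` leaves only the untreated Wi-Fi risk, and `to_json()` is the record an auditor would be shown.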

Related Books, Standards and Tools you may need to achieve ISO 27001 certification

Nine Steps to Success: an ISO 27001 Implementation Overview. “It’s like having a $300/hr consultant at your elbow as you consider the aspects of gaining management support, planning, scoping, communication, etc…” Thomas F. Witwicki (amazon.com review)

IT Governance: An International Guide to Data Security and ISO27001/ISO27002
Covers simply everything you need to know about information security and ISO27001. It is also the UK’s Open University’s post-graduate information security textbook. All aspects of data protection / information security are covered including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc.

ISO27000 Standards
Official standards available in hardcopy and downloadable formats.

Standalone ISO 27001 ISMS Documentation Toolkit
This toolkit contains all the documents, procedures and templates you need to massively simplify your progress to certification. It will save you months of work, help you avoid costly trial-and-error dead-ends and ensure everything is covered to the current ISO 27001 standard.

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO/IEC 27001, Risk Assessment


Jan 31 2013

New Draft ISO27001 and ISO27002 Standards

Category: ISO 27k | DISC @ 2:26 pm

Check out the ITG site for details

Industry Update


It has been announced that new Drafts of the two international information security standards ISO27001 (ISMS Requirements) and ISO27002 (Code of Practice) have been published.

These Drafts have been published for the purpose of public consultation. As these are international standards, the consultation process operates internationally, via national standards bodies.

Anyone can comment on the proposed standard and all the comments will then be assembled and reviewed by the committee. The public consultation period closes on 23 March 2013.

To help you understand the proposed changes and implications of these new draft standards we have created an information page.

Click here to read in full about the ISO27001/ISO27002: 2013 Draft Standards

You can also purchase your own copies of the draft standards here:

We will keep you updated with the progress of these standards. Once the new standards are officially published, the existing standards will be withdrawn, however there will be a transition timetable that enables organisations to move from the existing standard to the new one.


Tags: Information Security Management System, International standard, ISO, ISO/IEC 27001, ISO/IEC 27002


Jan 24 2013

Controls against Mobile Code

Category: ISO 27k,Mobile SecurityDISC @ 12:16 pm

ISO 27002 control A.10.4.2 requires that the execution of mobile code be restricted to an intended environment, in support of an authorized organizational mobile code policy.

What is mobile code? Let’s start with a definition: ‘a program or code that can execute at remote locations without any modification; it can travel from one machine to another on a network and execute there during its lifetime.’ Languages used for mobile code include, but are not limited to, Java, JavaScript, ActiveX, VBScript, C++, C#, ASP.NET, macros and PostScript.

Mobile code can be used for anything from benign to very malicious activity, depending on the coder’s intentions. Malicious activities may include collecting personal and private information or patient healthcare information, introducing Trojans and worms, and sometimes modifying or destroying information.

Different mobile code languages are used by the coder to achieve different goals: most pop-ups are coded in JavaScript, while ActiveX is used for downloading applications and patches. Only if a coder or attacker is able to execute mobile code on the organization’s infrastructure (PC, router, switch, server, etc.) does it become possible to download, collect personal and private information or, for that matter, carry out any other malicious activity.

For example, if a window or frame hosted on one server tries to access the properties of a window or frame containing a page from a different server, the browser’s policy comes into play and blocks that kind of action. The idea behind such restrictions is to prevent attackers from placing their own pages inside the original page and extracting unauthorized information with code in their pages written for that purpose.
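The browser check described above, as an added illustration that is not part of the original post: a small Node.js model of the origin comparison (scheme, host and effective port) that decides whether script in one frame may read another frame’s properties. The names originOf, sameOrigin, makeFrame, accessFrameProperty and demo are this example’s own, not browser APIs, and the URLs are constructed samples.

```javascript
// Added example: a model of the browser check the post describes, deciding whether
// script in one window/frame may read properties of another. Runs under Node.js;
// the function names are this example's own, not browser APIs.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin: scheme, host and effective port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// Two pages share an origin only when all three parts match exactly;
// a different sub-domain, scheme or port counts as a different server.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A frame in this model is the URL it was loaded from plus some properties.
function makeFrame(url, props) {
  return { url, props };
}

// Script running in `caller` tries to read property `name` from `target`.
// Cross-origin reads are refused, mirroring the SecurityError a browser raises.
function accessFrameProperty(caller, target, name) {
  if (!sameOrigin(caller.url, target.url)) {
    throw new Error(`SecurityError: ${originOf(caller.url).host} may not read ` +
                    `'${name}' from ${originOf(target.url).host}`);
  }
  return target.props[name];
}

// Constructed sample: a host page, a same-server frame (explicit default port) and a frame from another server.
const hostPage = makeFrame("https://www.example.com/index.html", { title: "Home" });
const sameServerFrame = makeFrame("https://www.example.com:443/help.html", { title: "Help" });
const otherServerFrame = makeFrame("https://other-site.example.net/widget.html", { title: "Widget" });

function demo() {
  const allowed = accessFrameProperty(hostPage, sameServerFrame, "title"); // "Help"
  let refused = false;
  try {
    accessFrameProperty(otherServerFrame, hostPage, "title"); // blocked: different server
  } catch (e) {
    refused = e.message.startsWith("SecurityError");
  }
  return { allowed, refused };
}
```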

Protections for Mobile Code
One of the solutions to stop JavaScript being used to write mobile code that runs on the client side is to parse the code before execution. If the code can be parsed before execution, i.e. with access to the stack, where control over the execution of the code can be achieved, malicious code can be prevented from running.

The best and easiest way to block mobile code is to have an authorized policy that bans or restricts mobile code in your organization. To implement this policy, an organization can build a rule set on its firewall to block all mobile code at the perimeter and stop it entering the organization. At the same time, this may not be feasible for many organizations, since languages like JavaScript and ActiveX are used heavily in building websites to add bells and whistles. This takes us back to the familiar risk assessment question: how much, and which, mobile code should be allowed into the organization? The organization should assess the risk related to each type of mobile code and allow or disallow it based on the risk it poses to the business. If there is an exception, make sure the business owner signs off the exemption form.

Ongoing user awareness of the mobile code policy and the risk assessment process will be necessary to minimize risk. Blocked mobile code should be monitored or scanned in line with the policy, and appropriate measures should be taken if rogue mobile code is detected.

Do you check that your vendors or partners are not downloading malicious mobile code onto your website?

To know more about Mobile Code….
Titles on eBay
Titles on DISC InfoSec Store

Tags: ActiveX, Business, ISO/IEC 27002, Java, JavaScript, Mobile code, Personal computer, VBScript


Jan 17 2013

Project Planning outline for (ISO 27001) ISMS

Category: ISO 27kDISC @ 11:55 am

The project planning process includes steps to estimate the size of the project, estimate the scope of the effort and resources, assess project risks, and produce an acceptable schedule after negotiating with the control owners.

The steps below provide a bullet list of the project plan outline phases and action items for an ISMS (ISO 27001). This is not the project plan itself, but rather a description of the project plan, so the detail is high level. However, this document defines the project and requires formal sign-off; therefore, be as accurate as possible, since any variation may require a formal project change, which adds to schedule and cost.

A generic ISO 27001 project outline includes the following:
• Project Initiation
• Scope of the Project
• Risk Assessment Methodology
• Asset Register
• Risk Assessment
• Risk Treatment Plan
• Statement of Applicability relevant to risk
• Management approval for the Project outline
These steps are outlined in the figure above.

When an individual is assigned as project manager for a project, their success is determined by the complexity of the given project. Due to a lack of the necessary skills, project managers are sometimes changed in the middle of a project. So what are the necessary skills that will determine the success of the project manager? Below are some of the skills needed to run a successful ISO 27001 project.

• Possess outstanding communication skills for dealing with all the stakeholders involved
• Be highly organized and an effective team leader
• Know how to negotiate between cross-functional teams
• Be resource oriented, a problem solver, and understand the relevant infrastructure

Must Read Project Management Books
1. A guide to the Project Management body of Knowledge 5th edition

2. The Concise Prince2

3. 50 Top IT Project Management Challenges

4. Prince 2 2009 manual

Tags: Information Security Management System, ISO/IEC 27001, Project Management, Project manager, Project plan, Project planning, Risk Assessment, Scope (project management)


Jan 15 2013

Management System Toolkits

Category: BCP,ISO 27kDISC @ 11:19 am

For 10 years IT Governance has been helping businesses build robust cyber defences, deliver improved IT services and comply with international and regulatory standards.

ITG understand that information technology is at the heart of every modern organisation. That is why ITG source, create and deliver IT products and services that meet the real world needs of today’s organisations, managers and practitioners.

ITG toolkits help small and medium organizations quickly adopt best management practice in technology governance, risk management and compliance. You don’t have to take ITG’s word for it. Download the demo and see if it fits your organizational needs.

ITG offer free trials of all our best-selling toolkits. These toolkits contain all the documents, templates and tools to help organizations quickly and cost-effectively implement a management system or IT standard.

Take a free toolkit demo today

ISO22301 Business Continuity Management System Documentation Toolkit

ISO27001 Cyber Security ISMS Documentation Toolkit

ITSM, ITIL & ISO20000 Implementation Toolkit

ISO9001 Quality Management System Documentation Toolkit

Business Transformation Toolkit


Dec 11 2012

Monitoring and reviewing third party InfoSec services

Category: ISO 27k,Vendor AssessmentDISC @ 12:25 pm

Control A.10 of ISO 27001 requires the outsourcing organization to monitor and review the performance of third-party service providers on a regular basis, including contractors working on critical assets within the scope. Service Level Agreements (SLAs) or Operational Level Agreements (OLAs) are the binding legal agreements that cover all the important services needed to fulfil the information security and compliance requirements of an organization.

The contract with the service provider should require standard reports on a regular basis; these should be reviewed at least monthly in meetings attended by the staff and management responsible for the services. In these meetings, management should ensure that the contractual requirements have been met by the service provider.

Key management responsibilities should include, but are not limited to, the following:

• The outsourcing organization should decide which key metrics will be created to monitor the performance of the service provider and to ensure that contractual clauses are met consistently.
• For information security related services, review all incidents for a specified period (at least once a month) to make sure they have been included in the organization’s treatment plan for appropriate corrective action, based on the organization’s risk priorities.


Related Articles and Info.

ISO 27001 is the litmus test for information security
Live Webinars feed for Governance, Risk and Compliance

Tags: Contract, Information Security, ISO/IEC 27001, Operational-level agreement, Service-level agreement, SLA

