Aug 08 2008

ISO27k and compliance

Category: Information Security,ISO 27kDISC @ 2:42 am

Security review is performed to identify and analyze risks and weaknesses in the current security posture of an organization. An ISO assessment is performed utilizing international standard ISO 27002 and company security policy, the purpose of the review is to evaluate the information security posture of an organization based on international standard. The level of compliance will indicate how close your organization is to meeting the key objectives for each 133 controls defined within 11 security control clauses collectively containing a total of 39 main security categories and one introductory clause introducing risk assessment and treatment.

It is important to not only assess the control for completeness (all relevant areas are addressed) and comprehensiveness (each individual area is covered completely), but also this balanced framework serves as the basis for both measuring an organization’s effectiveness in addressing risk and structuring an organization’s overall security program. Because ISO 27002 requirements are largely a superset of other major regulations, achieving ISO 27002 compliance positions most organizations to be well on their way to meeting the requirements of SOX, HIPAA and GLBA.

To achieve ISO compliance, thorough assessment utilizing all 133 controls will provide mitigating solution guidelines for gaps. To give your business an edge, conduct a security review based on ISO controls, if you would like to compare your security practices with international standard.
The result of the assessment will not only establish and maintain security policy, but also validates the policy’s completeness, design new controls and provide a road map to mitigate risks. An assessment of risks will determine what issues need to be addressed and provide a guideline to meet security regulations and a road map to build a world class ISMS (Information Security Management System).

ISO27001 is an international standard which is considered as an information security best practice or due diligence and is part of the security controls and audit controls specification document. ISO27002 is a code of practice which recommends guidelines for information security management systems and is closely linked to ISO 27001. ISO27001 continues to provide comprehensive best-practice advice and guidance to private and public organizations around the globe on how to design and implement a compliant information security management system ISMS.
An ISMS is not simply a set of documents. Maintaining and improving ISMS allows it to grow over time to address new business requirements. An ISMS is simply a system which addresses information security risks facing an organization and identifies the level of organization compliance with applicable regulations.

Reblog this post [with Zemanta]

Tags: glba, Health Insurance Portability and Accountability Act, hipaa, Information Security, Information Security Management System, isms, iso 27002, iso assessment, iso compliance, ISO/IEC 27001, ISO/IEC 27002, sox