Aug 22 2014

Do it yourself solution for ISO27001 implementation

Category: ISO 27k | DISC @ 3:16 pm


ISO 27001 Do It Yourself Package

This is the do-it-yourself solution for ISO27001 implementation

Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.

This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.


This package does not include certification fees which are paid directly to the certification body.


The ISO 27001 do-it-yourself package contains:

  • The ISO 27001:2013 Standard, which details the requirements against which you will be audited.
  • The ISO 27002:2013 Standard, which is the code of practice that provides support for the implementation of the information security controls in ISO27001.
  • The ISO 27000:2014 Standard, which contains the terms and definitions referenced in ISO27001.
  • IT Governance – An International Guide to Data Security and ISO27001/ISO27002, which details how to design, implement and deliver an Information Security Management System (ISMS) that complies with ISO27001.
  • Nine Steps to Success – An ISO 27001 Implementation Overview, which outlines the nine critical steps that mean the difference between ISO27001 project success and failure.

The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.

Based on your needs, you may also need: ISO27001-2013 Gap Analysis Tool

Tags: Corporate governance of information technology, data security, Information Security, Information Security Management System, International Organization for Standardization, isms, ISO/IEC 27001, Risk Assessment

Apr 12 2013

Exploding the myths surrounding ISO9000

Category: Information Security | DISC @ 10:05 am


Exploding the myths surrounding ISO9000 (Adobe eBook)

Thousands of companies worldwide are reaping the benefits from implementing the ISO9000 Quality Management standard. However, there are many conflicting opinions about the best approach. Some companies have delayed applying the standard, or have chosen not to implement it at all. This might be because of a lack of time and resources to investigate it properly, or because of misunderstandings about the way it works. So, how do we know who and what to believe?

The secrets of successful ISO9000 implementation

In Exploding the Myths Surrounding ISO9000, Andrew W Nichols debunks many of the common misconceptions about the standard, and describes the many advantages it brings. Drawing on more than 25 years of hands-on experience, Andy gives clear, practical and up-to-date advice on how to implement ISO9000 to maximum effect. Full of real-life examples, this book will enable you to:
• read and interpret the ISO9000 documentation in order to realize its benefits for your company
• estimate your company’s implementation needs
• benefit from the results of this management system as positive change is effected throughout the company and down the supplier chain
• increase efficiencies and reduce waste
• grow sales as you understand and meet your customers’ needs

Read this unique book and make ISO 9000 work for you.


Tags: International Organization for Standardization, ISO 9000, Quality management, Quality management system

Nov 27 2012

New ISO27013 Standard helps integrate ISO27001 with ISO20000

Category: ISO 27k | DISC @ 2:27 pm

IT Governance Ltd, the global leader in IT governance, risk management and compliance, has announced that the highly anticipated ISO27013:2012 Standard has been published and is now available to buy from the company’s online shop at ITG

ISO27013:2012 focuses exclusively on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 – two of the world’s leading and highly regarded standards. ISO/IEC 27001 deals with information security management systems (ISMS) and provides organisations with a powerful framework for sharing best practice and guidance on protection from cybercrime. ISO/IEC 20000-1:2011 is the international IT service management standard, which enables organisations to ensure that their IT service management processes are aligned with the needs of the business.

The ISO27013:2012 Standard has been designed to help organisations implement both standards together, or implement one when the other is already in place in the organisation. By doing this, organisations can achieve increased customer satisfaction, competitive advantage, improved business operations and considerable cost savings over time.

Organisations can purchase ISO/IEC 20000-2:2012 and ISO 27013 from IT Governance.

Tags: Information Security Management System, International Organization for Standardization, isms, ISO 27013, ISO/IEC 20000, ISO/IEC 27001

Nov 19 2012

PCI view of Risk Assessment

Category: pci dss, Security Risk Assessment | DISC @ 11:02 pm


Organizations that need to comply with PCI-DSS need to create their own risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).

The PCI Risk Assessment Special Interest Group says that when developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate.

Key recommendations include:
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization

PCI view of things: 

The announcement

And the V1 document (also attached)

Below is my post on risk management from the perspective of ISO 27001, which has expert guidance on planning and implementing a risk assessment and protecting your business information:

Information Security Risk Management for ISO 27001

Tags: International Organization for Standardization, ISO/IEC 27001, Methodology, Payment card industry, Payment Card Industry Data Security Standard, Risk Assessment, Risk management

Oct 30 2012

Operation Procedures and ISMS

Category: ISO 27k | DISC @ 11:18 am

ISO 27001 Annex A control 10.1.1 requires an organization to identify all necessary operating procedures at the policy level and then document those operating procedures based on the current environment. All of these operating procedures should be under strict document control, meaning they are reviewed and updated at regular intervals set by the organization’s risk acceptance level. If your organization already has ISO 20000, the ISO 20000 document control procedures are applicable to ISO 27001 as well.

ISO 27002 recommends the detail these operating procedures should address. The level of detail in the work instructions will be proportional to the size of the organization and the complexity of the task; the rule of thumb is that another trained member of staff should be able to follow the instructions without much assistance. The procedures should have input from a cross-functional team, especially the security staff and the staff who operate the procedures, and should take into account the vendor’s user manual for all basic functions of the operation. Organizations that outsource their IT and security services need to specify the documentation requirements, based on ISO 27001/ISO 9000, in their contracts, and the relevant documents should be audited on a regular basis to keep the required ISO certification.

Below are some examples of operating procedures:

  • Backup and restore procedures.
  • Handling of information based on its classification.
  • Contact list of all supporting staff, including vendors, to tackle unexpected events.
  • Detailed system restart and recovery procedures to tackle unexpected incidents.

Tags: Information Security, Information Security Management System, International Organization for Standardization, ISO/IEC 27001, ISO/IEC 27002

Jan 11 2010

Long Awaited ISO/IEC 27004:2009

Category: ISO 27k | DISC @ 12:49 pm

Security Metrics: Replacing Fear, Uncertainty, and Doubt

The long awaited international standard on Information Security Measurement, ISO/IEC27004:2009, is now available.

It’s a must have –
To Download a copy of ISO27004 – Information Security Metrics

Key Features and Benefits:

• Provides guidance on the development, implementation and use of metrics to measure the effectiveness of an ISO 27001-compliant ISMS, its controls or groups of controls, helping you to quantify the payback to your organisation of implementing an ISMS.
• Covers not just the development, implementation and use of metrics, but also the communication of the results, helping you to ensure management buy-in for future projects.
• Using this standard provides opportunities to identify areas in need of improvement, facilitating continual improvement and thus leading to more secure information, cost savings and increases in efficiency.

If you have not calibrated the model with measurement, only one thing is certain: you will either overspend or under-protect.

Get your copy today >>

Tags: Individual Standards, International Organization for Standardization, ISO, ISO 27004, ISO 27k, iso measurement, iso27004, Policy, Security, under-protect

May 06 2009

Rise of cybercrime and management responsibility

Category: Information Security, Information Warfare | DISC @ 5:08 pm

According to an SF Chronicle article by Deborah Gage (May 8, 2009, C2), Consumer Reports magazine’s annual “State of the Net” survey finds that cybercrime has held steady since 2004, with one in five consumers becoming a victim in the last two years, at a cost to the economy of $8 billion. The consumer report can be found at

Uncertain economic times bring new threats and scams, and most security experts agree that there is a possibility of an increase in cybercrime this year. The survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.

First, why are all the signs showing an uptick in cybercrime, and second, what are we going to do about it?

Management should start treating security as part of the total cost of ownership instead of wasting time on the question of what the ROI of information security is. If there is a security breach, somebody in management should be held accountable, not IT or security personnel. Management will keep demonstrating a lax attitude toward data protection and security in general unless there are serious consequences, such as jail time for a lack of security controls (basic due diligence) and for not taking appropriate action on risks that posed a significant threat to the organization.

PCI, HIPAA and SOX compliance are a good start in the right direction for getting management to take information security into consideration, but these compliance initiatives don’t address the security of the whole organization; they address the security risks of a single business unit. If management is really serious about security, then the ISO 27002 code of practice is one of the options that should be considered to address the security of the whole organization, and ultimately the organization should achieve ISO 27001 certification, which builds a comprehensive information security management system to manage ongoing risks.



Tags: Information Security, International Organization for Standardization, isms, iso 27001, iso 27002, Operating system, Policy, Security

Feb 13 2009

Global economic insecurity and rise of insider threats

Category: Insider Threat | DISC @ 6:04 pm


According to BBC news article by Maggie Shiels (Feb 11, 2009) the world’s biggest software maker has warned companies to expect an increase in “insider” security attacks by disgruntled, laid-off workers. Microsoft said so-called “malicious insider” breaches were on the rise and would worsen in the present downturn.

Below are the high points:
• With 1.5 million predicted job losses in the US alone, there is an increased risk and exposure to these attacks
• Insider threat is one of the most significant threats companies face, said Microsoft’s Doug Leland
• The malicious insider is classed as the greatest security concern because they have access, and relatively easy access, to corporate assets
• During economic insecurity people are motivated by revenge, fear or greed
• 88% of data breaches were caused by simple negligence on the part of staff
• Employees steal information to sell to a third party, to get back at a company for being laid off or demoted, or to try to get a job at another company
• Even though insider attacks are lower in number, they can be more devastating because the employee knows where “the crown jewels” are kept – unlike a hacker who has to go on something of a “fishing expedition” to find a company’s valuable assets
• The outstanding, unsolved, unaddressed risk management problem that has existed for years is that everyone is focusing on the hacker
• Data loss prevention systems specialize in the detection of precisely these events

Here is the article: Malicious insider attacks to rise

To find the correct balance between data security and data availability, organizations are urged to buy a copy of Data Breaches: Trends, Costs and Best Practices.

Even in good times, management focuses on driving shareholder value by increasing revenue and profits. I think that during this economic downturn information security will be the last thing on their minds, which will not only compound the problem but give an edge to attackers, and is simply a bad business decision considering the circumstances. It’s about time to start paying attention to regulatory compliance for the sake of securing organizational assets. A good place to start is to have some sort of baseline based on an information security framework and come up with a strategy to improve on that baseline. An ISO assessment can be used to baseline the organization’s security posture and is a great first step towards ISO 27002 compliance, or for that matter any compliance audit.

What do you think: are boardrooms appropriately prepared to tackle, or perhaps slow down, the wave of data breaches coming our way?

Related articles:
• Unstable Economy and Insider Threats
• Economic Crisis Tops Security Threats to U.S.
• Detecting Insider Threats


Tags: BBC, Consultants, Data loss prevention products, Information Security, International Organization for Standardization, iso 27002, Microsoft, Risk management, Security

Feb 12 2009

SB1386 and ISO27002

Category: ISO 27k | DISC @ 7:08 pm

In April 2007, the California State IT Council adopted an information security program guide that helps organizations comply with SB 1386. The council advised using the ISO 27002 information security framework to comply with and meet the needs of SB 1386.


Which businesses are affected by the SB 1386 law?
o Businesses located in California
o Outsourcing companies that do business with a company in California or have customers in California
o Data centers outside California that store information about California residents


Toolkits are designed to help organizations that need to comply with a law like SB 1386. The SB 1386 and ISO 27002 implementation toolkit assists with ISO 27002 compliance and also helps organizations interested in certification to lay the groundwork for ISO 27001 certification, which would demonstrate conformance with a world-class information security management system.

The comprehensive SB 1386 Implementation Toolkit comprises:
1. The SB 1386 Documentation Toolkit: a download of nearly 400 densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
o automates and delivers an ISO/IEC 27001-compliant risk assessment
o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
o Comprehensive best-practice alignment
o Supports ISO 27001
o Supports ISO 27002 (ISO/IEC 17799)
o Conforms to ISO/IEC 27005
o Conforms to NIST SP 800-30
o The wizard-based approach simplifies and accelerates the risk assessment process;
o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).

Buy The SB-1386 & ISO27002 Implementation Toolkit NOW!

ISO assessment is a great first step towards ISO 27002 compliance and toward the final goal of ISO 27001 certification audit or for that matter any compliance audit.

ISO 27002 Framework for Today’s Security Challenges


Tags: Information Security, Information Security Management System, International Organization for Standardization, iso 27001, iso 27002, iso 27005, iso assessment, National Institute of Standards and Technology, sb 1386

Jan 30 2009

ISO 27k and CMMI

Category: Information Security, ISO 27k | DISC @ 2:00 am

To become a successful business in today’s market, optimized information security controls may be the panacea for unmet security needs. One way to achieve optimized information security controls is to perform an ISO assessment: assess the organization’s security posture against the ISO 27002 code of practice and map each control to the Capability Maturity Model Integration (CMMI) to find the current CMMI level for each control. The goal is to address the organization’s security needs as a whole, and to assess how different departments and business functions are addressing the current business security requirements. CMMI has five levels and evaluates security controls by level, not by specific objectives. Each level provides the basis for the next; it is not possible to reach the next level without satisfying the previous one. ISO 27002 is a comprehensive framework that can be used to obtain the baseline on which each level is built. For each control in ISO 27002, maturity levels are defined using the maturity definitions found in CMMI, so the assessment report can state the maturity level of each ISO 27002 control. Using the colour-coded scheme of the CMMI model, create a one-page ISO control summary for executives; it will not only help them understand the current security posture but can also be instrumental for measuring progress and allocating resources.

The scope of the ISO27k standards includes various aspects of IT. The introduction to ISO 27002 states clearly: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”

Benefits of the ISO 27k framework:
o Addresses the security issues of the whole organization and limits data breaches
o Addresses compliance with various regulations (SOX, HIPAA and PCI) without creating silos
o Reduces the total cost of security by decreasing the total number of controls required
o Shows that your business is serious about information security, not just compliance
o Enhances partners’ and vendors’ confidence in doing business with your organization
o Likely to be a deciding factor for national and especially international partners awarding more business
o Internationally recognized standard that addresses security awareness for the whole organization


An assessment will give an organization a high-level view of its current security posture and provide a road map for security strategy, in the sense of what needs to be addressed first using a risk-based approach. This is also a good start if your organization is interested in an Information Security Management System (ISMS) or ISO 27001 certification. ISO 27001 is the standard for the certification and contains the set of requirements for an ISMS. Justifiable scoping is the key to a quick and successful certification; an organization may widen its scope at a re-certification attempt. In a first attempt you might include only a web portal in your scope, together with the infrastructure supporting that portal. Once the ISMS project scope is determined, here are some steps you can follow to prepare for the ISO 27001 auditors.

1. Based on your scope, create an asset list
2. Identify each asset’s threats and vulnerabilities, and classify the asset on a CIA (confidentiality, integrity, availability) scale
3. Build a risk matrix based on the impact and likelihood of each risk
4. Set priorities based on the impact and likelihood of each risk
5. Based on those priorities, implement appropriate controls for the risks that need to be addressed
6. Repeat the risk assessment and improve the ISMS through the PDCA cycle
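The six steps above, and the CMMI maturity mapping described earlier in this post, carried through in code as an added example; this is not the blog’s code nor any vendor’s assessment tool. The asset names, CIA scores, likelihoods, priority thresholds, target maturity levels and colour bands are constructed assumptions, and the control-to-risk mapping uses a few ISO/IEC 27002:2005 control numbers (10.1.1 is the one the page cites). Risk is scored as impact times likelihood, and step 5 becomes "raise each control to the maturity its worst risk demands".

```python
"""Risk assessment in the shape of the six preparation steps, with each
ISO 27002 control's state recorded as a CMMI maturity level (1-5).
Added example; all sample values are constructed."""
from dataclasses import dataclass, replace

# Standard CMMI level names; the colour banding below is an assumption.
CMMI_LEVELS = {1: "Initial", 2: "Managed", 3: "Defined",
               4: "Quantitatively Managed", 5: "Optimizing"}

# ISO/IEC 27002:2005 control numbers used in this example.
CONTROLS = {
    "10.1.1": "Documented operating procedures",
    "10.5.1": "Information backup",
    "11.2.1": "User registration",
    "12.6.1": "Control of technical vulnerabilities",
}

@dataclass(frozen=True)
class Asset:            # step 1: one entry in the scoped asset list
    name: str
    c: int              # confidentiality 1 (low) .. 3 (high)
    i: int              # integrity
    a: int              # availability

@dataclass(frozen=True)
class Risk:             # step 2: a threat/vulnerability pair on an asset
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    control: str        # ISO 27002 control expected to treat it

def impact(asset):
    """Worst-case impact: the highest of the three CIA ratings."""
    return max(asset.c, asset.i, asset.a)

def score(risk):
    """Step 3: risk = impact x likelihood, range 1..15."""
    return impact(risk.asset) * risk.likelihood

def band(s):
    """Step 4: priority band; the thresholds are this example's assumption."""
    return "high" if s >= 10 else "medium" if s >= 5 else "low"

def prioritise(risks):
    """Highest score first; ties broken by asset name for a stable report."""
    return sorted(risks, key=lambda r: (-score(r), r.asset.name))

# Maturity a control must reach for the worst risk it treats (assumption).
TARGET_MATURITY = {"high": 3, "medium": 2, "low": 1}

def treatment_plan(risks, maturity):
    """Step 5: controls below target, as control -> (current, target)."""
    needed = {}
    for r in risks:
        needed[r.control] = max(needed.get(r.control, 1),
                                TARGET_MATURITY[band(score(r))])
    return {c: (maturity.get(c, 1), t) for c, t in sorted(needed.items())
            if maturity.get(c, 1) < t}

def colour(level):
    """Executive summary colour: red = ad hoc, amber = managed, green = defined or better."""
    return "red" if level <= 1 else "amber" if level <= 2 else "green"

def maturity_summary(maturity):
    """One line per control for the one-page executive summary."""
    return {c: (lvl, CMMI_LEVELS[lvl], colour(lvl)) for c, lvl in sorted(maturity.items())}

def reassess(risks, new_likelihood):
    """Step 6: rescore with post-treatment likelihoods (the PDCA 'Check')."""
    out = []
    for r in risks:
        after = replace(r, likelihood=new_likelihood.get(r.threat, r.likelihood))
        out.append((r.threat, band(score(r)), band(score(after))))
    return out

# Constructed sample scope: a web portal and the infrastructure behind it.
PORTAL = Asset("web portal", c=2, i=3, a=3)
CUSTOMER_DB = Asset("customer database", c=3, i=3, a=2)
BACKUPS = Asset("backup store", c=3, i=2, a=1)

RISKS = [
    Risk(CUSTOMER_DB, "SQL injection via portal", "unpatched web application", 4, "12.6.1"),
    Risk(PORTAL, "ransomware on portal host", "restore never tested", 3, "10.5.1"),
    Risk(BACKUPS, "ex-employee reads backups", "accounts not removed on leaving", 2, "11.2.1"),
    Risk(PORTAL, "operator error during restart", "restart steps undocumented", 2, "10.1.1"),
]
# Current maturity of each control as found by the assessment (constructed).
MATURITY = {"10.1.1": 1, "10.5.1": 2, "11.2.1": 2, "12.6.1": 1}

if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{score(r):2d} {band(score(r)):6s} {r.asset.name}: {r.threat} -> {r.control}")
    print("treat:", treatment_plan(RISKS, MATURITY))
    for c, (lvl, name, col) in maturity_summary(MATURITY).items():
        print(f"{c} {CONTROLS[c]:40s} L{lvl} {name:22s} {col}")
    print("after patching:", reassess(RISKS, {"SQL injection via portal": 2}))
```

Running it lists the four risks from 12 (high) down to 6 (medium), reports that 12.6.1 must move from level 1 to 3 and 10.1.1 from 1 to 2 while the two controls already at level 2 need no work for their medium risks, prints the colour-coded control summary, and shows the SQL injection risk dropping from high to medium once patching lowers its likelihood. Re-running `maturity_summary` after each assessment cycle gives the progress measure the executive summary is meant to provide.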

“ISO27001 is a structured, technology-neutral, vendor-agnostic specification and code of practice for information security management in organizations of all sizes that should be adopted as part of an organization’s overall risk management strategy.”

This should give you a jump start on certification. You have already started the certification process, because most of the documentation from the risk assessment becomes part of the certification process later and leads you into the 12 steps that make up the PDCA cycle. The ISMS certification process uses the Plan-Do-Check-Act (PDCA) cycle methodology, which continually improves the information security management system and meets the contractual, legal and regulatory requirements for information security.

An ISO assessment is used to analyze the current security posture of an organization, where each control is defined and can be colour coded using the base definitions found in CMMI. Therefore an ISO assessment is a great first step towards the final ISO 27001 certification audit, or for that matter any compliance audit.


ISO 27k framework for today’s security challenges

Three useful titles on ISO 27k by Alan Calder

Tags: Capability Maturity Model Integration, CIA scale, Information Security, Information Security Management System, International Organization for Standardization, isms, iso 27001, iso 27002, ISO/IEC 27001, PCI, PDCA, Risk Assessment, Risk management, Security, SOX HIPAA, vsrisk

Jan 14 2009

Cyber warfare and possibility of cybergeddon

Category: Information Warfare | DISC @ 1:56 am


Background and Risks Associated with Various SCADA Systems | Envista Forensics

Cyber warfare poses a serious threat to the critical infrastructure of a country. It has been a major challenge for DoD officials; cyber attackers have already stolen terabytes of data from their infrastructure.


Most security experts and the FBI agree that cyber attacks pose the biggest threat to US vital infrastructure. “Cybergeddon” is the scenario in which our daily economy, which depends on interconnected vital network infrastructure, is hacked by cyber attackers.

SCADA (Supervisory Control and Data Acquisition) systems control the power grids in all the utilities; such “systems are used in industry to monitor and control plant status and provide logging facilities and are highly configurable”. A SCADA system is the connection between the control systems and the switches.

Cyber attacks have already caused multi-city power outages outside the US. Recent attacks show that cyber attackers are becoming more knowledgeable about SCADA systems. In the past SCADA systems used to be isolated, but they are now slowly being integrated with the rest of the infrastructure and using the IP addressing scheme. Both changes introduce new threats and raise the risk of cyber attack.

Utilities are the most critical infrastructure in the sense that other vital infrastructure depends on the power supply. A cyber attack on a SCADA system has the potential for cybergeddon, and SCADA should be protected as a very critical asset by both the public and private sectors. Security through obscurity is no longer the answer for SCADA.


For SCADA systems, reasonable security can be achieved by adopting the ISO 27k standards as policy and eventually acquiring ISO 27001 (ISMS) certification. Organizations may start the certification process with a limited scope (of critical processes) and extend the scope at each recertification based on the resources available and management’s risk appetite. An Information Security Management System (ISMS) can be a valuable process for the ongoing monitoring, maintenance and process improvement of SCADA. An ISMS in place as a process provides a reasonable safeguard against zero-day attacks.


How do I prepare for a power outage?



“SCADA system has been poorly managed for decades”

Tags: Cyber-warfare, cybergeddon, Information Security Management System, Information Warfare, International Organization for Standardization, ira winkler, iso 27001, SCADA, Security