Nine Steps to Success â An ISO 27001 Implementation
DISC InfoSec
#InfoSecTools and #InfoSectraining
Aug 26 2021
What is ISMS
Implementing an ISMS
There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a âPlan Do Check Actâ process.
ISO 27001 is the international security standard that details the requirements of an ISMS.
ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS.
A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.
The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.
The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as âcontrolsâ).
ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.
ISO 27001 Risk Assessment and Gap Assessment
Oct 21 2019
6 Essential Pillars for InfoSec Prioritization
It may be time to Think Differently in security.
Do you know which of your vulnerabilities are critical, those which can wait a day, vs ones that are just noise? Read this handy guide to get the 6 essential pillars for comprehensive InfoSec prioritization:
The Five Laws of Cybersecurity | Nick Espinosa | TEDxFondduLac
httpv://www.youtube.com/watch?v=_nVq7f26-Uo
Your 5 Year Path: Success in Infosec
httpv://www.youtube.com/watch?v=Uv-AfK7PkxU
Top 20 Security Controls for a More Secure Infrastructure
Subscribe to DISC InfoSec blog by Email
Oct 14 2019
The best practice guide for an effective infoSec function
The best practice guide for an effective infoSec function: iTnews has put together a bit of advice from various controls including ISO 27k and NIST CSF to guide you through whatâs needed to build an effective information security management system (ISMS) within your organization.
This comprehensive report is a must-have reference for executives, senior managers and folks interested in the information security management area.
Practice Guide
Open a PDF file The best practice guide for an effective infoSec function.
How to Build a Cybersecurity Program based on the NIST Cybersecurity Framework
httpv://www.youtube.com/watch?v=pDra0cy5WZI
Beginners ultimate guide to ISO 27001 Information Security Management Systems
httpv://www.youtube.com/watch?v=LytISQyhQVE
Conducting a cybersecurity risk assessment
Subscribe to DISC InfoSec blog by Email
Feb 05 2019
ISO 27001 ISMS Documentation Toolkit Bolt-on
Combine with the ISO 9001:2015 QMS Documentation Toolkit and/or the ISO 14001:2015 EMS Documentation Toolkit to create an ISO 27001- compliant integrated management system (IMS).
DISC InfoSec 🔒 securing the business 🔒 Cyber Security Awareness
â Grab this Headline Animator
Nov 14 2016
Implementing an ISMS: where should you start?
With the number of ISO 27001 certifications rising fast in the US, organizations will be looking to implement an ISO 27001-compliant information security management system (ISMS) quickly, before any of their competitors.
However, the hardest part of achieving ISO 27001 certification is providing the documentation for the ISMS. Often – particularly in more complex and larger businesses â the documentation can be up to a thousand pages. Needless to say, this task can be lengthy, stressful and complicated.
IT Governance Publishingâs (ITGP) ISO 27001 toolkits offer this documentation in pre-written templates, along with a selection of other tools to:
- Help save you months of work as all the toolkits contain pre-written templates created by industry experts that meet ISO 27001:2013 compliance requirements.
- Reduce costs and expenses as you tackle the project alone.
- Save the hassle of creating and maintaining the documents yourself.
- Accelerate your management system implementation by having all of the tools and resources you need at your disposal.
- Ensure nothing is left out of your ISMS documentation.
When an organization’s need help with their ISMS projects, theyâre normally at a loss.
The two major challenges they face are creating supporting documentation and performing a risk assessment.
With wide range of fixed-price toolkits, these toolkits can provide you with the official ISO 27000
- Do you know how to implement an ISMS?
- What steps should you take?
- How long will it take?
Nov 09 2014
When to use tools for ISO 27001/ISO 22301 and when to avoid them
If youâre starting to implement complex standards like ISO 27001 or ISO 22301, youâre probably looking for a way to make your job easier. Who wouldnât? After all, reinventing the wheel doesnât sound like a very interesting job.
So, you start looking for some tool to help you with these information security and business continuity standards, but beware â not every tool will help you: you might end up with a truck wheel that doesnât fit the car youâre driving.
Types of tools
Letâs start first with what types of tools youâll find in the market that are made specifically for ISO 27001 and ISO 22301:
a) Automation tools â these tools help you semi-automate part of your processes â e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.
b) Tools for writing documentation â these tools help you develop policies and procedures â usually, they include documentation templates, tutorials for writing documentation, etc.
Pros and cons of automation tools
Automation tools are generally useful for larger companies â for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.
However, applying such automation tools to smaller companies can prove to be very expensive â most of these tools are not priced with smaller companies in mind, and even worse â training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.
There are some tools for which I personally see no purpose â for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights â it doesnât have to be any more sophisticated than that.
Can you automate everything?
One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy â to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.
Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly â this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.
What to watch out for when looking for documentation writing tools
You wonât need tools for writing your policies, procedures, and plans if you already developed your documentation based on a framework that it similar to ISO 27001 â e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).
In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones â here are a couple of tips:
- Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
- Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
- Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.
So, to conclude: yes â in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.
Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit .
Related articles
Aug 22 2014
Do it yourself solution for ISO27001 implementation
ISO 27001 Do It Yourself Package
This is the do-it-yourself solution for ISO27001 implementation
Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.
This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.
This package does not include certification fees which are paid directly to the certification body.
The ISO 27001 do-it-yourself package contains:
- The ISO 27001:2013 Standard, which details the requirements against which you will be audited.
- The ISO 27002:2013 Standard, which is the code of practice that provides supports for the implementation of information security controls for ISO27001.
- The ISO 27000:2014 Standard, which contains the terms and definitions referenced in ISO27001.
- IT Governance â An International Guide to Data Security and ISO27001/ISO27002, which details how to design, implement and deliver an Information Security Management System (ISMS) that complies with ISO27001.
- Nine Steps to Success â An ISO 27001 Implementation Overview, which outlines the nine critical steps that mean the difference between ISO27001 project success and failure.
The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.
Based on your needs, you may also need: ISO27001-2013 Gap Analysis Tool
Related articles
May 10 2014
Information Security and ISO 27001-2013
The perfect introduction to the principles of information security management and ISO27001:2013
Most organizations implementing an information security management regime opt for systems based on the international standard, ISO/IEC 27001. This approach ensures that the systems they put in place are effective, reliable and auditable.
Up to date with the latest version of the Standard (ISO27001:2013), An Introduction to information security and ISO27001:2013 is the perfect solution for anyone wanting an accurate, fast, easy-to-read primer on information security from an acknowledged expert on ISO27001.
This pocket guide will help you to:
Make informed decisions
- By providing a clear, concise overview of the subject this guide enables the key people in your organization to make better decisions before embarking on an information security project.
Ensure everyone is up to speed
- Once you have decided to implement an information security project, you can use this guide to give the non-specialists on the project board and in the project team a clearer understanding of what the project involves.
Raise awareness among staff
- An Information Security Management System (ISMS) will make demands of the overall corporate culture within your organization. You need to make sure your people know what is at stake with regard to information security, so that they understand what is expected of them.
Enhance your competitiveness
- Your customers need to know that the information you hold about them is managed and protected appropriately. And to retain your competitive edge, you will want the identity of your suppliers and the products you are currently developing to stay under wraps. With an effective knowledge management strategy, you can preserve smooth customer relations and protect your trade secrets.
Download this pocket guide and learn how you can keep your information assets secure.
Related articles
Mar 30 2014
The Protection of Personal Information Act (POPI) in South Africa â Benefits and Challenges
In South Africa the Protection of Personal information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, and damage and unauthorised access to, personal information. POPI was signed into law on 26th November 2013 but the commencement date is yet to be announced; companies have been given a year to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.
Why is it so important for organizations to keep personal information safe?
Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies as well as the reputational damage and a loss of customer trust. The lack of robust Information Security Management Systems (ISMS) can leave organisations of any size and sector open to data breaches. POPIâs objective is to regulate the way personal information is collected and stored by organizations, which will in turn increase customer confidence in the organizations. The Act will apply to all organizations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizensâ personal billing information on the Councilâs website, including full names, account numbers, addresses, and contact details. Anything could have happened to that information, including targeted phishing attacks, and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.
POPIâs challenges
The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organizations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employeesâ attitudes it will be a serious challenge to reach compliance in only a year.
PwCâs âjourney of implementationâ report found that the majority of organizations in South Africa believe it will take several years to achieve compliance with POPI.
Source: PwC âThe journey to implementationâ
One way for South African organizations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organizationâs information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.
How to prepare for POPI
IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with weak information security management system, and recommends that companies look at the useful information about ISO27001 available on the companyâs website.
Related articles
Dec 04 2013
ISO27001 2013 high level review for making the transition
ISO 27001 2013 high level review for making the transition from ISO 27001 2005
The Case for ISO 27001 (2013) Second Edition (Download the latest book in Adobe)
Itâs been several months now that highly anticipated release of the latest information security standard ISO 27001 2013 for the organization who have vested interest due to previous compliance or certification in ISO 27001 2005. ISO 27001 2013 has 114 controls defined within 14 security control clauses (domains) collectively containing a total of 35 main security categories and introductory clauses including introduction, scope, normative references.
0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
The new standard no longer require organizations to adopt the Plan-Do-Check-Act (P-D-C-A) model to develop and introduce the ISMS, but leave it to each organization to determine and adopt a continual improvement model (corrective action) that works for them.
The scope in new standard requires every organization to make sure the external and internal issues, (vendor assessment) and information security requirements of these parties are addressed in the contract. This clause will ensure that an ISMS is relevant to the organizationâs activity which include external partners and provides an assurance that appropriate controls are in place for external parties as well. In risk assessment area, risks are treated and residual risk accepted by risk owners rather than asset owners, which may require organizations to build a risk register, which will ultimately become an auditable document.
There is another important requirements relating to the setting of information security objectives (strategy), which include the evaluation of the information security performance and measuring the effectiveness of the ISMS.
Annex A has also been restructured into fewer controls (114) and three new domains
A.5. Information security policies
A.6. Organisation of information security
A.7. Human resources security
A.8. Asset management
A.9. Access control
A.10. Cryptography – new
A.11. Physical and environmental security
A.12. Operations security – new
A.13. Communications security
A.14. System acquisition, development and maintenance
A.15. Supplier relationships – new
A.16. Information security incident management
A.17. Information security aspects of business continuity management
The Standard now covers what was previously referred to as âcontrol of documentsâ and âcontrol of recordsâ under the description of âdocumented informationâ.
There is no longer a summary of the mandated documents required by the Standard in this section, relying on the organization to identify the requirements for what is now referred to as âdocumented informationâ for itself. They are listed below
The scope (4.3)
The information security policy (5.2 e)
The information security risk assessment process (6.1.2)
The information security risk treatment process (6.1.3)
Statement of Applicability (6.1.3 d)
The information security objectives (6.2)
Evidence of competence (7.2)
That documentation âdetermined by the organisation as being necessary for the effectiveness of the information security management systemâ (7.5.1 b)
The documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
The results of information security risk assessments (8.2)
The results of information security risk treatment (8.3)
Evidence of the information security performance monitoring and measurement results (9.1)
Internal audit programme(s) and the audit results (9.2 g)
Evidence of the results of management reviews (9.3)
Evidence of the nature of the non-conformities and any subsequent actions taken, and the results of any corrective actions (10.1)
Summary of new controls in ISO 27001 2013 Annex A
A.6.1.5 â Information security in project management
All projects will address information security, regardless of the nature of the project. This ensures that information security is dealt with from the bottom up.
A.14.2.1 â Secure development policy
Rules for development of software and systems are established and applied to developments. This acts as a sort of precursor control to 14.1.1 and 14.1.3, which relate to controlling the data and applications developed under this control.
14.2.6 â Secure development environment
The organisation ensures an appropriately secure development environment for system development and integration, across the whole development lifecycle. This is deliberately broad to allow input from the earliest stages of the ISMS (identifying the nature of the organisation), rather than restrictively demanding measures that may not be relevant.
14.2.8 â System security testing
The organisation establishes acceptance testing programs and related criteria for new information systems, upgrades and new versions.
15.1.3 â Information and communication technology supply chain
This control requires agreements with suppliers to address information security risks associated with information and communications technology services and products supply chain.
16.1.4 â Assessment of and decision on information security events
Information security events are examined and assessed to determine whether they qualify as information security incidents. This control applies an additional step in the incident management process.
Contact DISC for a Free Gap Assessment for any domain of your choice based on location
Start your ISMS project with ISO27001 2013 Documentation Toolkit
Mapping of ISO/IEC 27001:2013 to ISO/IEC 27001:2005 for $6.99 
Â
 Download ISO27000 family of information security standards!
âąÂ ISO 27001 2013 ISMS Requirement (Download now)
âą ISO 27002Â 2013 Code of Practice for ISM (Download now)
Related articles
Nov 27 2012
New ISO27013 Standard helps integrate ISO27001 with ISO20000
IT Governance Ltd, the global leader in IT governance, risk management and compliance, has announced that the highly anticipated ISO27013:2012 Standard has been published and is now available to buy from the companyâs online shop at ITG
ISO27013:2012 focuses exclusively on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 – two of the worldâs leading and highly regarded standards. ISO/IEC 27001 deals with information security management systems (ISMS) and practically provides organisations with provides a powerful framework for sharing best practice and guidance on protection form cybercrime. ISO/IEC 20000-1:2011 is the international IT Service Management standard which enables organisations to ensure that their IT service management processes are aligned with the needs of the business.
The ISO27013:2012 Standard has been designed to help organisations implement both standards together, or implement one when one is already within the organisation. By doing this organisations can achieve increased customer satisfaction, competitive advantage, improved business operations and considerable cost-savings over time.
Organisations can purchase the ISO/IEC 20000-2:2012Â and ISO 27013 from IT Governance .
Related articles
- Operation Procedures and ISMS (deurainfosec.com)
- Separation of Duties and ISO 27001 (deurainfosec.com)
- Why are the ISO 27000 Standards Important to Organizations? (infocus.emc.com)
Jun 19 2012
Achieve Best Practice & Win New Business with International IT Standards
International IT Standards help organizations achieve best practice systems and management of their IT processes. Certification against standards can help organizations protect their critical assets, rebuff cyber attacks, help win new business and achieve compliance against regulatory requirements.
ISO27001: Cyber Security Standard (Cheapest price on the web)
ISO27001 helps businesses create a best in class Information Security Management System (ISMS), safeguarding its information assets, protecting its reputation
.
ISO22301: Business Continuity Standard (Published last Month)
ISO22301 sets out the requirements for a Business Continuity Management System (BCMS) and helps organizations ensure they are prepared should an disruptive incident occur, and more importantly, continue trading and return to business as usual as quickly as possible
ISO20000: IT Service Management Standard (Best Seller)
ISO20000 enables IT organizations (whether in-house, outsourced or external) to ensure that their IT service management processes are aligned. This standard specifies the requirements for an service management system (SMS). This standard will help you develop, implement, establish an SMS.
Mar 26 2012
IT Governance helps SMEs protect themselves from cybercrime
IT Governance Ltd, the global provider of cyber security management solutions, has announced a value-add offer in March. Organisations that buy the No3 ISO27001 Comprehensive Toolkit before the end of March will receive the Cybersecurity Self Assessment Tool free, making double savings on resource and time.
The No3 ISO27001 Comprehensive Toolkit contains highly practical books, document templates and risk assessment tool, also providing a 100% return on investment. It helps organisations tackle cybersecurity issues quickly and efficiently, whilst considerably improving their cybersecurity defences.
The recent Symantec Threat Awareness Survey uncovered that over 50% of the 1,900 SMEâs interviewed, thought that they were immune to cybercrime because they were too small.
However, Symantecâs report found that since 2010 40% of all attacks were on SMEâs. Ross Walker, Symantec director of small business for Symantec UK, commented “hackers are going after ‘low hanging fruits’ these are the companies who are less security aware and do not have the proper defences in place”.
Alan Calder, CEO of IT Governance, says âThe best way to build robust and effective cyber defences is by implementing ISO27001, the worldâs cybersecurity standard. An ISO27001-compliant Information Security Management System (ISMS) promotes customer confidence, helps vendors win new business and improves organisational efficiencyâ.
The easiest way to implement an ISO27001-compliant ISMS, especially for SMEs, is with the No 3 Comprehensive ISMS ISO27001 Toolkit. It provides organisations with all the tools they will need for the implementation of an information security management system (ISMS).
The No 3 Comprehensive ISMS ISO27001 Toolkit includes copies of the three key standards (ISO27001, ISO27002 and ISO27005), the Risk Assessment Tool (vsRiskâą), the Documentation Template Toolkit and manuals that describe in practical detail how each aspect of the ISMS should be tackled.
One user of the Toolkit said: “Using the templates was the only way that we could deliver a first edition ISMS in under six months. Our deliverable was a work in progress, but miles ahead of where they would have been without the templates”.
Organisations that buy the No 3 Comprehensive ISMS ISO27001 Toolkit before the end of March will receive the Cybersecurity Self Assessment Tool free. It enables any organisation to quickly assess and demonstrate which areas of the organisation are up to scratch and where more attention is required.
Organisations can purchase the ISO27001 Comprehensive Toolkit here!
Jul 13 2011
Do US companies do enough for their cyber security?
IT Governance Ltd, the ISO27001 and information security experts have reported that they are making a number of free resources available for download from their US website to help US companies meet the challenges of increased cyber crime.
July 12, 2011 /24-7PressRelease/ — IT Governance Ltd, the ISO27001 and information security experts have reported that they are making a number of free resources available for download from their US website (www.itgovernanceusa.com) to help US companies meet the challenges of increased cyber crime. This week the company has published a white paper on cyber security which can be downloaded from here http://www.itgovernanceusa.com/cyber-security.aspx
Cyber security has become an issue for every nation in the world. In the US over the last 3 months there have been data breaches against high-profile organizations including Fox, Sony, Gmail, the IMF (International Monetary Fund) and major government departments. Two weeks ago, the Arizona State Police again became the victim of a cyber attack. The hack was announced on Twitter less than a week after a previous attack from Lulz Security.
US companies need to do their utmost in order to defend themselves form hackers and protect their information assets. At present, key changes in the US legislation are being discussed, and sooner or later, it is likely that strict data security measures will be imposed on organizations, which they will need to comply with. Organizations who do not act now may face serious fines in the future or even become the subject of a class action lawsuit, if the loss of customer’s data is established. Such was the case with Sony in April when a Canadian Play Station Network (PSN) user claimed damages in excess of $1 billion. This followed another lawsuit filed by an American PNS user. The consequences for companies compromising customers’ data can be severe, leading to both big financial implications and reputation damage.
IT Governance, which specializes in cyber security and compliance solutions, has published a white paper on their US website that provides information on some of the key developments US companies and their directors or IT managers need to be aware of in order to protect their business from cyber attacks. The white paper can be downloaded for free here: http://www.itgovernanceusa.com/cyber-security.aspx
Alan Calder, CEO of IT Governance, comments, “There are a few essential steps that organizations should be following if they are to implement an effective security strategy. Most organizations would only take certain measures if they are given the reasons why they should be doing this and know that their investment of time and money is worth. What is a more convincing reason than the data breaches we all witness? At IT Governance, we not only advise customers what should be done, but also provide guidance and solutions to their problems. We have the most comprehensive range of resources across a number of areas, from books and toolkits through to e-learning and software tools.”
US companies can be doing more than taking partial measures to fight cyber crime. Implementing best practice in information security management has become the most popular approach to tackling cyber security; demonstrating to both customers and business partners that an organization is working to the highest standard. Accredited certification to ISO27001 gives an organization internationally recognized and accepted proof that its system for managing information security – its ISMS or cyber security readiness – is of an acceptable, independently audited and verified standard. Everything US companies need to know about ISO27001 is explained on this website: http://www.27001.com
May 06 2009
Rise of cybercrime and management responsibility
- Image via Wikipedia
Uncertain economic time brings new threats and scams and most of the security experts agree that thereâs a possibility of increase in cybercrime for this year. Survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.
First why all the signs are showing uptick in cybercrimes and second what are we going to do about it.
Management should start considering security as total cost of ownership instead of wasting time on what is ROI of information security. If there is a security breach, somebody in the management should be held accountable not an IT or security personnel. Management will keep demonstrating lax attitude toward data protection and security in general unless there are serious consequences like spending time in jail for lack of security controls (basic due diligence) and not taking appropriate actions for the risks that posed a significant threat to the organization.
PCI, HIPAA and SOX compliance are a good start in a right direction for management to take information security into consideration, but these compliance initiatives donât address the security of a whole organization. They address security risks of a business unit in an organization. If management is really serious about security then ISO 27002 code of practice is one of the option which should be considered to address the security of the whole organization and ultimately organization should achieve ISO 27001 certification which will build a comprehensive information security management system to manage ongoing risks.
[TABLE=2]
Related articles by Zemanta
- The 2009 U.S. Stimulus Bill and Future of Global Healthcare Privacy (blogs.sun.com)
- Tenzing Joins Elite Rank of ISO 27001 Certified Service Providers (newswire.ca)
![Reblog this post [with Zemanta]](https://img.zemanta.com/reblog_e.png?x-id=1119f164-7e48-4ad2-b112-d80cd3808a1d)
Jan 30 2009
ISO 27k and CMMI
To become a successful business in todayâs market, optimized information security controls may be the panacea for unmet security needs. One way to achieve optimized information security control is to perform ISO assessment and assess the organization security posture based on ISO 27002 code of practice and map each control with Capability Maturity Model Integration (CMMI) to find out the current CMMI level for each control. 
The goal is to address the organization security needs as a whole, and assess how different departments and business functions are addressing the current business security requirements. The CMMI has five levels and evaluate security controls based on levels, not on specific objectives. Each level provides the basis for the next level where it is not possible to get to the next level without complying with previous level. ISO 27002 is a comprehensive framework which can be utilized to obtain the baseline upon which to build each level. For each control in ISO 27002, maturity levels are defined using maturity definition found in CMMI. In the assessment report maturity level of each control of ISO 27002 standard can be evaluated. Utilizing the color coded scheme provided by CMMI model, create a one page ISO control summary for executives which will not only help them to understand the current security posture but also can be instrumental for measuring progress and resource allocation.
The scope of the ISO27k standards includes various aspects of IT. The introduction to ISO 27002 states clearly: âInformation can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post of using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.â
Benefits of ISO 27k framework:
o Framework addresses the security issues for the whole organization and limit data breaches
o Address compliance with various regulations like (SOX, HIPAA, and PCI) without creating silos.
o Reduce total cost of security by decreasing total number of controls required
o Perception of your business that you are serious about information security not just compliance
o Enhance partners and vendors confidence to do business with your organization
o Future deciding factor for national and especially international partners for more business
o Internationally recognized standard which addresses security awareness for the whole organization
Assessment will give an organization a high level view of their current security posture and provide a road map for security strategy in a sense what needs to be addressed first utilizing risk based approach. This is also a good start if your organization is interested in the Information Security Management System (ISMS) or ISO 27001 certification. ISO 27001 is the standard for the certification which includes the set of requirements for ISMS. Justifiable scoping is the key to a quick and successful certification; organization may adjust their scope in a re-certification attempt. Perhaps in the first attempt you may need to include just a web portal in your scope and the entire infrastructure behind supporting that portal. Once the ISMS project scope is determined, here are some steps you can follow to prepare for ISO 27001 auditors.
1. Based on your scope, create an asset list
2. Find out asset threats and vulnerabilities and classify the asset based on CIA scale
3. Come up with risk matrix based on impact and likelihood of the risk
4. Create priorities based on impact and likelihood of the risk
5. Based on priorities, implement appropriate controls for risks which needs to be addressed
6. Do the risk assessment again, PDCA improve ISMS
âISO27001 is a structured, technology-neutral, vendor-agnostic specification and code of practice for information security management in organizations of all sizes that should be adopted as part of an organization’s overall risk management strategy.â
This should give you a jump start to certification. You have already started the process of certification because most of the documentations in the risk assessment will become part of certification process later and will lead you to 12 steps which are part of PDCA cycle. ISMS certification process utilized Plan-Do-Check-Act (PDCA) cycle methodology which continually improve information security management system and meet the contractual, legal, and regulatory requirements for information security.
ISO assessment is utilized to analyze the current security posture of an organization where each control is defined and can be color coded using the base definition found in CMMI. Therefore ISO assessment is a great first step towards the final ISO 27001 certification audit or for that matter any compliance audit.
[TABLE=2]
ISO 27k framework for today’s security challenges
httpv://www.youtube.com/watch?v=yRFMfiLbNj8
Three useful titles on ISO 27k by Alan Calder
Related articles by Zemanta
- vsRisk and security risk assessment (deurainfosec.com)
- Open Network and Security (deurainfosec.com)
- ISO 27001: Information Security (futurehealthit.com)
Nov 26 2008
Cyber threats and overall security assessment
- Image via Wikipedia
In the past when senior management (execs) needed to understand the financial implication of cyber threats and their exposures, they turned their questionnaires toward IT for relevant answers. In other words IT risk assessment was the answer in the past to understand the financial implications of cyber threats. The IT risk assessment is not the comprehensive or overall assessment of the company to understand the total implications of cyber threats. The overall assessment will not only include IT but also other departments like HR and legal etc… Basically cyber threats are neither IT issue and nor a legal or HR issue any more, itâs simply an enterprise management issue.
In old days the firewall was used as a major defense against potential cyber threats. The new cyber threats are sophisticated enough to demand better defense. New threats (virus, adware, worms, Trojan, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand an immediate attention (of CFO or higher) and approval for resource allocation to protect against cyber threats. To make a solid business case for security ROI, senior level execs need to know the overall risk they are reducing, and their highest priority.
[TABLE=12]
ANSI and ISA have jointly released a document to assist senior management to prepare for financial implications for cyber threats. Basic essence of the guide is to provide a tool to execs to understand the financial implications of potential cyber threats to their organizations.
âThe 40 page guide was put together by task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFO ask their various teamâs questions about the biggest threats to data confidentiality, integrity and availability,â to get to know the existing controls in place and any relevant mitigation plan. Risk analysis of this information can help execs to map the cyber threats risks into correct financial terms and make better resource allocation.
The senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice, which provides a reasonable on-going due diligence to protect and safeguard organization data.
![Reblog this post [with Zemanta]](https://img.zemanta.com/reblog_e.png?x-id=2b18960c-caaa-4f56-a227-a5ede7b55594)
Nov 04 2008
Open Network and Security
Open networks are heterogeneous environment where users like to use all the applications and systems at any given time. In a heterogeneous environment, each department run different hardware and software, but you can control the protocols which will work on this environment.
Universities are famous for open network. Most Universities network is comprised of a Bank (To give loan to students), a restaurant, and a bookstore which have credit card processing ability. Students, alumni, researchers, employee and staff need access to utilize resources. Now how would you control access if same person assume all the roles mentioned above. Universities are basically transient communities, where users come back and plug-in their new devices and expect an immediate access to all the resources. Where the reputation of openness is challenge at every step of the way, now the question is how can they maintain reputation and yet control the environment based on security policies.
Reasonable security can be accomplished by focusing on a process rather than adding yet another security control. The process is based on risk assessment program where you assess your critical assets based on threat and vulnerability pair and measure the likelihood and impact of a threat if a given vulnerability is exploited.
The process start with knowing your assets â Network registration will detect when you plug-in your new equipment. Before you get an access, it detects a hardware address and username. You can also control common misconfigurations and noncompliance issues with network registration process. Some vulnerability management systems discover assets and perform vulnerability and security configuration assessment to proactively identify and prioritize risks. New vulnerabilities are accessed from trusted site on a regular basis and when vulnerabilities are identified, the management system needs to have an ability to remediate to comply with the information security policy.
Most of the departments in an open network contains different systems and applications and basically have different security appetite. Distributed IT Governance can address this issue where you develop policies and procedures which fit their needs and hand it over to the department to comply.
Open network requires pretty much open borders, Instead of securing the network/system emphasis should be on data protection.
[TABLE=9]
Recent news from AT&T to make its network open where customers can use any handset of their choice, perhaps a reaction to in response to recent moves from Verizon and Google to promote open network. Specifically Verizon announced that it would allow âany deviceâ and âany applicationâ to operate on its network. These open networks does provide flexibility for customers but at the same time burden lies on the shoulders of the corporations to provide right balance of security and privacy with availability of the network.
In an open network, reasonable security can be achieved by embracing ISO 27k standard and eventually acquiring ISO 27001 (ISMS) certification. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of an open network. ISMS as a process in-place provides reasonable security safeguard to your information and certainly help to minimize the liability in the court of law.
End-to-End Network Security: Defense-in-Depth by Omar Santos
httpv://www.youtube.com/watch?v=zTJSMjYd9c4
(Free Two-Day Shipping from Amazon Prime). Great books
![Reblog this post [with Zemanta]](https://img.zemanta.com/reblog_e.png?x-id=2590b94c-4c68-4b01-a367-028d2bdde031)
Next Page »
