May 10 2014

Information Security and ISO 27001-2013

Category: ISO 27kDISC @ 9:38 pm


The perfect introduction to the principles of information security management and ISO27001:2013

Most organizations implementing an information security management regime opt for systems based on the international standard, ISO/IEC 27001. This approach ensures that the systems they put in place are effective, reliable and auditable.

Up to date with the latest version of the Standard (ISO27001:2013), An Introduction to information security and ISO27001:2013 is the perfect solution for anyone wanting an accurate, fast, easy-to-read primer on information security from an acknowledged expert on ISO27001.

This pocket guide will help you to:

Make informed decisions

    By providing a clear, concise overview of the subject this guide enables the key people in your organization to make better decisions before embarking on an information security project.

Ensure everyone is up to speed

    Once you have decided to implement an information security project, you can use this guide to give the non-specialists on the project board and in the project team a clearer understanding of what the project involves.

Raise awareness among staff

    An Information Security Management System (ISMS) will make demands of the overall corporate culture within your organization. You need to make sure your people know what is at stake with regard to information security, so that they understand what is expected of them.

Enhance your competitiveness

    Your customers need to know that the information you hold about them is managed and protected appropriately. And to retain your competitive edge, you will want the identity of your suppliers and the products you are currently developing to stay under wraps. With an effective knowledge management strategy, you can preserve smooth customer relations and protect your trade secrets.

Download this pocket guide and learn how you can keep your information assets secure.



Tags: Information Security, Information Security Management System, isms, ISO/IEC 27001, Policy

Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk AssessmentDISC @ 9:09 am

vsRisk – The Cyber Security Risk Assessment Tool


It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.7 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straight-forward to use
  • Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>


Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards

Aug 11 2012

ISO 27001 Information Security Incident Management

Category: ISO 27k,Security IncidentDISC @ 10:37 pm
English: ISMS activities and their relationshi...

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)

Section 13 of Annex A handle information security incident management. One of the important thing to know about this section is the difference between an event and an incident.

Information Securty Event: is an occurance of a system, service or netwrok state indicating a possible breach of information security policy or failure of safeguards.

Informtaion Security Incident: is indicated by a single or series of unwanted information security events that have a significant probability of compromising business operations.

IT Governance: An International Guide to Data Security and ISO27001/ISO27002

This video covers Section A.13 of ISO 27001. This refers to the reporting of information security events and weaknesses and the management of information security.

Tags: Information Security, Information Security Management System, ISO 27001 Lead Implementer, ISO/IEC 27001, Policy

Jan 11 2010

Long Awaited ISO/IEC 27004:2009

Category: ISO 27kDISC @ 12:49 pm

Security Metrics: Replacing Fear, Uncertainty, and Doubt

The long awaited international standard on Information Security Measurement, ISO/IEC27004:2009, is now available.

It’s a must have –
To Download a copy of ISO27004 – Information Security Metrics

Key Features and Benefits:

• Provides guidance on the development, implementation use of metrics to measure the effectiveness of an ISO 27001-compliant ISMS, controls or groups of controls. Helping you to quantify the payback to your organisation of implementing an ISMS.
• Covers not just the development, implementation and use of metrics, but also the communication of the results. Helping you to ensure management buy-in for future projects.
• The use of this standard provides opportunities to identify areas in need of improvement, facilitating continual improvement. Thus leading more secure information, cost savings and increases in efficiency.

If you have not claibrated the model with measurement, only one thing is certain: You will either overspend or under-protect.

Get your copy today >>
To Download a copy of ISO27004 – Information Security Metrics

Tags: Individual Standards, International Organization for Standardization, ISO, ISO 27004, ISO 27k, iso measurement, iso27004, Policy, Security, under-protect

May 06 2009

Rise of cybercrime and management responsibility

Category: Information Security,Information WarfareDISC @ 5:08 pm

ITIL Security Management
Image via Wikipedia
According to SF Chronicle article by Deborah Gage (May 8, 2009, c2) consumer reports magazine’s annual “State of the Net” survey finds that cybercrimes has held steady since 2004, with one out of five consumers becoming victims in last two years at a cost to economy of $8 billion. Consumer report can be found on at

Uncertain economic time brings new threats and scams and most of the security experts agree that there’s a possibility of increase in cybercrime for this year. Survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.

First why all the signs are showing uptick in cybercrimes and second what are we going to do about it.

Management should start considering security as total cost of ownership instead of wasting time on what is ROI of information security. If there is a security breach, somebody in the management should be held accountable not an IT or security personnel. Management will keep demonstrating lax attitude toward data protection and security in general unless there are serious consequences like spending time in jail for lack of security controls (basic due diligence) and not taking appropriate actions for the risks that posed a significant threat to the organization.

PCI, HIPAA and SOX compliance are a good start in a right direction for management to take information security into consideration, but these compliance initiatives don’t address the security of a whole organization. They address security risks of a business unit in an organization. If management is really serious about security then ISO 27002 code of practice is one of the option which should be considered to address the security of the whole organization and ultimately organization should achieve ISO 27001 certification which will build a comprehensive information security management system to manage ongoing risks.


Reblog this post [with Zemanta]

Tags: Information Security, International Organization for Standardization, isms, iso 27001, iso 27002, Operating system, Policy, Security

Apr 02 2009

Cloud computing and security

Category: Cloud computingDISC @ 5:55 pm
File:Cloud comp architettura.png

Cloud computing provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Main concern for security and privacy of user is who has access to their data at various cloud computing locations and what will happen if their data is exposed to an unauthorized user. Perhaps the bigger question is; can end user trust the service provider with their confidential and private data.

“Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.”

Three categories of cloud computing technologies:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Cloud computing is offering lots of new services which increase the exposure and add new risk factors. Of course it depends on applications vulnerabilities which end up exposing data and cloud computing service provider transparent policies spelling out responsibilities which will increase end user trust. Cloud computing will eventually be used by criminals to gain their objectives. The transparent policies will help to sort out legal compliance issues and to decide if the responsibility of security breach lies on end user or service provider shoulders.

Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

Possible risks involved in cloud computing
Complete data segregation
Complete mediation
Separation of duties
Regulatory compliance (SOX, HIPAA, NIST, PCI)
User Access
Physical Location of data
Availability of data
Recovery of data
Investigative & forensic support
Viability and longevity of the provider
Economy of mechanism

Continue reading “Cloud computing and security”

Tags: Cloud computing, cloudcomputing, compliance, Computer security, iaas, IBM, Information Privacy, Infrastructure as a service, paas, Platform as a service, Policy, privacy, saas, Security, security assessment, Security Breach, Services