ISO/IEC 27000-family

IsecT consultants have grown up with the ISO/IEC 27000-series Information Security Management System (ISMS) standards (commonly known as “ISO27k”).  We have used and in small measure contributed to the development of the standards for well over a decade.  Our interest continues to this day through our ongoing involvement with ISO/IEC JTC1/SC27, the international committee responsible for the continued development of the standards:

  • The original Code of Practice for Information Security Management that became ISO/IEC 27002 in 2005 started out as a collection of good practice advice and a handful of “key controls”, based largely on an internal security policy manual used by the Royal Dutch/Shell Group.  Recognising the value of the structured and comprehensive approach to securing information (not just IT) assets, we started actively using the Code of Practice around the time it was publicly released by the UK Government’s Department of Trade and Industry in the early 1990s.
  • ISO/IEC 27001, the Specification for an Information Security Management System, is the standard against which thousands of organizations worldwide have been certified compliant.  The Big Idea of ‘27001 involves proactively managing information security as a cyclical plan-do-check-act process by means of which, in successive cycles, the organization systematically closes the gap between its actual and its desired level of information security risk.  As the key processes within the ISMS gradually mature and improve, emerging information security risks are identified and tackled along the way.
  • Other ISO27k standards cover related aspects such as managing information security risks, developing and using information security metrics, ISMS auditing, ISMS implementation and sector-specific guidance.  Through SC27, we are helping to develop new ISO27k standards and update the existing ones.

For more information on implementing the standards including the ISO27k FAQ and a free ISO27k Toolkit, visit our website ISO27001security.com.

By all means contact IsecT for consultancy assistance with the planning, design, development, implementation or auditing of your ISO27k-compliant Information Security Management System.  Applying the accumulated experience of our consultants and partners, we will show you the most direct route to best practice, helping you for example to:

  • Undertake an independent audit of your current situation (“gap analysis”) to identify the key things your organization must do to be certified against ISO/IEC 27001;
  • Prepare a pragmatic project plan and help persuade management to fund and support it;
  • Write and implement formal information security policies, standards and procedures (a comprehensive information security policy manual based on ISO/IEC 27002 is available to purchase today);
  • Initiate an information security awareness program to accompany the formal documentation, create a security culture and leverage the investment in technical, procedural, physical and legal controls;
  • Prepare for and facilitate third-party assessment by an accredited ISO/IEC 27001 certification body (the certification body and implementation consultants must not be related: we do not do certification);
  • Optimise the business value obtained from the ISO27k standards.

Finally, if you are still not convinced about the value of implementing ISO27k, think of it as a tool to aid compliance with IT/information security-related laws, regulations and standards such as various privacy acts, PCI DSS, HIPAA, PIPEDA, computer misuse, copyright, freedom of information and many more.  ISO27k compliance will also help meet the recommendations of the OECD Information Security Guidelines of 2002 and the Basel Committee paper “Sound Practices for the Management and Supervision of Operational Risk.”  Done properly, ISO27k can take the organization well beyond the bare minimum security requirements, mitigating commercially unacceptable risks and allowing the business to flourish in areas that would otherwise be too risky.

Copyright © 2010 IsecT Ltd.