Thursday, January 31, 2008

The 2007 ISO 27001 Benchmark Study

Research from Wolcott Group, "The 2007 ISO 27001 Benchmark Study," shows that many organizations have significant gaps in how they manage information security. While most organizations have mature or developing controls for information security, many still have immature processes for key issues like security policy training, access control, asset management, business continuity, IT compliance auditing, and more.

Highlights of Immature Controls and Processes:

  • 57% have immature processes for classifying the value of their information assets
  • 56% have immature employee training programs on information security policies and procedures
  • 47% have an immature approach to managing information security
  • 45% have immature business continuity processes
  • 36% have immature IT compliance auditing processes

Interested parties can visit Download The 2007 ISO 27001 Benchmark Study to register to download a complimentary copy of the benchmark study.

Tuesday, January 29, 2008

How to apply ISO 27002 to PCI DSS compliance

The PCI Data Security Standard (PCI DSS) consists of 12 mandatory high-level requirements for all organizations that store, transmit, or process payment cards. These 12 requirements are further subdivided into sections, describing activities that organizations must engage in while managing their networks, administering their systems, and, in general protecting the payment card data with which they have been entrusted.

While PCI DSS details compliance requirements in most areas, its directives make only passing reference (if at all) to an overall security framework into which the required actions must fit. If organizations simply follow the PCI DSS blindly, they may not achieve the overall security goals.

ISO 27002, also known as ISO 17799, is a security standard of practice. In other words, it is a comprehensive list of security practices that can be applied -- in varying degrees -- to all organizations. The benefit of such a standard to organizations attempting to comply with the PCI-DSS is twofold. First, it provides a framework that allows organizations to achieve their PCI security goals along with those from other sources, like industry or governmental regulations. Second, it provides guidance on how to fit some of PCI's governance and policy requirements into an organization's compliance program.

For example, ISO 27002 discusses the necessity of involving business, management, human resources and technology representatives in the security program. It also provides references for high-level policies for important areas such as data classification, data handling and access control. While PCI DSS describes specific technical practices and organizational activities, it doesn't talk about the overall program in which these activities exist or the specific policies that require these activities.

When a company establishes a program based on a broad standard like ISO 27002, it can treat the PCI-DSS requirements as a subset of those required by the ISO. Further, a program structured according to ISO 27002 will require organizations to employ critical support systems required by many regulations (and PCI DSS in particular). For example, ISO 27002 requires change control in network administration, system configuration, policy management, procedure management and software development. PCI DSS calls out the need for accurate diagrams and documentation for its network and systems as well as change control processes to ensure discipline in administration of the PCI DSS-related components.

ISO 27002's broad requirements for change control associated with all aspects of administration encourage a consistent approach across an enterprise. This kind of approach, when applied to PCI DSS, would help improve both the consistency, effectiveness and efficiency of change control across a company and increase the likelihood that an auditor would find a company's practices acceptable.

Another benefit of combining the structure of ISO 27002 and the specific requirements of PCI DSS is that the PCI DSS helps organizations define three of the most challenging aspects of ISO compliance: scope of compliance, data classification and data handling. Armed with these constraining requirements, organizations can define policies and procedures that are consistent with best practice as specified by ISO and directly address PCI DSS compliance. For example, PCI DSS defines what aspects of credit card data are sensitive. It describes access control requirements for credit card information, encryption requirements for transmission and storage, and even the testing necessary to verify effectiveness of controls. These specific requirements allow organizations to state how systems must be configured, how employees must treat data and how an organization monitors the effectiveness of its controls.

A growing number of organizations are building security programs according to standard frameworks like ISO 27002. These frameworks are allowing organizations to factor compliance with multiple regulations and contracts into their security programs in a consistent and effective manner.

The beauty of using the ISO standard with specific regulations is that the regulations fill in the necessary details that the framework lacks while the framework provides structure to address multiple sets of requirements consistently. The two concepts work hand in hand and provide effectiveness, efficiency and auditability.

About the author:Richard E. "Dick" Mackey is regarded as one of the industry's foremost authorities on security and compliance. He is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA and SOX. He has also provided guidance to a wide range of companies on enterprise security architectures, identity and access management and security policy and governance.

Thursday, January 24, 2008

ISMS Standards

New ISO series of 27000 standards

  • ISO/IEC 27000 Fundamentals and vocabulary
  • ISO/IEC 27001 ISMS - Requirements (revised BS 7799 Part 2:2005) - Published 15th Oct 2005
  • ISO/IEC 27002 Code of practice for information security management as from April 2007 -currently ISO/IEC 17799:2005, published 15th June 2005
  • ISO/IEC 27003 ISMS implementation guidance (under development)
  • ISO/IEC 27004 Information security management measurement (under development)
  • ISO/IEC 27005 Information security risk management (based on and incorporating
  • ISO/IEC 13335 MICTS Part 2) (under development)
  • ISO/IEC 27006 Requirements for bodies providing audit and certification of information security management systems - Published 15th February 2007
  • ISO/IEC 27007 Guidelines for information security management systems auditing (under development)

ISMS Specifications

  • ISO/IEC 27001:2005 ISMS - Requirements (revised version of BS 7799-2:2002 Information security management systems – specification with guidance for use.)
  • ISO 9001:2000 Quality Management Systems – Requirements

Auditing Standards

  • ISO 19011:2002, Guidelines on Quality and/or Environmental Management Systems Auditing

Accreditation Standards

  • ISO/IEC 17021 Conformity Assessment – Requirements for bodies providing audit and certification of management systems
  • ISO/IEC 27006 Requirements for bodies providing audit and certification of information security management systems

Control Standards

  • ISO/IEC 27002:2005 Code of practice for information security management

From: TQMC

Tuesday, January 15, 2008

From now on, Axur Blog will be published only in English!

From now on, we decide to post only in english. English will be our official language. Why to do so?

1-) We believe ISO 27001 is a worlwide stuff. It's very important to share our experience in ISO 27001 implementation and management with all consultants around world.

2-) Starting march, Axur ISMS will be delivered in English, and we need to communicate with our clients.

3-) English is an universal language. Looks like a kind of "successfully Esperanto".

Axur Team!