Monday, March 31, 2008

Who needs ISO 27001?

If you hold a client's classified or sensitive data as part of doing business with them, you may want ISO 27001 certification to offer that client some 'security' comfort. Not convinced?
Here is an example. If you happen to hold your clients' source code or similar sensitive data as part of performing your business, your clients will be concerned about the security of that data. Specifically, they will want to know whether your information security function is reliable and sustainable. That is where ISO 27001 comes in. Not every company benefits from ISO 27001, though.

What does ISO 27001 offer that is different from what you have today? It is a framework you can be measured against, and one that lets you scale your policies and manage them appropriately as you grow.

Security policies in companies today are often abstract and come close to being nothing more than an internal 'terms of usage' policy. It is therefore worth exploring an ISO security framework, ISO 27001, which enables you to formally enumerate policies and data classifications, apply appropriate risk treatment to each, and provide continuity.


Friday, March 28, 2008

ISO 27001 - What really matters is an ISMS.

Life would be simple if curing security headaches were just a matter of buying some new technology. In reality, good security requires fundamental organisational change, says Danny Bradbury

What constitutes good security today? Simply throwing a firewall at your system won't cut it, says Ross Anderson, professor of security engineering at Cambridge University's computer laboratory.

"It usually comes down to how people behave in institutions," he warns. "Managers optimise their own utility, rather than the shareholders'."

All too often, those in charge resort to buying equipment, plugging it in and declaring the problem solved. In reality, security must be part of the company's DNA at an operational level.
At the heart of the debate lies the disparity between the box-tickers, who do just enough to satisfy the regulators, and those who put in extra effort, says Mark Lobel, principal in advisory services at consultancy PricewaterhouseCoopers.

"There are two ways you can go about it. You can adopt a compliance-based approach and tick every box in the Sarbanes Oxley rule book, or you can take a risk-based approach," he says. "A risk-based approach is the way you should approach this."

That approach entails identifying and analysing the real threats to the organisation. More mature companies may use a risk matrix to quantify this, with the likelihood of a threat on one axis and its impact on the organisation on the other.

"By identifying and starting with the business objectives, you make sure that you're properly aligned and focused," says Lobel.

But companies need a more detailed framework than this. David Cole, academy team leader and senior consultant at risk management consultancy DNV IT Global Services, thinks he has the answer.

"ISO 27001 is a standard on how to set up a management system," Cole says. "It tells you what is expected of an information security management system."

Read more at:,3800014480,39170493,00.htm

Monday, March 17, 2008

Become Confident in Your ISO 27001 Practices

Managers who claim that their organizations comply with ISO/IEC 27001:2005, but who see no need to go through the bureaucracy of getting the 'badge on the wall', are only deceiving themselves. The reality, I suspect, is that the vast majority of organizations that won't submit their Information Security Management Systems (ISMS) to an external audit against ISO 27001 fear that, when it comes to the push, their systems would fail the test.

Survey after survey tells a depressingly familiar information insecurity story. Most recently, the 10th annual CSI/FBI survey revealed that, even amongst the security-conscious, control-focused members of the CSI, computer crime continued to have a significant financial impact. The average incident last year cost $204,000, and the top two security breaches were virus attacks and unauthorized access, both of which are addressed by the Annex A controls and the management system that ISO 27001 requires.

ISO27001 Effectively Manages Data Security

This evidence, combined with the findings of a recent survey carried out amongst UK-based organizations certified to ISO27001, suggests (somewhat contradictorily) that securing information is rarely the primary driver for achieving certification. The top reason was commercial advantage, summed up by one respondent who said that a certificate 'gives customers confidence that our data security is well managed and certified by an independent source.'

And it’s that certification ‘by an independent source’ which is the real benefit of pursuing ISO 27001 in the first place. US regulators implicitly recognized the importance of external validation for information security effectiveness when they observed that: ‘the best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’

Achieve High Security Standards through ISO 27001

There are sectors in which the ‘badge on the wall’ debate is already history, and in which certification is now becoming a basic business requirement. UK cheque printers, for instance, are required to comply with a sectoral version of ISO27001 and suppliers to the NHS are expected to be on track for certification (there is now a health sector version of ISO17799) - even if the NHS itself still has some way to go. Business Process Outsourcing companies are finding it much simpler to provide a copy of their ISO 27001 certificate in their tender documentation than to answer detailed information security questionnaires.


Monday, March 10, 2008

New ISO standard for IT disaster recovery published

A new ISO International Standard which focuses on IT continuity is now available. ‘ISO/IEC 24762:2008, Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services’ aims to ‘offer guidance on the information and communications technologies and services necessary for disaster recovery as part of business continuity management’.

According to ISO/IEC 24762:2008, business continuity management is an integral part of any holistic risk management process and involves:
* Identifying potential threats that may cause adverse impacts on an organization's business operations, and the associated risks
* Providing a framework for building resilience for business operations
* Providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.

With this new standard, organizations will be able to build resilience into their information and communications technology infrastructure critical to their key business activities. This will complement their business continuity management and information security management initiatives.