Friday, March 28, 2008

ISO 27001 - What really matters is an ISMS.

Life would be simple if curing security headaches were just a matter of buying some new technology. In reality, good security requires fundamental organisational change, says Danny Bradbury.

What constitutes good security today? Simply throwing a firewall at your system won't cut it, says Ross Anderson, professor of security engineering at Cambridge University's computer laboratory.

"It usually comes down to how people behave in institutions," he warns. "Managers optimise their own utility, rather than the shareholders'."

All too often, those in charge resort to buying equipment, plugging it in and declaring the problem solved. In reality, security must be part of the company's DNA at an operational level.

At the heart of the debate lies the disparity between the box-tickers, who do just enough to satisfy the regulators, and those who put in extra effort, says Mark Lobel, principal in advisory services at consultancy PricewaterhouseCoopers.

"There are two ways you can go about it. You can adopt a compliance-based approach and tick every box in the Sarbanes Oxley rule book, or you can take a risk-based approach," he says. "A risk-based approach is the way you should approach this."

That approach entails identifying and analysing real threats to the organisation. More mature companies may use some kind of risk matrix to quantify this, say, with the probability of risk on one axis, and impact to the organisation on the other.

"By identifying and starting with the business objectives, you make sure that you're properly aligned and focused," says Lobel.

But companies need a more detailed framework than this. David Cole, academy team leader and senior consultant at risk management consultancy DNV IT Global Services, thinks he has the answer.

"ISO 27001 is a standard on how to set up a management system," Cole says. "It tells you what is expected of an information security management system."

Read more at:,3800014480,39170493,00.htm
