Thursday, June 19, 2008

ISO 27005 will assist organizations in their information security risk management

The FINANCIAL -- Organizations of all types are concerned about threats that could compromise their information security, and managing this aspect has become a primary concern for their information technology (IT) departments.

The new International Standard ISO/IEC 27005:2008, which describes the information security risk management process and associated actions, will help them to manage risks.

Threats may be deliberate or accidental, and may relate either to the use and application of IT systems or to IT's physical and environmental aspects. These threats may take any form, from identity theft, the risks of doing business online, denial-of-service attacks, remote spying, and theft of equipment or documents through to seismic or climatic phenomena, fire, floods or pandemics. They may result in various business impacts, for example financial loss or damage, loss of essential network services, loss of customer confidence, loss of power supply or failure of telecommunication equipment.

"A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event. Risk assessment quantifies or qualitatively describes the risk and enables managers to prioritize risks according to their perceived seriousness or other established criteria," ISO reports.

ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

The new standard is designed to assist the implementation of ISO/IEC 27001, the information security management system standard, which is based on a risk management approach. Knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, is important for a complete understanding of this International Standard.

The information security risk management process consists of:

  • context establishment
  • risk assessment
  • risk treatment
  • risk acceptance
  • risk communication
  • risk monitoring and review

However, ISO/IEC 27005:2008 does not prescribe any specific methodology for information security risk management. It is up to the organization to define its approach to risk management, depending, for example, on the scope of the information security management system, the context of risk management, or the industry sector.

Edward Humphreys, convener of the ISO/IEC working group that developed the standard, comments: “Today, most organizations recognize the critical role that information technology plays in supporting their business objectives and with the advent of the Internet and the prospect of performing business online, IT security has been in the forefront. ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.”


Wednesday, June 11, 2008

DoF participates in ISO meeting in Japan

DoF's participation - the first ever by a governmental organisation from the GCC region - reflects its commitment to adopting the latest total quality standards at all levels of governmental practice, especially in information security.

This is in line with DoF's preparations to obtain ISO/IEC 27001 certification by the end of this year.

The participants in the Kyoto meeting discussed several topics related to information security systems, including the applied standards and universal measures set by ISO in this sector.

The participants brought up issues pertaining to information security management for critical infrastructure and information security governance. 

'Our participation comes in line with the directives of DoF's top management represented by H.H. Sheikh Mohammed Bin Khalifa Al Nahyan, Chairman; H.E. Hamad Al Hurr Al Suwaidi and H.E. Mohammed Sultan Al Hameli, Executive Director, to enhance the level of IT performance and security. DoF has achieved several milestones in implementing its IT infrastructure and now works to add more value and to enhance overall quality standards,' said Salem Al Rumaithi, Head of the IT Directorate at DoF. 

The discussions at Kyoto focused on a series of standards that help in establishing and maintaining an efficient information security management system, following a continual improvement approach. Putting these standards into practice helps attain the security control objectives through a recommended range of specific security controls.

Butti Al Rumaithi, Head of Information Security Office, said: 'We are committed to improving the performance of IT systems and information security procedures by adopting international best practices in this field. During the meeting, we exchanged ideas about ways of managing information systems and enhancing their security. We also shared views concerning the implementation of international standards related to data protection and risk management. We look forward to leveraging the department's participation in specialised international meetings, as we consider that developing the overall performance and enhancing security of our IT systems is one of our top priorities.'

DoF recently launched its Strategic Plan for 2008-2012, which includes priorities calling for the development of state-of-the-art IT to support the future role and activities of the Department.