Thursday, October 9, 2008

ISO-27001 Quick Reference

I waffle on about this thing a lot - because I like it.

The fundamental triangle of ISO business standards now rests upon ISO 9001, ISO 14001 and ISO 27001. The documentation is structured so that the “01” document is the standard and the “02” document is the guide. So ISO 27001 is the standard and ISO 27002 is the guide to that standard (neat).

Here’s a handy spider diagram that gives you all the headings from ISO 27002. I use it as a quick tick list to guide people towards drawing up a “scope of applicability” for their business security needs.

Note that the headings go from (4) to (15); there is no (1) to (3). This is one of the great unfathomable mysteries of ISO. We are unworthy of controls (1) to (3); perhaps in an afterlife these ultimate truths will be revealed to us, or maybe they just forgot to include them, I dunno.

Anyway, I hope some folk find this useful.

Source: http://ipvideo.ie/


Friday, October 3, 2008

ISO 27000 Series Update!

The ISO/IEC 27000-series numbering (“ISO27k”) has been reserved for a family of information security management standards, similar to the very successful ISO 9000 family of quality assurance standards and derived from a British Standard called BS 7799.
The following standards are either already published or works in progress:
  • ISO/IEC 27000 will provide an overview/introduction to the ISO27k standards as a whole plus the specialist vocabulary used in ISO27k. Once approved by the members of ISO/IEC JTC1/SC27, it should be published later this year.
  • ISO/IEC 27001:2005 is the Information Security Management System requirements standard (specification) against which over 4,700 organizations have been certified compliant.
  • ISO/IEC 27002:2005 is the code of practice for information security management describing a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
  • ISO/IEC 27003 will provide implementation guidance for ISO/IEC 27001.
  • ISO/IEC 27004 will be an information security management measurement standard to help improve the effectiveness of your ISMS.
  • ISO/IEC 27005:2008 is a new information security risk management standard released in June 2008.
  • ISO/IEC 27006:2007 is a guide to the certification or registration process for accredited ISMS certification or registration bodies.
  • ISO/IEC 27007 will be a guideline for auditing Information Security Management Systems.
  • ISO/IEC TR 27008 will provide guidance on auditing information security controls.
  • ISO/IEC 27010 will provide guidance on sector-to-sector interworking and communications for industry and government, supporting a series of sector-specific ISMS implementation guidelines starting with ISO/IEC 27011.
  • ISO/IEC 27011 will be information security management guidelines for telecommunications (also known as X.1051) and will be released soon.
  • ISO/IEC 27031 will be an ICT-focused standard on business continuity.
  • ISO/IEC 27032 will be guidelines for cybersecurity.
  • ISO/IEC 27033 will replace the multi-part ISO/IEC 18028 standard on IT network security.
  • ISO/IEC 27034 will provide guidelines for application security.
  • ISO 27799, although not strictly part of ISO27k, provides health-sector-specific ISMS implementation guidance.
  • “Other ISO27k” (a holding page on the source site) collects preliminary information on further ISO27k standards, including sector/industry-specific ISMS implementation guidelines whose scopes and ISO27k numbers have not yet been determined.

The names and content of as-yet unpublished standards may well change prior to their publication, especially the early drafts.

Source: http://www.iso27001security.com

Wednesday, September 24, 2008

1st ISO 27001 certification in France for security audits of IT systems

Solucom, a leading player in IT security, has just received certification to ISO/IEC 27001:2005 for its IT system security auditing services.

This internationally recognized certification attests to the implementation of a management system together with organizational and technical security measures. It requires regular reassessment of risks and supports continuous improvement. Solucom’s auditing service was audited and certified by LSTI[1], which is accredited by COFRAC[2].

Laurent Bellefin, Director of Security Operations at Solucom states that, “This is the first 27001 certification in France for security audits of IT systems[3]. We carry out more than a hundred audits annually, which involves handling sensitive client data. The certification and the regular, independent follow-up inspections are our clients’ guarantee that we are outstanding in the protection of the data they provide us.”

Obtaining the certification also enhances what Solucom has to offer in risk management consulting. Gérôme Billois, Security Manager, adds, “This certification demonstrates our commitment to ISO 27001 and our skill in implementing it. It is yet a further proof of our ability to support our major account clients in their own plans for certification or implementation of the standard.”

In France ISO 27001 is eliciting major interest among big companies. “Implementing the standard lets you formalize your security initiatives and ensure you are on top of the risks and constantly improving, which are essential points in today’s governance,” adds Gérôme Billois.

Tuesday, September 23, 2008

eHosting DataFort Achieves ISO 27001

Region's Leading Service Provider Enhances Customer Confidence by Implementing International Security Standard Across Business Units

Dubai: 23 September, 2008 - eHosting DataFort (EHDF), the region's leading IT outsourcing and consulting services provider and a member of TECOM Investments, today announced that its internal business units have successfully implemented the ISO 27001 Information Security Management System (ISMS), an international standard for addressing information security concerns.

The decision to implement the management system across all departments, including its Data Centres and security operations, confirms eHosting DataFort's continual commitment to its customers by improving the security of business information. It makes EHDF the first service provider in the region, and among a select few worldwide, to implement such a system throughout the organization.

Implementing ISO 27001 is part of eHosting DataFort's certification process for establishing a Corporate Governance and Management System (CGMS) program, which spans several international standards including ISO 20000, ISO 9000 and BS 25999. These certifications will take effect across eHosting DataFort's business units shortly.

Mohamed Fouz, CEO of eHosting DataFort, said: "Information security is a critical component of our business. Protecting business information through a robust security management system using effective security controls is a key management responsibility."

eHosting DataFort's initiative is a proactive step towards providing customers with a more agile and secure infrastructure through the Corporate Governance and Management System program, in light of the recent security breaches that have affected businesses across the region.

"Implementing ISO 27001 and complying with international standards will enhance the customers' overall confidence in eHosting DataFort," added Fouz.

Ahmed Baig, Manager, Security Consulting at eHosting DataFort, said: "Many organizations believe that securing their IT systems will guarantee the security of critical information. But as many organizations have realized, security breaches are the result of absence of governance including processes and controls. eHosting DataFort is not only committed to raising the level of security standards in the region, but also firmly believes in living up to its commitment of providing reliable and secure services to its customers."

eHosting DataFort's consulting team has also successfully implemented ISO 27001 at Dubai Aluminum Company (DUBAL), Kuwait National Petroleum Company (KNPC), and more recently, at the Emirates Identity Authority (EIDA).

Committed to promoting information security within the region, the team at eHosting DataFort manages a 24/7 Security Operation Centre for monitoring and managing the security of leading organizations across the MENA region.

Its Corporate Social Responsibility (CSR) objective focuses on spreading awareness of information security and technology in the community, targeting schools, universities and the government/public sector through the Marifaty (My Knowledge) and Muthabara (Persistence) programmes.

eHosting DataFort offers consulting and advisory services in information security, IT service management, business continuity and quality management systems.

Health information security standard issued

In an effort to help protect personal health care information, the International Organization for Standardization (ISO) has published a new standard that specifies controls for managing health information security and applying best practices.

According to an ISO statement, the new standard - ISO 27799:2008 - applies to all health information in “whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it.”

The new standard, announced in late August, addresses the use of internet and wireless technologies to share personal medical information, and the need to better protect confidentiality and keep data private.

“An important consideration was the adaptability of the guidelines, bearing in mind that many health professionals work as solo health providers or in small clinics that lack dedicated IT resources to manage information security,” the statement said.

Richard Rushing, CSO at wireless security firm AirDefense, told SCMagazineUS.com on Wednesday that the standard shows that many organizations face the same issues and should therefore follow similar guidelines.

“If followed, it would make information more secure,” Rushing said, “but there is usually nothing that specifically states that it is to be followed, except for maybe an audit that may have occurred sometime in the past.”

The ISO standard will do things that Health Insurance Portability and Accountability Act (HIPAA)-related laws cannot do, said Rani Osnat, vice president for marketing with Sentrigo, a database security company.

“HIPAA protects privacy, but it is not an IT standard,” Osnat told SCMagazineUS.com. “It doesn't do anything to protect data from an IT standpoint. This ISO [standard] will provide a much-needed benchmark for health organizations to follow to encourage better IT security.”

Source: http://www.scmagazineus.com

Monday, September 22, 2008

Press Release - New Brand

New York, September 22nd – Axur and Realiso Corp. announce that, from this date, the Axur ISMS solution has a new brand and is called Real ISMS, property of Realiso Corp.

Please update your bookmarks. The Real ISMS site is at www.realiso.com/realisms

For more information, please contact us at contact@realiso.com


Realiso Corp.

626, Glenn Curtiss Blvd - Uniondale

New York, USA

Monday, September 15, 2008

Innominds Software Receives ISO 27001 Certification

United States of America (Press Release) September 15, 2008 -- Innominds Software, a leading provider of Software Product Engineering Services, has received ISO 27001:2005 certification for its information security management system from Certification International UK, which is accredited by the United Kingdom Accreditation Service (UKAS). The certificate validates that the services and security management of Innominds adhere to the highest standards in the world. With this, Innominds is among the few companies globally to hold ISO 27001:2005 certification.

ISO 27001 specifies a management system that identifies, manages and minimizes a range of threats to business information. It provides requirements for implementing a structured risk management process, setting up policies, and ensuring a secure infrastructure is in place. Certification shows that a business has taken preventative measures to protect clients' data, and demonstrates to customers and prospects that the business is observing a duty of care.

Commenting on the certification, Mr. Divakar Tantravahi, MD, Innominds, said, “Receiving ISO 27001:2005 certification is an important milestone for our global business. As a Product Engineering service company, it's imperative we have a robust process in place to protect the Intellectual Property (IP) of our customers, and this process helps us to ensure the confidentiality, integrity and availability of information and information processing infrastructure to protect the interests of all the stakeholders, and also the physical, environmental, data and network security for our premises.”

“This certification is important as it generates client confidence in the solution provider. As Innominds gears up to deliver more services from its offshore locations in India, it is important that it generates confidence in handling data securely,” he adds.

About Innominds:
Ranked among the Global Software 500 (source: Software Magazine 2005), Innominds Software is a specialized Software Product Engineering Services provider based in San Jose, CA, with an offshore development center in Hyderabad. Innominds is ISO 9001:2000 certified and its development methodology directly addresses the toughest challenges faced by product engineering management aspiring to fuel innovation and mitigate business, financial and technology risks. For more information, visit the company's website at www.innominds.com