ISO 27001: A new standard for IT security
Thursday July 27, 2006 (11:01 AM GMT)
By: Mikael Vingaard
http://www.itmanagersjournal.com/article.pl?sid=06/07/26/1453251

Information security flaws can create havoc within your business operations. The ISO 27001 standard for information security management systems can help you locate existing security problems and prevent future threats before they harm your organization.

ISO 27001 is the new international standard for Information Security Management Systems (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). An ISMS is a planned way of managing an organization's information so that it remains secure, using the right combination of people, processes, and IT systems. ISMS best practice covers a wide range of planning aimed at ensuring business continuity, minimizing business damage, and maximizing ROI and business opportunities. The standard sets out how the planning process should go and specifies the components that must be identified; people, processes, and practices are all essential.

Officially known as ISO/IEC 27001:2005, the standard was published last October and replaces the British BS 7799-2, the certifiable "requirements" standard. It does not replace ISO 17799, which is the companion code of practice that ISO 27001 draws its control catalogue from; ISO 17799 is expected to be renumbered ISO 27002 to fit the new series, but ISO has not yet made a final statement on that renumbering.

Internationalization of these standards will create demand for a recognised ISMS certification: clients may in future ask whether your organization has achieved ISO 27001 certification. Beyond that "marketing" value, the standard gives IT managers a framework built on the "Plan-Do-Check-Act" cycle: plan the ISMS scope, risk assessment and risk treatment; implement the chosen controls; monitor, measure and audit them; and correct and improve. If the Sarbanes-Oxley Act applies to your business, ISO 27001 could be your best route to such a framework. If SOX does not apply to you -- if you operate outside the US, for instance -- you may be less interested in it on those grounds.

Successful certification requires a methodical approach, careful consideration of scope, and a thorough understanding of your organization's information security needs.

Achieving ISO 27001 certification mitigates the risk of human error by putting sound procedures and rules in place. The certification process involves several visits from accredited external auditors, who review documents and processes; any non-conformity must be corrected before their next visit. How long certification takes varies greatly, as no two organizations are alike.

There is a clear relationship between ISO 27001 and the Sarbanes-Oxley Act's expectation of an information security management system that is integrated, comprehensive, and incorporates widely recognized best practices. ISO 27001 is a step toward achieving and demonstrating SOX compliance. Certification is not, however, proof in itself that the requirements of SOX section 404 have been met: section 404 concerns internal controls over financial reporting and is assessed by the company's financial auditors, and an ISMS certificate only covers the scope the organization chose to certify. What it does give your clients and auditors is evidence of a documented, independently audited control framework around the systems in that scope.

You can read the standard yourself -- at the time of writing it can be bought online for $107 from Ansi.org or for £90 from British Standards Online, among other places. If your organization is subject to the Sarbanes-Oxley Act or other security legislation, take a look at ISO 27001. As an international standard and framework for best practices, it is very good, and any organization can benefit from its "Plan-Do-Check-Act" approach, even without planning to get certified.

Mikael Vingaard, CISSP, works at BSDConsult with the ISO standards and on support and education for the OpenBSD and FreeBSD operating systems.

_______________________________________________
Infowarrior mailing list
[email protected]
https://attrition.org/mailman/listinfo/infowarrior
