

Thursday, August 30, 2007



The British Standards Institution (BSI) recommends the Plan-Do-Check-Act (PDCA) methodology for implementing the ISO 27001 standard. INFOAMN has developed a methodology for implementing ISO 27001 controls that breaks the PDCA cycle into five distinct phases: Security Profiling, which identifies the gaps between the current security posture and the BS 7799/ISO 27001 standard; Security Prescription, which specifies the security measures to close those gaps; Security Treatment, where the measures are implemented; and Security Vigil, where the implementation is monitored to confirm that the measures are actually mitigating the identified risks to the information assets. Successful completion of these four phases leads to the final phase, Security Certification.


ISO 27001 specifies the requirements for an Information Security Management System (ISMS): a management framework within which an organization can examine and improve its security health. (The accompanying Code of Practice, which describes the controls in detail, is ISO 27002, formerly ISO 17799.) 'End-to-end' security is required and the selected controls must reflect this. Under each control domain there are defined objectives and related controls. INFOAMN's role is to identify the applicable controls on the basis of the risk assessment and to formulate the corresponding policies and procedures. ISO 27001 contains a comprehensive set of security controls for raising the level of security within any organization. Even where formal certification is not a strategic objective, aligning with the principles of ISO 27001 brings tangible benefits: reduced exposure to a wide range of threats, a more secure operational environment, assurance that security practice is in line with industry best practice, improved user security awareness and a basis for prioritizing security needs. An information security gap analysis against the ISO 27001 standard shows an organization its current state of security and lets it decide the roadmap from there.


Outsourcing selected managed security services (MSS) through a partnership with an MSS provider is often a good solution for transferring day-to-day information security operations; accountability for the risk itself remains with the organization. Contracting an MSS provider lets the organization share risk management and mitigation approaches. INFOAMN manages the information security issues so that the organization can concentrate on its core business.


Application security testing analyzes a custom application for vulnerabilities. It can be done either as a 'black box' test, without access to the source code, or as a 'white box' test, with access to the source code. An application security test verifies that a customized application is secure and does exactly what it is supposed to do, and nothing more.


The technical security audit modules broadly cover the perimeter devices, network devices, desktop PCs, servers, applications and databases. The overall network security architecture is also reviewed against the business requirements and goals, including its connectivity to trading partners and to the Internet. Adequate security solutions and technical controls are then recommended to mitigate the identified risks.


Penetration testing and vulnerability assessment are two different and complementary proactive approaches to assessing the security posture of information systems and networks. A penetration test examines the security posture from an external attacker's perspective, attempting to exploit weaknesses to demonstrate their impact, whereas a vulnerability assessment tests the security posture from the vantage point of an internal attacker, enumerating and prioritizing known weaknesses. A comprehensive methodology for fixing the identified vulnerabilities is recommended. INFOAMN has a proven track record of finding both known and new threats.


Leakage of critical data through email, and the loss of productive time and bandwidth, are major concerns for organizations, and spam volumes are increasing by the day. INFOAMN offers a MIMEsweeper content-filtering and anti-spam solution that helps organizations protect critical data by enforcing security policies on email content, which also increases overall productivity.
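To make the content-filtering idea concrete, the following is an added example (not Infoamn's code and not the MIMEsweeper product's policy language) of the kind of policy check a mail gateway applies to each message: parse the MIME structure, inspect text bodies and attachments, and decide whether to deliver or quarantine. The blocked extensions, the sensitive-data patterns, the size cap and the sample messages are all assumptions constructed for the example.

```python
"""Illustrative email content-filtering check (added example).

Parses an RFC 822 message, walks its MIME parts and applies a simple policy:
block dangerous attachment types, flag oversized attachments and flag text
that matches sensitive-data patterns. Returns a verdict and the findings.
"""
import os
import re
from email import message_from_string

# Assumed policy values (not from the page): attachment types that are
# never delivered, patterns that indicate critical data, and a size cap.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs"}
SENSITIVE_PATTERNS = [
    re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
    re.compile(r"\b\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{4}\b"),  # card-number-like
]
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024


def inspect_message(raw: str) -> dict:
    """Apply the policy to one raw message; returns {'verdict', 'findings'}."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"blocked attachment type: {filename}")
            if len(payload) > MAX_ATTACHMENT_BYTES:
                findings.append(f"attachment too large: {filename}")
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            text = payload.decode(charset, errors="replace")
            for pat in SENSITIVE_PATTERNS:
                if pat.search(text):
                    where = filename or "body"
                    findings.append(f"sensitive content matched {pat.pattern!r} in {where}")
    verdict = "quarantine" if findings else "deliver"
    return {"verdict": verdict, "findings": findings}


# Constructed sample: a message that violates the policy twice.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@partner.example
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Bob, attached are the figures. Please keep this CONFIDENTIAL.

--XYZ
Content-Type: application/octet-stream; name="tool.exe"
Content-Disposition: attachment; filename="tool.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Constructed sample: a plain message the policy should let through.
CLEAN_MESSAGE = """\
From: alice@example.com
To: bob@partner.example
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Lunch at 12:30?
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = inspect_message(raw)
        print(name, result["verdict"], result["findings"])
```

A real gateway would also decode nested archives and apply the same checks to inbound mail (malware) as well as outbound mail (data leakage); the point here is that policy enforcement happens on the parsed MIME structure, not on the raw text, so that encoded attachments are inspected as what they are.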


With the increased popularity of remote working in recent years, wireless networks have become common. However, when many of these wireless networks were deployed, little was known about their security risks. A wireless LAN needs to be audited just like the internal network: systems reachable through wireless devices are more exposed to attack if they are not monitored and properly secured.


Network architecture is the backbone of any secure information systems network. Inherent weaknesses and design flaws in the network architecture that could lead to a compromise of confidentiality, integrity or availability are identified, a mitigation strategy is suggested, and the proposed network architecture is designed and delivered. INFOAMN follows a structured approach to network security design, often within the client's existing infrastructure or by recommending additional best-of-breed security components.


Securing desktop workstations and laptops is a significant part of any network and information security strategy, because of the sensitive information often stored on workstations and their connection to the networked world. Many security problems can be avoided if the workstations and the network are appropriately configured. Default hardware and software configurations, however, are set by vendors who tend to emphasize features and functions over security. Since vendors cannot know your security needs, workstations should be configured according to the organization's own security policy.

Source :

Infoamn Consulting is Iran's leading provider of services and solutions for information security, business continuity and risk management. We offer a complete, end-to-end portfolio encompassing consultancy, testing, implementation, training and managed services. Infoamn Consulting is the first Iranian company to have applied for BS 7799/ISO 27001 certification.

1 comment:

ISO 27001 Certification said...

We are providing the ISO 22000 Certification awareness and auditor training kit with more than 300 slides in ppt and trainer handouts for easy understanding for the client. In our kit more than 350 audit questions on ISO 27001 are given to prepare the auditor's own ISO 27001 audit checklist for quick auditing of the system. Our product is editable and delivery is given by ftp download as per the demo given on our web site. Also workshops and case studies are given to evaluate the auditors. The sample ISO 27001 auditor certificate is given in the package and on successful completion of these workshops auditors can get the training certificate.