

Tuesday, August 14, 2007

Nine Steps to Success: an ISO 27001 Implementation Overview

This book is the ideal guide for anyone tackling - or about to tackle - ISO27001 for the first time. It gives a clear overview of:

  • how to get management and board buy-in;
  • how to get cross-organizational, cross-functional buy-in;
  • the gap analysis: how much do you really need to do?
  • the relationship between ISO27001 and ISO17799;
  • how to integrate with ISO9001 and other management systems;
  • how to structure and resource your project;
  • use consultants or do it yourself?
  • the PDCA cycle;
  • the timetable and project plan;
  • risk assessment methodologies and tools;
  • the documentation challenges;
  • how to choose a certification body;
  • and much more.

Read about and learn to apply the 6 secrets for a positive certification audit - and achieve the project goal painlessly!

Completely updated to reflect all the changes to both ISO 17799 and ISO 27001, this popular book is one you can't afford to be without!

Product Details

  • Paperback: 120 pages
  • Author: Alan Calder
  • Publisher: IT Governance Ltd (January 1, 2006)
  • Language: English
  • Format: Soft Covers
  • ISBN-10: 1905356129
  • ISBN-13: 978-1905356126
  • Product Dimensions: 8.3 x 5.5 x 0.4 inches

Alan Calder, the author of "IT Governance: a Manager's Guide to Data Protection and BS7799/ISO17799" (now in its 3rd edition and the Open University's postgraduate information security textbook), led one of the first successful BS7799 certification efforts in the world. He is also a member of the certification committee of a global certification body. This book contains the experience and secrets drawn from many successful BS7799 implementations.



The PCI Data Security Standard was originally developed by Visa and MasterCard, and endorsed by other payment providers including American Express, Diners Club and Discover. This Standard included the requirements of Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP). Version 1 was withdrawn from 31 December 2006; the new PCI DSS version 1.1 (here's the download) now applies and is controlled by the independent PCI Security Standards Council. Here is a Summary of Changes between the two versions of the standard.

The PCI Security Standards Council ('SSC') also defines qualifications for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs); and it trains, tests and certifies QSAs and ASVs.

QSAs (here is a current list) carry out inspections of PCI DSS implementations and issue a recommendation of compliance to the various payment brands. Each individual payment brand separately determines whether to accept the recommendation of compliance and whether a detailed review of the report of compliance and compensating controls is warranted.

The Standard basically requires merchants and member service providers (MSPs) who store, process or transmit cardholder data to:

* Build and maintain a secure IT network
* Protect cardholder data
* Maintain a vulnerability management program
* Implement strong access control measures
* Regularly monitor and test networks
* Maintain an information security policy

While the PCI Standard was not written to map specifically to BS7799, ISO17799, CobiT or any other existing framework, it sits clearly within the ISO 17799 framework and organizations that have implemented an ISO 17799 ISMS should be able, with minor additional work, to also demonstrate their conformance with the PCI standard. A document that maps the individual clauses of the PCI DSS v1.1 to the individual clauses of ISO/IEC 27001 Annex A/ISO 17799:2005 is available to subscribers. Subscribers can also access additional guidance on using ISO27001 as a PCI DSS management framework.

All existing merchants and MSPs were required to have complied with the standard by 30 June 2005.

What are the consequences to my business if I do not comply with the PCI DSS?
The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programs and does not impose any consequences for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant. (FAQ from the PCI website)

PCI DSS Resources

Glossary - this document defines terms used in PCI DSS v 1.1 and the other resources available to ASVs and QSAs.

The PCI Self-Assessment Questionnaire (SAQ)

This is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance to the PCI DSS. The currently posted version of the SAQ is based on the Payment Card Industry (PCI) Data Security Standard (DSS) v. January 2005, and it will be valid until version 1.1 of the SAQ is released.

Payment Card Industry Self-Assessment Questionnaire (pdf)
PCI DSS Payment Card Industry Self-Assessment Questionnaire (locked Word)

The Security Audit Procedures document is designed for use by assessors conducting onsite reviews for merchants and service providers required to validate compliance with PCI DSS requirements. The requirements and audit procedures presented in this document are based on the PCI DSS.

PCI DSS Security Audit Procedures (pdf)
PCI DSS Security Audit Procedures (locked Word)

PCI Security Scanning Procedures. This document describes the purpose and scope of the PCI DSS Security Scan for merchants and service providers subject to scans, to help validate compliance with the PCI DSS. ASVs also use this document to assist merchants and service providers in determining the scope of the PCI Security Scan.

PCI DSS Security Scanning Procedures

PCI DSS Validation Requirements for Qualified Security Assessors (QSAs) v 1.1.
To be recognized as a QSA by PCI SSC, QSAs must meet or exceed the requirements described in this document and execute the QSA Agreement with PCI SSC attached to this document as Appendix A.
PCI Qualified Security Assessor (QSA) Agreement
Sample QSA Feedback Form

PCI DSS Validation Requirements for Approved Scanning Vendors (ASVs) v 1.1
Recognition as an ASV by PCI SSC requires the ASV, its employees, and its scanning solution to meet or exceed the described requirements and execute the “PCI ASV Compliance Test Agreement” attached as Appendix A with PCI SSC. The companies that qualify are then identified on PCI SSC’s ASV list on PCI SSC’s web site in accordance with the Agreement.
PCI ASV Compliance Test Agreement
Sample ASV Feedback Form

PCI DSS Technical and Operational Requirements for Approved Scanning Vendors (ASVs) v 1.1
This document provides guidance and requirements applicable to ASVs in the framework of the PCI DSS and associated payment brand data protection programs. Security scanning companies interested in providing scan services as part of the PCI program must comply with the requirements in this document and must successfully complete the PCI Security Scanning Vendor Testing and Approval Process.

From :

Good Ebook

Risk Management Guide for Information Technology Systems
(NIST Special Publication 800-30)
Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk.
An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
