The benefits of standardization, and of implementing one or more of the ISO 27000 series standards, are wide and varied. Although they tend to differ from organization to organization, many are common.
The following is a list of potential benefits. As with many items on this website, this is an ongoing project.
Interoperability
This is a general benefit of standardization. The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.
Assurance
Management can be assured of the quality of a system, business unit, or other entity, if a recognized framework or approach is followed.
Due Diligence
Compliance with, or certification against, an international standard is often used by management to demonstrate due diligence.
Benchmarking
Organizations often use a standard as a measure of their status within their peer community. It can be used as a benchmark for current position and for progress over time.
Awareness
Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.
Alignment
Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater alignment between IT and the business often results.
Saturday, August 18, 2007
ISO 27001: Frequently asked questions
Information Security, ISMS, and ISO/IEC 27001 (BS 7799)
- What is information security?
- What is an ISMS?
- Why should I certify my ISMS?
- What is the history and future of the standards?
- What are the main concepts of ISO/IEC 27001 (BS 7799)?
- What is ISO/IEC 27001 (BS 7799), and how does an ISMS relate to it?
- Why does ISO/IEC 17799 (BS 7799 Part 1) matter?
- Why does ISO/IEC 27001 (BS 7799 Part 2) matter?
- How does ISO/IEC 27001 (BS 7799) relate to other management system standards (ISO 9001 and 14001)?
- Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001 (BS 7799-2)?
- How can I get a copy of the standards?
Risk Assessment and Risk Management
- What is risk assessment?
- What is risk management?
- Why are risk assessment and risk management relevant to information security?
- How is risk assessment related to ISO/IEC 27001 (BS 7799)?
- Does ISO/IEC 27001 (BS 7799) define the methodology for risk assessment?
- After implementation, must the organization re-assess risks?
Certification
- What is ISMS certification?
- What is a certification body (CB)?
- Who accredits certification bodies?
- What is the Certification Process?
- How long is a certificate valid?
- Will I be supervised by the certification body?
- Can a certificate be withdrawn?
- Can I return a certificate?
- How do I choose a CB?
- What expertise does atsec have in ISMS?
Implementing an Information Security Management System
There are key steps that every company implementing an Information Security Management System will need to consider:
Step 1: Purchase the Standard
Before you can begin preparing for your application, you will require a copy of the standard. You should read it and make yourself familiar with it.
Step 2: Consider Training
There are training courses available to help you implement and assess your Information Security Management System.
Step 3: Assemble a team and agree your strategy
You should begin the entire implementation process by preparing your organizational strategy with top management. At this stage you should determine the scope of your registration: whether the system will be adopted company-wide or by one or more departments.
Step 4: Review Consultancy Options
You can receive advice from independent consultants on how best to implement your information security management system.
Step 5: Undertake a Risk Assessment
During this phase you should identify and assess the risks to your information, considering the ways in which security could be breached. This should not relate solely to IT systems, but should encompass all sensitive information within your organization.
Step 6: Develop a Policy Document
This will demonstrate management support and commitment to the Information Security Management System process.
Step 7: Develop Supporting Literature
Put together a Statement of Applicability and procedures to support your security policy. These will cover a range of areas including asset classification and control, personnel security, physical and environmental security, and business continuity management.
Step 8: Choose a registrar
The registrar is the third party, such as BSI, that comes to assess the effectiveness of your information security management system and issues a certificate if it meets the requirements of the standard. Choosing a registrar can be a complex issue, as there are so many operating in the market. Factors to consider include industry experience, geographic coverage, price, and the service level offered. The key is to find the registrar who can best meet your requirements. A great place to start is by contacting us.
Step 9: Implement your Information Security Management System
The key to implementation is communication and training. During the implementation phase everyone begins operating to the procedures of the management system.
Step 10: Gain registration
You should arrange your initial assessment with your registrar. At this point the registrar will review your Information Security Management System and determine whether you should be recommended for registration.
Step 11: Continual assessment
Once you have received registration and been awarded your certificate, you can begin to advertise your success and promote your business. Your ISMS will be periodically checked by your registrar to ensure that it continues to meet the requirements of the standard.
From: www.bsiamericas.com