

Wednesday, October 3, 2007

Executive Briefing On ISO 17799:2005 & ISO 27001:2005

PDF file, 22 pages
Source :

• What is Information Security?
• What is Information Security Management?
• Why is Information Security Management Needed?
• What is an Information Security Management System?
• How do ISO 17799 and ISO 27001 fit into the picture?
• ISO 17799 & ISO 27001 summarized
• What are the benefits of ISO 27001 certification?
• ISO 27001 certification scheme
• How does an organization achieve certification?
• Worldwide trends in ISO 27001 certification
• Market considerations
• Where to go from here?
• The bottom line
• More Information

The benefits of ISO 27001:2005

The reputation of ISO, and certification against the internationally recognized ISO 27001:2005, enhances any company’s credibility. It clearly demonstrates that your information is handled properly and that there is a real commitment to upholding information security. Setting up and certifying an ISMS can also transform your corporate culture both internally and externally, opening up new business opportunities with security-conscious customers and clients, in addition to improving employee ethics and the awareness of confidentiality throughout the workplace. What’s more, it allows you to enforce information security and reduce the risk of fraud, information loss and disclosure.

Source :

Information Technology Risk Assessment

An information technology risk assessment tries to identify the risks, human and natural, that an information technology asset is exposed to. These range from earthquakes, storms and fire to human error, fraud, disgruntled employees and external intrusion. In addition, an ESTec information technology risk assessment assesses the vulnerabilities and the countermeasures already in place. The examination then ranks the threats and vulnerabilities and identifies additional countermeasures appropriate to protecting the sensitivity, criticality and reliability associated with the information technology asset.

To keep your expenses to a minimum and your protection to a maximum, ESTec establishes a cost value for every type of impact on your information technology asset. The event probability gives management an insurance value for each type of event and each asset involved, allowing your management to justify the expenditures for the countermeasures for potential events and interruptions of service. That way, you get the most bang for your buck.

Information technology risk assessment is an integral part of ISO 17799 / ISO 27001 information security management systems. ESTec can provide training for internal information technology risk assessment and risk management personnel, as well as outside information technology risk assessment services. A standards-based information security management system includes a formal risk management plan for the organization. Risks must be identified and then either treated by countermeasures, transferred to a third party, or, in some cases, accepted by the organization as part of normal business risk.
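The three paragraphs above describe a quantitative risk assessment: rank each threat by what it is expected to cost per year (impact cost times event probability, the "insurance value"), use that figure to justify countermeasure spending, and then decide per risk whether it is treated by a countermeasure, transferred to a third party, or accepted. The script below is an added example of that workflow; it is not ESTec's tool or method, and every asset, threat, loss figure, probability, control and insurance premium in it is constructed for illustration.

```python
"""Quantitative IT risk assessment: rank threats by expected annual loss,
justify countermeasures by the risk they remove per unit of cost, and decide
whether each risk is mitigated, transferred or accepted.
Added example (not ESTec's tool); all figures below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (asset, threat event)


@dataclass(frozen=True)
class Threat:
    asset: str
    event: str
    single_loss: float   # cost of one occurrence, in currency units
    annual_rate: float   # expected occurrences per year (event probability)

    @property
    def key(self) -> Key:
        return (self.asset, self.event)

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: the 'insurance value' of this event."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    covers: Tuple[Key, ...]  # which (asset, event) pairs the control acts on
    rate_factor: float       # residual fraction of annual_rate with the control
    loss_factor: float       # residual fraction of single_loss with the control


def residual_ale(threat: Threat, measure: Countermeasure) -> float:
    """ALE remaining once the control is in place (unchanged if not covered)."""
    if threat.key not in measure.covers:
        return threat.ale
    return (threat.single_loss * measure.loss_factor) * (threat.annual_rate * measure.rate_factor)


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Step 1: rank threats by what they are expected to cost per year."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def evaluate_countermeasure(threats: List[Threat], measure: Countermeasure) -> Dict[str, float]:
    """Step 2: the budget justification. A control earns its place only if the
    annual loss it removes exceeds what it costs to run (positive net benefit)."""
    before = sum(t.ale for t in threats)
    after = sum(residual_ale(t, measure) for t in threats)
    risk_removed = before - after
    net_benefit = risk_removed - measure.annual_cost
    rosi = net_benefit / measure.annual_cost if measure.annual_cost else float("inf")
    return {"risk_removed": risk_removed, "net_benefit": net_benefit, "rosi": rosi}


def treatment_plan(threats: List[Threat], measures: List[Countermeasure],
                   premiums: Dict[Key, float], risk_appetite: float) -> Dict[Key, str]:
    """Step 3: below the appetite, accept; else mitigate with a cost-justified
    control; else transfer when an insurer's premium is below the expected
    loss; else accept explicitly and record it as a business risk."""
    adopted = [m for m in measures if evaluate_countermeasure(threats, m)["net_benefit"] > 0]
    plan: Dict[Key, str] = {}
    for t in threats:
        if t.ale <= risk_appetite:
            plan[t.key] = "accept"
            continue
        control = next((m for m in adopted if t.key in m.covers), None)
        if control is not None:
            plan[t.key] = f"mitigate: {control.name}"
        elif premiums.get(t.key, float("inf")) < t.ale:
            plan[t.key] = "transfer"
        else:
            plan[t.key] = "accept (above appetite; record as business risk)"
    return plan


# Constructed sample risk register and control options (not real client data).
THREATS = [
    Threat("customer DB", "external intrusion", single_loss=400_000.0, annual_rate=0.1),
    Threat("customer DB", "disgruntled insider", single_loss=150_000.0, annual_rate=0.05),
    Threat("data centre", "fire", single_loss=2_000_000.0, annual_rate=0.01),
    Threat("file server", "human error", single_loss=5_000.0, annual_rate=4.0),
    Threat("web portal", "storm outage", single_loss=30_000.0, annual_rate=0.2),
]
MEASURES = [
    Countermeasure("privileged access review", 8_000.0,
                   (("customer DB", "external intrusion"), ("customer DB", "disgruntled insider")),
                   rate_factor=0.5, loss_factor=1.0),
    Countermeasure("fire suppression upgrade", 30_000.0, (("data centre", "fire"),),
                   rate_factor=1.0, loss_factor=0.25),
    Countermeasure("backup validation", 3_000.0, (("file server", "human error"),),
                   rate_factor=1.0, loss_factor=0.2),
]
PREMIUMS = {("data centre", "fire"): 12_000.0}  # constructed insurer quote

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.asset:12s} {t.event:20s} ALE {t.ale:>10,.0f}")
    for m in MEASURES:
        r = evaluate_countermeasure(THREATS, m)
        print(f"{m.name:26s} net benefit {r['net_benefit']:>9,.0f}  ROSI {r['rosi']:.2f}")
    for key, decision in treatment_plan(THREATS, MEASURES, PREMIUMS, risk_appetite=6_000.0).items():
        print(f"{key[0]} / {key[1]}: {decision}")
```

With these constructed figures the fire suppression upgrade removes 15,000 of expected annual loss but costs 30,000, so it is not justified and the fire risk is transferred to the insurer instead; the two cheaper controls have a positive net benefit and are adopted. The same arithmetic is what lets management defend a budget line for each countermeasure.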

Sample Case Risk Assessment
Customer: West Coast Utility
Services: Information Technology Risk Assessment
Problem: A new client information system was to be implemented. Management wanted a justification for the budget requests for the project.
Solution: An ESTec consultant worked with the IT department to develop a detailed risk assessment for the project's assets.
Results: The company was able to control and direct expenses to do the greatest good, and ended up saving a high percentage of the original allocation of funding for this protection.

Source :

A Business Case for ISO 27001 / ISO 17799 / BS 7799

The business value of ISO17799

A case study by

This case study concerns an IT services company that decided to implement ISO17799, the Code of Practice for Information Security Management, and gained significant business advantages as a result. The case reveals some surprising linkages between information security management and general business management, and several indirect benefits that are seldom mentioned.

Business situation
“ServiceCo” [not its real name] is a supplier of IT services, hardware and software to corporate clients. Having gained its ISO 9002 certificate nearly ten years ago, staff were used to working in a consistent manner using documented quality procedures and guidelines. A couple of years ago, however, the atmosphere within the company had turned sour. Management decisions were mostly being made instinctively on “gut-feel” with little real analysis. With staff turnover increasing, senior management recognised the need to change and took a long hard look at the organization’s strengths and weaknesses.

ServiceCo management decided to implement ISO17799. According to a senior ServiceCo director, “Implementing ISO17799 made business sense. Securing ServiceCo’s internal information would reduce the risk and hence the cost of serious breaches. ISO17799 is a known security framework developed by some of the world’s leading companies (BT, HSBC, Shell International and Unilever, amongst others), so it gave us the means to implement best practice security controls.”

Benefits of implementing ISO17799
The director told us “ISO17799 is not just about information security or IT – it actually helps the organisation save and make money.” He identified the following business benefits of ISO17799:
Direct benefits

Increased reliability and security of systems:
“Like all businesses ServiceCo is reliant upon information systems. ISO17799 has ensured that we now have controls in place that maintain system availability and reduce the risk of vulnerabilities being exploited. Post-certification ‘surveillance visits’ and re-certification audits to ISO17799 ensure the business keeps up-to-date with the latest vulnerabilities and best practices.”

Increased profits:
“Sales and margins are up, and clients’ perceptions of our business have improved. Our BS7799 Part 2 certificate demonstrates that we can be trusted to secure our customers’ data, as well as our own. Our customers not only understand that our investment in ISO17799 has given them benefits, but they are prepared to spend a little more for a secure IT infrastructure. Since gaining ISO17799, we have already seen a marked increase in our bottom line profit and some new customers are telling us they prefer to trade with companies who have a recognised security certification. Additionally, we are now seeing more Invitations To Tender from businesses that list ISO17799-compliance as a pre-requisite. And, by the way, our employees are wasting less time surfing the Internet for sites not related to work!”

Cost-effective and consistent information security:
“We have implemented cost-effective security matched to our business needs. ServiceCo had many technical safeguards throughout the organisation, but the risk assessment highlighted that some of our safeguards offered little or no business benefit and would provide a better return on investment if they were reconfigured to protect assets that required a higher level of protection. All divisions and departments within ServiceCo had previously developed their own security guidelines. ISO17799 helped us develop a consistent approach to security by creating uniform policies incorporating industry best practice. Where necessary, employee compliance with the policies is supported by an enforceable disciplinary process.”

Systems rationalisation:
“Analysing our information and information security requirements properly means we spend our money wisely. We were able to cut about 50% of our systems and data when we realised they were not worth keeping, and we actually relaxed controls on some low-risk systems.”

Compliance with legislation:
“Implementing ISO17799 forced us to comply with UK legislation in areas such as data protection and software copyright.”
Indirect benefits

Improved management control:
“Managers have more control over the organisation, and better quality information with which to manage it - management effort is therefore reduced.”

Better human relations:
“Clear policies, procedures and guidelines make things easier for our staff – the atmosphere has improved and staff turnover has reduced. ISO17799 has made ServiceCo different from our competitors and provided the company with a unique selling point, leading to a better working environment for all of our staff. Employees now recognise that their earning potential is dependent on how customers perceive the company brand and that any negative publicity could affect them. Professionalism has improved throughout the company. Given that so much of security relies on internal controls, we needed to look more carefully at who we were employing. Through ISO17799 we introduced more thorough recruitment processes that reduce the risk of employing people unsuitable to the position or who could potentially put our business at risk. We now know who is working for us!”

Improved risk management and contingency planning:
“Through the ISO17799 certification process, ServiceCo identified its vulnerabilities, threats and potential impacts to the business. As a result of this and implementing controls from ISO17799, ServiceCo now has a more structured approach to risk management. For example, we now have a rational process to decide which risks to transfer to our insurers. We also now have a business continuity plan that suits the business, not just the IT department. The risk assessment identified information assets that are critical to the success of the business. This enabled us to produce a business continuity plan that prioritised these assets and reduces our potential exposure to financial loss or negative publicity.”

Enhanced customer and trading partner confidence:
“With the heightened sensitivity to security breaches, trading partners, customers and vendors were looking for evidence of security. ISO17799 certification has provided this assurance. In any industry you have to stand out from your competitors. Being the first IT Value Added Reseller in the world to obtain ISO17799 is a bold statement that will always be unique to ServiceCo. Having the ISO17799 logos on our company literature is a continual reminder to potential and existing customers that we are a professionally-run organisation who take the confidentiality, integrity and availability of their and our information seriously.”

“Despite what people say, the costs of implementing ISO17799 are very modest. The main cost element was the pain of cultural change (we had to ‘let a couple of our people go’ for not complying with our policies and procedures). The regular compliance reviews to maintain our certification only cost us about £3k [$5k] p.a., so ISO17799 is very cost-effective. We are now talking to our assessors about combining the ISO17799 and ISO 9002 reviews to save time and money.”

For more information
To find out more about this case study or for help to assess the business value of ISO17799 to your organization, contact IsecT Ltd.

Source :