
Monday, June 30, 2008

ISO 27001 Certification FAQ

What is certification?
ISO/IEC 27001 certification is the process by which an organization’s ISMS is examined against the ISO/IEC 27001 specification by an accredited certification body.

What is a certification body?
A certification body (also called a registration body, assessment and registration body, or registrar) is a third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.

Who accredits certification bodies?
Accreditation bodies assess and attest to the competence of certification bodies to certify products and management systems. These accreditation bodies are usually, but not always, national in scope (for example UKAS in the UK).

What is the certification process?
The certification process includes:

1. Part 1 audit (also known as a desktop audit). Here the CB auditor examines the pertinent documentation.
2. Taking action on the results of the part 1 audit.
3. Part 2 audit (on site audit). Here the CB sends an audit team to examine your implementation of the reviewed, documented ISMS.
4. Correction of audit findings. Agreeing to a surveillance schedule.
5. Issuance of certificate. (Depending on the CB this can take a few weeks to several months.)

Following initial certification, the ISMS is subject to surveillance as specified by the CB, and then requires re-certification after three years.

From: www.atsec.com

ISO 27001 CERTIFICATION EXPLAINED

Contrary to common belief, certification is granted against ISO 27001, not ISO 17799 (ISO 17799 is a code of practice and contains no auditable "shall" requirements). The certification itself is international, in that National Accreditation Bodies have a mutual recognition model in place enabling certifications granted in one territory to be recognized in another. Clearly, this is essential for an international standard.

Common reasons to seek certification include: organisational assurance; trading partner assurance; competitive advantage (market leverage); reduction or elimination of trade barriers; reduced regulation costs; and so on.

To meet the certification requirements, an organization's ISMS must be audited by a 'Certification Body' (or strictly speaking, an assessor who works for a Certification Body). There is a clear segregation of duties here: the assessor must be independent of any consultancy or training delivered to the organization being certified.

A Certification Body must have been accredited by the National Accreditation Body for the territory in question (eg: UKAS in the UK). This helps ensure that the Certification Bodies meet national and international standards for their services, and ensure consistency. In respect to ISO 27001, this is typically a document called EA-7/03 (‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’).

The following diagram may clarify this process:



Different certification bodies tend to adopt slightly different approaches to the exercise, with some being more 'hands on' than others. However, the following six step process is a fairly common one:

1 - Questionnaire (the Certification Body obtains details of your requirements)
2 - Application for Assessment (you complete the application form)
3 - Pre-assessment Visit or a 'Gap Analysis' (optional)
4 - The Stage 1 Audit (a 'Document Review'). This is the first part of the audit proper.
5 - The Stage 2 Audit (otherwise called the 'Compliance Audit')
6 - Ongoing Audits (surveillance visits, then re-certification)

Monday, June 9, 2008

New Risk Assessment Tool for ISO27001 Consultants Simplifies and Accelerates Compliance Process for Clients

Following the successful launch of the vsRisk ISO27001 compliance tool at Infosecurity Europe 2007, Vigilant Software has launched a complementary software tool for IT consultants and information security specialists. vsRisk Consultant Edition (vsRCE) is a powerful new software product that will enable information security consultants to deploy vsRisk as their preferred risk assessment tool in up to 10 different clients.

Targeted at specialist consultants dealing with ISO27001 compliance, vsRCE is an affordable and intuitive risk assessment management tool for the IT consultant community that allows consultants the ability to directly support their clients' risk assessment activity from an off-site location. vsRCE allows clients to create and export risk assessment files that can be analysed on the consultants' own workstations or laptops, and then re-imported into the client's own software.

vsRCE allows an IT consultant to manage up to ten separate risk assessments, in up to ten different organisations, each of which must have purchased its own copy of vsRisk. By working in harmony with its sister application vsRisk, vsRCE is intended to reduce the time and effort it takes for companies to achieve ISO27001 compliance, transferring an important element of the work to the consultant and ensuring that the work of the project team can be monitored more closely.

In addition to supporting ISO/IEC27001, vsRCE supports ISO/IEC27002 (17799); complies with BS7799-3:2006; conforms to ISO/IEC TR 13335-3:1998 and NIST SP 800-30; and complies with the UK's Risk Assessment Standard.

Vigilant Software is a joint venture between IT Governance Limited, the one-stop-shop for books, tools and information on ISO27001 compliance, and Top Solutions (UK) Limited, an award-winning developer of risk management software tools.

Alan Calder, Chief Executive of IT Governance, commented, "vsRCE is the perfect complement to vsRisk and offers a major enhancement to vsRisk users. By employing a consultant who uses vsRCE, companies can simplify and speed the process of achieving ISO27001 compliance. For consultants, it offers a means of providing greater added value and is therefore a powerful competitive advantage."

Source: compliancehome.com

Saturday, January 19, 2008

Managing Risk in Information Technology

As information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.

There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization’s strategic deployment of information technology in order to achieve its corporate goals, the second relates to risks to those assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks associated with information assets themselves are managed.

Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.

ITIL has long provided an extensive collection of best practice IT management processes and guidance. In spite of an extensive range of practitioner-orientated certified qualifications, ITIL itself gives an organization no way to prove - to its management, let alone an external third party - that it has taken the risk-reduction step of implementing best practice.

More than that, ITIL is particularly weak where information security management is concerned - the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.

The emergence of the international Information Security Management (ISO 27001) and IT Service Management (ISO 20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate - to customers and potential customers - the quality and security of their IT services and information security processes achieve significant competitive advantages.

Information Security Risk

The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (formerly BS 7799-2) helps organizations make the step to systematically managing and controlling risk to their information assets.

IT Process Risk

IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes - and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000 as in ITIL, as the "service provider") exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of ITIL.

Regulatory and Compliance Risk

All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:

- Combined Code and Turnbull Guidance (UK)
- Basel II
- EU data protection and privacy regimes
- Sectoral regulation: FSA (1), MiFID (2), AML (3)
- Human Rights Act, Regulation of Investigatory Powers Act
- Computer misuse legislation

Those organizations with US operations may also be subject to US regulations such as Sarbanes-Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and the USA PATRIOT Act. Many organizations may also be subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6). Compliance depends as much on information security as on IT processes and services.

Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that many of these regulations - particularly those around personal privacy and data protection - are effectively co-ordinated. As a result, there are overlaps and conflicts between many of these regulations and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.

Management Systems

A management system is a formal, organized approach used by an organization to manage one or more components of its business, including quality, the environment, occupational health and safety, information security and IT service management. Most organizations - particularly younger, less mature ones - have some form of management system in place, even if they are not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).

Standards and Certifications

Formal standards provide a specification against which aspects of an organization's management system can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.

Integrated Management Systems

Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common to each of the standards in which they are interested - management review, corrective and preventive action, control of documents and records, and internal audits. There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, which enables organizations to benefit from lower-cost initial audits and fewer surveillance visits and which, most importantly, allows organizations to 'join up' their management systems.

The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third-party audit, while drawing simultaneously on the deeper best practice contained in ITIL. This is a huge step forward for the ITIL world.

Sources:

(1) Financial Services Authority
(2) Markets in Financial Instruments Directive
(3) Anti-money laundering regulations
(4) Gramm-Leach-Bliley Act
(5) Health Insurance Portability and Accountability Act
(6) Online Personal Privacy Act

About the Author

Alan Calder is an international authority on IT Governance and information security management. He led the world's first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, IT Governance: A Manager's Guide to Data Security and BS7799/ISO17799. The 3rd edition of this book is the basis for the UK Open University's postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 Management Systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco.

Wednesday, December 5, 2007

Thinking Through Your 2008 Security Budget

By Ed Moyle
E-Commerce Times

For some people, November is all about festivity: turkey, cranberry sauce and the start of the long ramp-up to the December holidays.

However, that's not always the case if you happen to be in IT security.

If you are, you know that November can be anything but festive -- unless your idea of "festive" includes end-of-the-year network freezes, the inevitable holiday malware, spam out the wazoo, and (worst of all) the 2008 budget. Yup, 'tis the season -- the season for guessing at what you might need in the future and (most likely) won't get.

Every year, we're asked to do the same thing: Request the funding that we need for the upcoming year to keep the organization "secure." Like programming a universal remote control, it's one of those things that sounds simple enough until you actually try to do it.

Aside from being impossible (there's no such thing as "secure" -- just "secure enough"), there's also the fact that we're being asked to foresee the unforeseeable. How much malware will there be next year? How many application vulnerabilities will we find in the new accounting system? How many patches will come out for the hundreds of software products we support? These are just a few of the myriad things impacting budgetary requirements which simply cannot be precisely determined ahead of time.

However, rather than give up and submit another year's budget dripping with irony, let's look to see if there aren't a few strategies that we can use to help us bring some sanity to an otherwise insane process.

Planning for the Unforeseeable

When it comes to planning for your security operations budget, there are two types of information security organizations: those that have usable metrics and those that don't. If you're in the first category, you probably have a historical record of past events -- and you probably have some idea of what each of those events costs.

For example, you might know the number of malware events that occurred over the past 12 months and (depending on how long you've been keeping track) you might have some idea about the relative rate of increase of those events year-over-year. The same is true of security incidents, forensic investigations, IDS (intrusion detection system) alerts, applications reviewed, etc.

Now, I don't mean to suggest that metrics are the complete solution to your budgetary woes, but the budgeting process is the one area where you're likely to see quite a bit of return on your metrics initiative. If you're measuring, you can come up with a reasonable (or at least logical) estimate of future activity based on historical trends. Add in a margin of error and it's not unreasonable to put together a ballpark figure for what those future events might cost. Heck, you can even create milestones of how much you expect to spend month-over-month and use unspent dollars to invest in making everything more efficient. Of course, times being what they are, you might not get everything you ask for, but at least you'll know the impact of that ahead of time.
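The projection the previous two paragraphs describe, written out as a small script: take per-category event counts for the past 24 months, fit a linear trend, extrapolate the next 12 months, pad the result with a margin of error, and turn it into month-by-month cost milestones. This is an added example and not code from the article; the categories, the monthly counts and the per-event handling costs are constructed sample data, and the 20 % margin is an assumed figure you would replace with your own.

```python
"""Project next year's security-operations workload and spend from historical
event counts. Added example, not from the original article; all figures are
constructed sample data."""

# Constructed sample history: events per month for the past 24 months, oldest
# first. In practice these come from your ticketing system, SIEM or AV console.
HISTORY = {
    "malware":   [40, 42, 38, 45, 47, 44, 50, 52, 49, 55, 58, 54,
                  60, 63, 59, 66, 70, 68, 74, 77, 73, 80, 84, 81],
    "forensics": [1, 0, 2, 1, 1, 2, 1, 2, 2, 1, 3, 2,
                  2, 3, 2, 3, 3, 2, 4, 3, 3, 4, 4, 3],
}

# Assumed average cost to handle one event of each type (staff time plus
# tooling), in USD. Constructed figures, not from the article.
UNIT_COST = {"malware": 150.0, "forensics": 4000.0}


def linear_fit(ys):
    """Least-squares slope and intercept of ys against month index 0..n-1."""
    n = len(ys)
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx if sxx else 0.0
    return slope, mean_y - slope * mean_x


def project(ys, months=12, margin=0.20):
    """Extrapolate the fitted trend for the next `months` months and pad each
    value by `margin` (default 20 %, an assumed margin of error). Counts are
    clamped at zero so a falling trend never yields a negative workload."""
    slope, intercept = linear_fit(ys)
    start = len(ys)
    raw = [max(0.0, intercept + slope * (start + i)) for i in range(months)]
    return [round(v * (1 + margin), 1) for v in raw]


def budget(history=HISTORY, unit_cost=UNIT_COST, months=12, margin=0.20):
    """Return projected counts per category, per-month cost milestones and
    the total, so unspent money in an early month is visible as it happens."""
    counts = {cat: project(ys, months, margin) for cat, ys in history.items()}
    monthly = [
        round(sum(counts[cat][m] * unit_cost[cat] for cat in counts), 2)
        for m in range(months)
    ]
    return {"counts": counts, "monthly_cost": monthly, "total": round(sum(monthly), 2)}


if __name__ == "__main__":
    plan = budget()
    for cat, vals in plan["counts"].items():
        print(f"{cat:10s} projected events over next 12 months: {sum(vals):.0f}")
    for m, cost in enumerate(plan["monthly_cost"], 1):
        print(f"month {m:2d}: ${cost:,.2f}")
    print(f"total operations estimate: ${plan['total']:,.2f}")
```

A straight-line fit is deliberately simple; the point is that the estimate is derived from recorded events rather than guessed, and the monthly milestones give you something to compare actual spend against during the year. If your history shows seasonality (the holiday malware spike the article mentions), fit per-month-of-year averages instead of a single trend line.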

If you don't have metrics yet but you think they might help you with your budget, the challenge is to get them in place so that you can use them. Since you probably won't get any reliable metrics in place in time to use them in planning for this year's budget (hats off to you if you decide to try), the goal is to get them there in time to use them next year.

Don't assume that obtaining this information is going to be "free" though -- it won't be. So plan for the expense and account for the spending in your 2008 spending (after all, now's the time). If your decision-making process isn't currently based on some kind of concrete information like realistic metrics, one of your strategic goals (maybe your No. 1 strategic goal) should be improving the data coming in and making use of it.

Investing in the Program

So, maybe you have a reasonable idea about what operations spending looks like for 2008 -- or if you don't, you at least have it as a goal to get to a point where you can estimate (more) accurately. How about overall spending? After all, keeping to the "status quo" -- estimating what it'll cost next year to do the same thing as last year -- shouldn't be your final goal. Even if you're getting more efficient over time, there are still more things that you could be doing. No, there's another piece to the puzzle: Where should you invest in 2008 to operate in a more repeatable, organized and "mature" way? That's where program maturity comes in.

Your information security "program," or -- depending on the terminology you choose -- your ISMS (information security management system) is something to be thinking about as well when putting together your 2008 budget. Your ISMS should be your overarching framework for managing information security within your organization -- it's your opportunity to think about how you'll move away from tactical decision-making ("putting out fires") and move toward a model based on analyzing and treating risk, keeping track of your security processes and how they perform, both in terms of efficiency as well as effectiveness.

In other words, think about having a structured, well thought-out program as your road map to a better life.

Assuming that you want to come up with a more structured way of doing things, how can you get there? First, start by analyzing what your program does and doesn't already account for -- a framework like ISO 27001 (the ISO/IEC requirements standard for an ISMS) helps you identify what your program should have in place and the areas you should be looking into for program management.

Need to do a gap analysis to see where your program falls short? Account for that in your budget.

Already have a gap analysis that tells you where you need to improve? Account for those areas in your budget.

Granted, you might not get everything on your request list, but if you can demonstrate why this is valuable and candidly discuss with your management how you'd like to improve, you're probably likely to get some funding for doing this. Especially if you believe (as I do) that a structured, repeatable and mature program saves money over the long term.

Source : http://www.ecommercetimes.com/story/Thinking-Through-Your-2008-Security-Budget-60445.html

Demand for ISO 27001 Grows

For the first time the survey collected information on ISO 27001, a standard for assessing information security management systems (ISMS).

The survey reports 5,800 certificates issued in 64 countries. Japan accounts for 65% of these certificates.

Australia ranked 9th with 59 ISMS certificates. New Zealand recorded just one certificate.

Wednesday, November 28, 2007

Implementing an Information Security Management System (ISMS) — LRQA Guidance

Type : White Paper
Length : 5 pages
Format : PDF
By : LRQA

Overview Implementing an Information Security Management System (ISMS) — LRQA Guidance

- Why is ISO/IEC 27001 good for you?
- Introduction to Implementing an ISMS
- The OECD (Organization for Economic Co-operation and Development) Guidelines
- Getting started
- Planning for success
- Understanding the standard
- Where next...?
- Management processes
- Define the scope
- ISMS policy
- Risk assessment and risk management
- Risk treatment
- Certification


Sunday, October 7, 2007

ISO 27001 Internal Audit Case Study

This is a case study of Dionach carrying out an ISO 27001 internal audit for a public organisation based in the Republic of Ireland. Some of the information has been changed or omitted to maintain confidentiality.

Background

The client is certified to the international standard ISO 27001. Part of the standard specifies that planned, objective and impartial internal ISMS audits should take place. The audits shall determine whether the ISMS:

  • Conforms to the standard
  • Conforms to the information security requirements specified
  • Is effective and well maintained
  • Performs as expected

The organisation felt that it could not resource the audit personnel from within the organisation, and so commissioned Dionach to carry out the internal audits.

Internal Audit

The organisation decided to split the auditing of the ISMS into several stages throughout the year. The scope of the initial audit was the following areas:

  • Risk Assessment
  • Information Handling
  • Physical Security and Incident Reporting

Prior to the audit, Dionach requested copies of the ISMS and other related documentation from the organisation. Dionach consultants spent a significant amount of time familiarising themselves with the organisation's documentation, and finding out more about the organisation in general. Dionach produced a detailed schedule of tasks and interviews over four days on site, providing two consultants to carry out the audit. The schedule was agreed with the organisation.

On site at the organisation, the consultants liaised with the organisation's ISMS Manager, starting with a tour of the site. The tour also gave a preview of the physical security of the site, and a chance to meet some of the staff.

The Dionach consultants followed the guidelines for auditing management systems in ISO 19011 during the course of the audit, applying its principles: ethical conduct, fair presentation, due professional care, independence, and an evidence-based approach.

After taking notes from documentation, observations and interviews, the consultants gave feedback at the end of every day to the organisation's ISMS Manager on any likely non-conformances or comments.

On the last day in the closing meeting, Dionach presented a draft report with non-conformances; each graded either as major, minor or just a comment. There were no major non-conformances within the scope of the audit, several minor non-conformances, and two comments. The minor non-conformances ranged from easily corrected ISMS documentation inconsistencies, to issues that would need to be discussed at length in the organisation's Information Security Forum.

In the closing meeting the organisation agreed to have a list of corrective actions for each of the non-conformances by a certain date.

Dionach provided the organisation with a final version of the audit report, and now looks forward to carrying out the next part of the internal audit process.

Source : www.dionach.com

Wednesday, October 3, 2007

Executive Briefing On ISO 17799:2005 & ISO 27001:2005

PDF file, 22 pages
Source : http://sqm-advisors.com
http://sqm-advisors.com/downloads/Executive_Briefing_on_ISO_27001_3_07.pdf

• What is Information Security?
• What is Information Security Management?
• Why is Information Security Management Needed?
• What is an Information Security Management System?
• How do ISO 17799 and ISO 27001 fit into the picture?
• ISO 17799 & ISO 27001 summarized
• What are the benefits of ISO 27001 certification?
• ISO 27001 certification scheme
• How does an organization achieve certification?
• Worldwide trends in ISO 27001 certification
• Market considerations
• Where to go from here?
• The bottom line
• More Information

The benefits of ISO 27001:2005

The reputation of ISO and the certification against the internationally recognized ISO 27001:2005 enhances any company’s credibility. It clearly demonstrates the validity of your information and a real commitment to upholding information security. The set up and certification of an ISMS can also transform your corporate culture both internally and externally, opening up new business opportunities with security conscious customers/clients, in addition to improving employee ethics and the notion of confidentiality throughout the workplace. What’s more, it allows you to enforce information security and reduce the possible risk of fraud, information loss and disclosure.

Source : www.itworks.lu

Tuesday, October 2, 2007

ISMS Implementation Guide

By Vinod Kumar Puthuseeri
Information Security Consultant

Objective
This paper can serve as a guideline for the implementation of ISMS practices using the BS7799 / ISO 27001 standards. It is intended to give an insight to, and help, those who are implementing an ISMS for the first time, and those who will be coordinating with external consultants on ISMS implementations in their organizations.

Scope
This document will cover the requirements from an audit point of view, methods and tips on implementing ISMS practices.

Standard
BS7799 / ISO 27001
BS7799 is a British Standard that addresses information security in all areas, including physical security. Its second part, BS 7799-2, adopted the management-system structure (including the Plan-Do-Check-Act cycle) familiar from ISO 9001 and was published internationally as ISO/IEC 27001:2005.

Annex A of ISO 27001:2005 groups its controls into 11 domains (the same 11 as ISO 17799:2005).


Table of Contents

Objective
Scope
Standard
- BS7799 / ISO 27001
- The CIA triad
- PDCA Model
- Benefits
Management
- Management Commitment
- Case Study
Implementation Process
- The team
- Define the Scope
- Risk Assessment
Asset Inventory
Asset Value
Risk Value
Business Impact Analysis (BIA)
Probability of Occurrence
Risk Assessment Tools
Why identify the risk value
- Risk Management
Deciding Assets for Risk Mitigation
Different Methods of Handling Risks
- Statement of Applicability (SOA)
Business Continuity Plan & Disaster Recovery (BCP & DR)
- Process
- Business Impact Analysis
Audit
- Pre-Assessment Audit (Adequacy Audit)
- Document Review
- On Floor Audit
- Internal Audit
Desktop Audit
User Awareness Audit
Technical Audit
Social Engineering
Physical Security
Post Audit Check
User Awareness
- Train the trainer approach
- Without train the trainer approach
- Training Materials
Reference
Declaration
Disclaimer
Copyright
Contact
GNU Free Documentation License

Link : http://www.infosecwriters.com/text_resources/pdf/ISMS_VKumar.pdf

Tuesday, September 25, 2007

How does the BS7799 / ISO 27001 certification audit process actually work?

Before the audit:
The greatest mistake that organizations make is not being properly prepared for an audit. Many organizations that want to undergo a certification audit fail at the first stage because they have not properly prepared for it.

Some examples I have encountered are below:
A classic case of this was the organization that desk dropped their approved information security policy on all staff desks on the weekend before our audit started on the Monday. Somehow the words ‘published and communicated, as appropriate, to all employees’ (A.3.1.1.) did not spring to mind.

Likewise failure to perform a risk assessment would not give the auditor a warm and comforting feeling of a risk assessment being carried out on the ‘assets within the scope’ (4.2.1).

Any organization that cannot demonstrate that the ISMS works by undertaking internal ISMS audits (6.4) will not be looked upon favourably for passing a certification audit.

Another major failure at the outset of the certification or implementation project is the failure to have demonstrable management commitment. This means something more than saying ‘yes –go do it’ by the CEO or MD. There needs to be management commitment to the process as well as ring fencing resources. (5.1 and 5.2).

What is a CB Audit
What Documents can I read to help me prepare for BS7799?
The CB Audit process

Source : http://17799-news.the-hamster.com/interviews/interview4-audit.htm

Tuesday, September 11, 2007

ISO 17799 It's a control, not a standard

By Patrick Lamphere
April 29, 2007
Computerworld

Im always interested when I learn that things arent the way I thought
they were. Mom put "Santa's" presents under the Christmas tree.
Columbus didnt discover America. Lee, Lifeson, and Peart arent equal to
the Father, Son, and Holy Spirit. And, most recently, ISO 17799:2005
shouldnt be used as a list of required controls for organizations to
deploy.

Dont get me wrong. For something written by committee, the
International Standards Organization and International Electrotechnical
Commission - Code of Practice for Information Security Management
Reference Number 17799:2005 (from here on out ISO 17799) isnt half bad.
As anyone familiar with it knows, its a fairly exhaustive list of
controls covering 11 major domains of information security (more on that
later), from policy to compliance.

Its not perfect. Aside from the Briticisms (it is their language, after
all), there are some areas where it doesnt give enough depth or detail,
others where it goes a little overboard, and some terminology that is
just plain odd ("Threat Vulnerability Management," anyone?). But these
relatively minor shortcomings are outweighed by the overall benefits for
those companies that turn to it for guidance.

If your company is adopting ISO 17799 as a "standard," however, you're missing the point. ISO 17799 is a list of controls -- nothing more, nothing less. Notice the ample use of the word "should" throughout the document. Nowhere are there any requirements that an organization do anything. No "shall" or "shall not," no "do" or "do not" -- ISO 17799 is a list of guidelines, not requirements.

This is a good thing.

ISO 17799 was originally British Standard 7799-1, and meant to be adopted along with the other parts of the 7799 series, namely 7799-2 (Information Security Management Systems) and 7799-3 (Guidelines for Information Security Risk Management). Further muddying the waters, BS 7799-2 was recently adopted as ISO 27001. BS 7799-1/ISO 17799 will eventually be renumbered as ISO 27002.

So what's the point? That's where ISO 27001 comes in. ISO 27001:2005 is a specification for an Information Security Management System (ISMS): these are things you must do to set up an ISMS. But what is an ISMS? The ISMS is the framework you need to have in place to define, implement and monitor the controls needed to protect the information in your company.

And here we get back to information security. ISOs 17799 and 27001 aren't just concerned with the data sitting on your company's collection of hard drives. They cover how your company protects its information in all its forms, from bits on disks to black marks on dead trees and piles of sentient meat.

This is also a good thing.

Getting started ISO 27001-style

There are 5 main clauses of the ISO 27001 standard (8 total, but 1-3 are
definitions and overview), plus an annex that maps directly to
17799/27002. Clause 4 is the meat of the standard. It outlines the
requirements for the ISMS.

First you establish the scope -- what is it going to cover? Your entire organization? A smaller portion (like a datacenter or subsidiary)? The scope is up to you, but needs to be reasonable -- if you're an online backup firm, for instance, excluding the servers used to perform those backups but leaving everything else in wouldn't make sense.

Once you've got scope defined, you create the policy to govern the ISMS. This includes the usual high-level policy stuff such as management support and alignment with the business, along with the interesting parts that make ISO 27001 unique and more useful than any of the other frameworks out there: contractual (PCI), business, legal and regulatory (e.g., SOX or HIPAA) requirements; and the risk management context, including risk assessment and acceptance criteria.

After you've got your scope and policy, it's time to get down to work figuring out what information assets you have, and doing a risk assessment of each of those assets. The assets can be as granular as is reasonable for your business, though it's easier to lump things together (for example, one asset type defined as employee personal information instead of separate categories for W-2, I-9, 1099, 401k, and so forth). Once the assets are figured out, you can then choose your favorite risk assessment methodology (OCTAVE, NIST 800-30, BS 7799-3, Tarot) to determine the risks that apply to your defined information assets.

Suggestions, not requirements

Now that you've determined your risks, it's time to pick controls. And here's the best part: while you do need to address the control areas outlined in Annex A, the controls you select don't have to be as stringent as what's outlined in ISO 17799/27002. The controls in ISO 17799/27002 are suggestions. It's up to you to pick the controls that provide an appropriate level of mitigation for your business. Granted, you still need to take into account the realities of your regulatory environment (no 4-character passwords and ROT13 encryption for PCI), but the controls beyond that, as long as they are reasonable for the defined levels of risk, are entirely up to your business.

A side note on risk -- as part of any risk assessment program, you should have guidelines for how risks are going to be handled -- mitigation (the application of controls), acknowledged and deferred (we know about that, we just can't afford to do anything about it right now, hold off until the next budget cycle), transferred (insurance), and acceptance (the level of risk that the business is able to live with).

The remainder of clauses 4-8 deal with the management acknowledgement and acceptance of any residual risk, ensuring that the ISMS is kept up to date through periodic management review, internal audit, and process improvement; and of course proper documentation (if it's not on paper, it doesn't exist).

And the benefits?

So once you've gone through this long (18-30 months) and admittedly difficult-at-times process, what's the benefit?

Controls that align with the business. No longer are your information security controls applied based on the whims of management and proclivities of your IT staff. Risk is managed as a whole -- no more chasing down the rat-hole of SOX only to finally crawl back out again, bruised, bloodied, and battered, to repeat the experience with HIPAA, then with SB 1386, then PCI, USA PATRIOT, FinCEN, OFAC, PIPEDA, ad infinitum.

Best of all? You can get your business certified to the fact that you have a functioning ISMS that incorporates the requirements of all the legal, contractual, and regulatory requirements that you have included in your scope. It's the closest thing out there to being certified compliant to HIPAA or SOX. And the cost of certification is surprisingly cheap -- $15K to $50K for three years, depending on the size and scope of your ISMS. And despite what the security community is more than willing to sell at the moment, you can't certify to ISO 17799/27002. The controls outlined in ISO 17799 are simply guidelines, not requirements.

This isn't to say that an organization can't decide to use those guidelines as the basis of their control framework, and then perform a gap analysis against those controls. It's just that by deploying ISO 17799/27002 and ignoring 27001, you're missing a fantastic opportunity to bring your Information Security and IT Departments to a level of maturity that is fully aligned with the realities your business faces.

-=-

Patrick Lamphere is a professional cynic, skeptic, and tubist who amuses
himself working as an information security consultant.

Article Source : http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9018158

Wednesday, September 5, 2007

E-Governance Information Security Standard

Draft document, Version 01, 12 Oct 2006

0. Introduction

0.1 General
This Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.
This Standard can be used in order to assess conformance by interested internal and external parties.

0.2 Process approach
This Standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS.
An organization must identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the following process.
The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a “process approach”.

View All Information : E-Governance Information Security Standard

Comparison of Controls ISO/IEC 27001:2005 to ISO/IEC 17799:2000

The new ISO 27001 standard (based on BS 7799-1 and ISO 17799:2000) has been released in the fourth quarter of 2005. To assist in comparing the new version of the standard to the previous version, a list of the controls is presented in http://www.cccure.org/Documents/ISO17799/ISO_%2027001_to_17799_mapping.pdf

Friday, August 31, 2007

Implementing an Information Security Management System in an Internal Web Development Environment (Ebook)

Implementing an Information Security Management System in an Internal Web Development Environment

GIAC ISO-17799 Certification (G7799)
Practical Assignment –Version 1.1
SANS 2004 (Orlando, FL)

Joseph McComb
October 28th, 2004

File Type : PDF
Page : 88 Page
Source : http://www.giac.org/certified_professionals/practicals/g7799/0019.php

Table of Contents

Abstract
I. The System Defined
    The Company
    The Origin of the Environment
    The Current Environment
    Current Web Applications and Sites in the Environment
    Current State of Security
    Scope of Information Security Management System (ISMS)
II. Planning the Implementation of the Information Security Management System (ISMS)
    Management Structure
    The Asset Inventory
    Policies
    Risk Identification and Analysis Process
    Plans for Risk Management
III. Implementation (the “Do” phase)
    Correcting the Problems Identified in the Risk Management Plan
    Statements Of Applicability
IV. Check – System Auditing
V. Continuous Improvement (“Act” Phase)
    Improving the System Through Lessons Learned from Incident Handling
    Improving the System through Auditing
Bibliography
Appendix A – Extended Asset Classification
Appendix B – Policies
    Policy – System and Application Access Control (section 9.1 of the ISO 17799 standard)
    Policy – Business Continuity Planning (section 11.1 of the ISO 17799 standard)
    Policy – Security Engineering in the Systems Development Life Cycle (section 10.1 of the ISO 17799 standard)
Appendix C – Fault Tree Analysis
Appendix D – Flagged System Events
Appendix E – High Level Plan for Risk Management
Appendix F – Extended Audit Checklist

Table of Figures

Figure 1. Overview of the Drug Development Stages
Figure 2. Diagram of the Web Server Environment
Figure 3. Overview of the Systems Development Life Cycle
Figure 4. Information Flow in the Data Center Environment
Figure 5. Information Flow in the Development Environment

Table of Tables

Table 1. Plan for Risk Management
Table 2. Documentation of System Problems
Table 3. Audit Checklist for User Access Management

Thursday, August 30, 2007

ISO 27001 CERTIFICATION CONSULTANCY

BS7799 / ISO 27001 CERTIFICATION CONSULTANCY

The British Standards Institute has suggested the Plan-Do-Check-Act (PDCA) methodology for implementation of the ISO 27001 standard. INFOAMN has developed a methodology for implementing ISO 27001 controls by breaking the PDCA cycle down into 5 distinct phases: Security Profiling, which identifies the gaps in security against the BS 7799/ISO 27001 standard; Security Prescription, which suggests the security measures; Security Treatment, where the security measures are implemented; and Security Vigil, where the implementation is monitored to ensure that the security measures are effective in mitigating the risks and securing the information assets. Successful completion of these phases leads to the final phase, Security Certification.

INFORMATION SECURITY GAP ANALYSIS

ISO 27001, the Code of Practice for Information Security Management, describes a management framework within which an organization can examine and improve its security health. ‘End-to-end’ security is required and the controls must reflect this. Under each domain there are defined objectives and related controls. Infoamn’s role is to determine the applicable controls based on the risk assessment and to formulate policies and procedures. ISO 27001 contains a comprehensive set of security controls to improve the level of security within any organization. Even if formal certification is not a strategic objective, efforts to comply with the principles of ISO 27001 bring many tangible benefits, such as reduced exposure to a wide range of threats, a more secure operational environment, assurance that security practice is in line with industry best practice, improved user security awareness and better prioritization of security needs. An information security gap analysis against the ISO 27001 standard helps organizations understand their current state of security and thereby decide on the future roadmap.

MANAGED SECURITY SERVICES

Outsourcing selected managed security services (MSS) by forming a partnership with an MSS provider is often a good way of transferring information security responsibilities and operations. Contracting an MSS provider allows the organization to share risk management and mitigation approaches. INFOAMN manages the information security issues so that the organization can concentrate on its core business.

APPLICATION SECURITY TESTING

Application Security Testing involves analyzing a custom application for vulnerabilities. This can be done either as a 'black box' test, i.e. without access to the source code, or as a 'white box' test, i.e. with access to the source code. An application security test ensures that any customized application in use is secure and does exactly what it is supposed to do.

TECHNICAL SECURITY AUDIT

The technical security audit modules broadly consist of auditing the perimeter devices, network devices, desktop PCs, Servers and the applications and databases. The overall network security architecture is also reviewed keeping in view the business requirements and goals, its connectivity with the trading partners, its connectivity to the Internet etc. Also adequate security solutions & technical controls are recommended to mitigate the risks.

VULNERABILITY ASSESSMENT & PENETRATION TESTING

Penetration testing and vulnerability assessment are two different and complementary proactive approaches to assessing the security posture of information systems and networks. Penetration testing assesses the security posture from an external attacker's perspective, whereas a vulnerability assessment tests the security posture of the information systems from the perspective of an internal attacker. A comprehensive methodology is recommended for fixing the identified vulnerabilities. INFOAMN has a proven track record of finding known and new threats.

CONTENT SECURITY SOLUTIONS

Leakage of critical data through email, and the loss of productive time and bandwidth, are major concerns for organizations. Spam email is increasing by the day. INFOAMN offers a MIMEsweeper content filtering and anti-spam solution that helps organizations protect critical data by enforcing security policies that also increase overall productivity.

WIRELESS SECURITY AUDIT

With the increased popularity of remote working in recent years, wireless networks have become more common. However, when many of these wireless networks were deployed, little was known about the security risks. A wireless LAN needs to be audited just like the internal network. Systems reachable through wireless devices are more vulnerable to attack if not monitored and properly secured.

ASSESSMENT OF NETWORK SECURITY ARCHITECTURE

Inherent weaknesses and design flaws in the network architecture that could lead to a compromise of the confidentiality, integrity or availability of the system are detected from a security perspective, and a mitigation strategy is suggested. The proposed network architecture is then designed and delivered. Network architecture is the backbone of any secure information systems network. INFOAMN follows a structured approach to network security design, often within the client's existing infrastructure or by recommending additional best-of-breed security components.

DESKTOP SECURITY AUDIT

Securing desktop workstations and laptops is a significant part of your network and information security strategy because of the sensitive information often stored on workstations and their connection to the networked world. Many security problems can be avoided if the workstations and network are appropriately configured. Default hardware and software configurations, however, are set by vendors who tend to emphasize features and functions more than security. Since vendors are not aware of your security needs, the workstations should be configured according to the security policy of the organization.

Source : www.infoamn.com

Infoamn Consulting is Iran's leading provider of services and solutions for information security, business continuity and risk management. We offer a complete, end-to-end portfolio encompassing consultancy, testing, implementation, training and managed services. Infoamn Consulting is the first Iranian company to have applied for BS 7799/ISO 27001 certification.

Tuesday, August 28, 2007

ISO 27001: ISMS Highlights

Clarifies and improves existing PDCA process requirements
ISMS scope (inc. details & justification for any exclusions)
Approach to risk assessment (to produce comparable & reproducible results)
Selection of controls (criteria for accepting risks)
Statement of Applicability (currently implemented)
Reviewing risks
Management commitment
ISMS internal audits
Results of effectiveness and measurements
(summarised statement on ‘measures of effectiveness’)
Update risk treatment plans, procedures and controls

Tuesday, August 21, 2007

Regulatory Compliance and ISO 27001

In this excerpt from Chapter 10 of The Case for ISO 27001, author Alan Calder explains how using ISO 27001 can help information security professionals deal with the challenges of complying with complex and overlapping regulatory requirements.

Today's regulatory environment is increasingly complex, the penalties for failure unattractive and the route to effective compliance not clear. ISO 27001 provides a best-practice solution to a range of regulatory issues faced by directors.

The Regulatory conundrum
Organizations have traditionally responded to regulatory compliance requirements on a law-by-law, or department-by-department basis. That was, last century, a perfectly adequate response. There were relatively few laws, compliance requirements were generally firmly established and well-understood, and the jurisdictions within which businesses operated were well-defined.

Over the last decade, all that has changed. Rapid globalisation, increasingly pervasive information technology, the evolving business risk and threat environment, and today's governance expectations have, between them, created a fast-growing and complex body of laws and regulations – such as Data Protection and privacy legislation (e.g. HIPAA, GLBA, DPA) and governance requirements (e.g. SOX and Turnbull) - that all impact the organization's IT systems. While global companies are in the forefront of finding effective compliance solutions, every organization, however small, and in whatever industry, is faced with the same broad range of regulatory requirements.

These regulatory requirements focus on the confidentiality, integrity and availability of electronically-held information, and primarily – but not exclusively – on personal data. Many of the new laws appear to overlap and, not only is there very little established legal guidance as to what constitutes compliance, new laws and regulatory requirements continue to emerge. Increasingly, these laws have a geographic reach that extends to organizations based and operating outside the apparent jurisdiction of the legislative or regulatory body that originated them.

Regulatory requirements in all these areas concentrate on preserving the confidentiality, integrity and availability of electronic data held by organizations operating within the sector. Regulations, which are technology-neutral, describe what must be done, but not how. Organizations are left to establish, for themselves, how to meet these requirements.

In most instances, there is not yet a body of tested case law and proven compliance methodologies to which organizations can turn in order to calibrate their efforts. There are no technology products which, of themselves, can render an organization compliant with any of the data security regulations, because all data security controls consist of a combination of technology, procedure and human behaviour. In other words, installing a firewall will not protect an organization if there are no procedures for correctly configuring and maintaining it, and if users habitually bypass it (through, for instance, Instant Messaging, Internet browsing or the deployment of rogue wireless access points).

In the face of new, blended, complex and evolving threats to their data, organizations have business and regulatory obligations to protect, maintain and make that data available when it is required. They have to do this in an uncertain compliance environment where the rewards for success don't grab headlines, but the penalties for failure do. Fines, reputation and brand damage and, in some circumstances, jail time for directors are outcomes that every business wants to avoid, and wants to avoid as systematically and cost-effectively as possible.

The adoption of an externally-validated, best-practice approach to information security – one that provides a single, coherent framework that enables simultaneous compliance with multiple regulatory requirements - is, therefore, a solution to which organizations are increasingly turning.

ISO 27001
ISO 27001 provides just such a solution. It focuses on the confidentiality, availability and integrity of data and its key precepts and requirements all occur in the regulatory requirements. Implementation of an ISO 27001 framework enables an organization to comply, at one step (and subject to specific documentation and working practices tailored for each individual regulation), with all the core requirements of information related regulation anywhere in the world.



From : searchsecurity.techtarget.com


Saturday, August 18, 2007

The Benefits of ISO 27001 Implementation

The benefits of standardization, and of implementation of one or more of the ISO 27000 series are wide and varied. Although they tend to differ from organization to organization, many are common.

The following is a list of potential benefits. As with many items on this website, this is an ongoing project. Please feel free to add further points via the comments option below.

Interoperability
This is a general benefit of standardization. The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.

Assurance
Management can be assured of the quality of a system, business unit, or other entity, if a recognized framework or approach is followed.

Due Diligence
Compliance with, or certification against, an international standard is often used by management to demonstrate due diligence.

Benchmarking
Organizations often use a standard as a measure of their status within their peer community. It can be used as a benchmark for current position and progress.

Awareness
Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.

Alignment
Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater IT and Business alignment often results.