A walk through of the requirements of ISO 27001 and ISO 27002

Index

What are the standards and how do they fit together

Why ISO 27001?

Impact of IT failure

Sources of risk

Minimising the impact of an incident

ISO 27001 requirements

ISO 27002

The approval process

Our approach

Quality Improvement Services Ltd

What are the standards and how do they fit together

o   ISO 27001:2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements, issued at the end of 2005, replaced BS 7799-2. This is the standard against which companies gain approval, similar to ISO 9001 for quality.

o   ISO 27002 Information Technology - Security Techniques - Code of Practice for Information Security Management is a comprehensive code of practice, and not all of its subjects will be appropriate to every company. As part of the requirements of ISO 27001 you must produce a Statement of Applicability covering the 133 controls listed in ISO 27001 Annex A.

o   BS 25999-1:2006 Business Continuity Management is another standard to which you can gain approval independently of ISO 27001. When first issued it was the fastest-selling British Standard ever. The standard places less emphasis on IT security and requires that the company look at how it would maintain its service after any type of disaster affecting the business.

Why ISO 27001/BS25999?

Customer Confidence - Evidence from an independent organisation that we have good IT security systems. Customers may supply or provide access to confidential data (e.g. NHS) or allow access to data that must remain secure (e.g. banking, web sites).

Market Perception - Often a tick in a box in bids or tenders, but a stumbling block if the tick is not there.

Legislation - A controlled method of ensuring compliance with legislation.

Protects Valuable Assets - The risk of information theft, loss or corruption is minimised.

An Opportunity to Continually Review - ISO 27002 is a checklist of good management practices, and the introduction of the requirements provides a chance to look at our strengths and weaknesses.

A Forum for Improvement - The standard is concerned with measurement and improvement and creates a structure that helps us to look at how we can improve.

Raising the Priority - The prime business that earns revenue is always the number one priority and anything else comes second. Seeking ISO 27001 approval raises the priority of some of the other issues that would normally never make the top of the list.

Attention to Detail - It is easy in haste to move things forward and overlook details such as keeping records up to date; the internal and external audits act as a check and reminder to do this.

Sources of Risk

We tend to think of computers and viruses when we think of IT risks, but paper records of contracts may be equally important. As we look at the sources of risk we realise that we are not just talking about having a firewall or backing up data: the physical security of the building, theft of laptops from cars and staff giving out confidential information are all things we need to consider. We need to assess the risk of each type of incident, determine the impact on the organisation and decide the appropriate action to be taken. One of the greatest risks is the introduction of new technology, and there have been some very costly failures of new IT systems.

Sources of risk shown in the diagram: people, technology, fire, theft, environment and other sources.

Minimising the impact of an incident

The key to the whole process is the assessment of risks: it provides a means of evaluating the action you should take and also the justification for not taking action on some occasions. The standard does not require you to have the best IT systems available on the market, just systems appropriate to your business and needs. This can be turned into a complex and costly exercise, both in time and in the purchase of unnecessary systems. Be warned: there are simple solutions.

ISO 27001 requirements

FIVE MAIN SECTIONS

Section 4 Information Security Management System

Section 5 Management Responsibilities

Section 6 Internal ISMS Audits

Section 7 Management Review of the ISMS

Section 8 ISMS Improvement

ISO 27001 Section 4 Information Security Management System

Scope and Policy

Risk Assessment, Treatment and Management

Statement of Applicability (ISO 17799)

Monitoring, Reviewing and Improvement

Documentation Requirements

ISO 27001 Section 5 Management Responsibilities

Management Commitment

Resource Management

Training, Awareness and Competence

Section 6 Internal ISMS Audits and Section 7 Management Review of the ISMS

Internal ISMS Audits

Management Review Process

Results of Internal Audits

Feedback from Interested Parties

Processes and Procedures

Preventative and Corrective Action

Vulnerability or Threats

Follow-up Action

Changes Affecting ISMS

Recommendations for Improvement

ISO 27001 Section 8 ISMS Improvement

Continual Improvement

Corrective Action

Preventative Action

ISO 27002

TWELVE MAIN SECTIONS

Risk Assessment and Treatment

Security Policy

Organisation of Information Security

Asset Management

Human Resources Security

Physical and Environmental Security

Communications and Operational Management

Access Control

Information System Acquisition, Development and Maintenance

Information Security Incident Management

Business Continuity Management

Compliance

ISO 27002 Critical Success Factors

o   Information security policy, objectives and activities that reflect business objectives

o   An approach and framework to implementing, maintaining, monitoring and improving information security that is consistent with the organisational culture

o   Visible support and commitment from all levels of management

o   A good understanding of the information security requirements, risk assessments and risk management

o   Effective marketing of information security to all managers, employees and other parties to achieve awareness

o   Distribution of guidance information, security policy and standards to all managers, employees and other parties

o   Provision to fund information security management activities

o   Providing appropriate awareness, training and education

o   Establishing an effective information security incident management process

o   Implementation of a measurement system that is used to evaluate performance in information security management and to feed back suggestions for improvement

The Approval Process

Our Approach

QIS’s software tools to simplify control

Gap analysis - Review ISO 27002 requirements against current practices, identify gaps and complete a draft Statement of Applicability (SoA)

Consolidate Current Practices

Assess - Risk v Assets

Introduce Improvement

Obtain Approval
