[Infowarrior] - ISO 27001: A new standard for IT security

Richard Forno rforno at infowarrior.org
Thu Jul 27 08:22:48 EDT 2006


ISO 27001: A new standard for IT security
Thursday July 27, 2006 (11:01 AM GMT)
By: Mikael Vingaard

http://www.itmanagersjournal.com/article.pl?sid=06/07/26/1453251

Information security flaws can create havoc within your business operations.
The ISO 27001 standard for information security management systems can help
to locate existing security problems and prevent future threats before they
prove harmful to your organization.

ISO 27001 is the new international standard created by the International
Standards Organization for Information Security Management Systems. An ISMS
is a planned way of managing an organization's information so that it
remains secure, by using the right methodology of people, processes, and IT
systems. The best practices for an ISMS include a wide range of planning to
ensure business continuity, minimize business damage, and maximize ROI and
business opportunities. The standard sets out how the planning process
should go and specifies the components that must be identified: people,
processes, and practices are essential.

Officially known as ISO/IEC 27001:2005, this standard, published last October,
will replace the British BS7799-2 and the ISO 17799 standard; the latter
may, however, be renumbered ISO 27002, but ISO has not made a final
statement regarding the ISO 17799 renumbering yet.

Internationalization of these standards will create a demand for a
recognised ISMS certification. Clients in the future may ask whether your
organization has achieved ISO 27001 certification. Besides providing
"marketing" value, it helps IT managers create a framework based on a
"Plan-Do-Check-Act" approach.

If the Sarbanes-Oxley Act is relevant for your business, ISO 27001 could be
your best way to get a framework. If SOX is not yet relevant -- if you live
outside of the US, for instance -- you may be less interested in it.

Successful certification requires a methodical approach, careful
consideration of scope, and a thorough understanding of your organization's
information security needs. Achieving the ISO 27001 certification mitigates
the risk of human error by having sound procedures and regulations. The
certification process involves several visits from certified external
auditors, who review documents and processes. Any non-compliance must be
corrected before their next visit. The time the certification process takes
can differ greatly, as no two organizations are alike.

There are clear relationships between ISO 27001 and the Sarbanes-Oxley Act's
requirement to develop an information security management system that is
integrated, comprehensive, and incorporates widely recognized best
practices. ISO 27001 is a step toward effecting and demonstrating compliance
with the SOX legislation. Getting the ISO 27001 certification also tells
your clients that the requirements in SOX section 404 have been successfully
passed.

You can read the standard -- you may buy it online for $107 from Ansi.org,
or for £90 from British Standards Online, among other places.

If your organization is acting under the Sarbanes-Oxley Act or other
security legislation, take a look at the ISO 27001 standard. As an
international standard and framework for best practices, it is very good. Any
organization can benefit from its "Plan-Do-Check-Act" approach, even without
planning to get the certification.

Mikael Vingaard, CISSP, works at BSDConsult with the ISO standards and on
support and education for the Open/FreeBSD OS.
