"that part of the overall management system based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security"
and 'information security' is defined as: "preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved"
Back to Top»»
ISO Technical Committee 1 (Information Technology) Sub-Committee 27 (IT Security Techniques) is responsible for the drafting and publication of the ISO/IEC 27000 family of standards. The abbreviated reference of this group is ISO TC1 SC27, or frequently just 'SC27'. ISO is responsible for publishing these standards.
SC27 is a formal standardization body supported by Technical Advisory Groups (TAGs) from ISO member countries (these are usually just referred to as 'National Bodies - NBs'). The US national body is the Inter-National Committee for Information Technology Standards (INCITS) Technical Committee for Cyber Security,
. the Zygma partnership is a voting member of CS1 - Richard Wilsher is Zygma's principal representative.
CS1 reviews and votes on draft texts and resolutions, proposals for new work items etc. and submits its ballot results and review feedback into the appropriate SC27 forum.
To date ISO has published the following standards in the '27000' series:
ISO/IEC 27001:2005 "Information security management systems - Requirements";
ISO/IEC 27002(17799):2005 "Code of practice for information security management";
ISO/IEC 27006:2007 "Requirements for the accreditation of bodies
providing certification of information security management systems".
Back to Top»»
Business benefits of an ISMS
Some people and organizations have a negative view of information security - they consider it to be a "grudge purchase". The reality is that, intelligently applied, information security is a business enabler.
Through careful consideration of the value that various forms of information have to a business, by considering the risks to that information, the degree of reliance which the business has on it and the resources which enable the business to access and apply that information, in considering the controls required to mitigate the perceived risks and in understanding the consequences upon the business of those risks becoming manifest, a business and its management can gain control of their information security. How they manage their information security and the measures they implement should reflect the value and sensitivity of both the information and the information processing resources they have and need.
An ISMS is intended to provide the framework for the achievement of all that. It can help your business to:
S establish and apply information security policies consistently and in a fashion which is relevant to the business goals and related risks;
S ensure that controls in place are sufficient to mitigate risk to an acceptable level, and that the controls applied do so cost-effectively;
S enhance management oversight with greater involvement and visibility of risk controls;
S enhance the business' overall information security;
S provide evidence of due diligence in the approach to regulatory (or other forms of) compliance and conformity;
S convey greater assurance to stake-holders (management, investors, clients, ...);
S reduce costs such as insurance premiums, reduced audit requirements (e.g. from clients seeking assurances);
S limit exposure and therefore liability;
S gain competitive advantage;
S provide a forum for continual review and improvement of the processes involved.
Back to Top»»
Internal Control Systems
ISO/IEC 27001 is a specification for building, operating, maintaining and improving an ISMS. However, the security (or assurance) of its information resources is not management's only concern. They will have other interests and responsibilities which relate directly to the nature of the business they are in. Therefore, an ISMS is just part of an organization's internal control system. Management establishes an internal control system to marshal the organization's resources so as to best achieve their business objectives and manage the associated risks. An ISMS can be regarded as that part of the internal management system (IMS) where information security/assurance is a concern.
Furthermore, the management principles which an ISMS relies upon can be applied to other aspects of the business, and the set of controls may also be extended to encompass other aspects of the IMS (although a certification would cover only the specific scope of ISO/IEC 27001 - nevertheless, the fact that the framework of the ISMS was certified would add confidence in its broader application).
The term information assurance is gradually taking over from the term information security, to emphasize the inclusion of integrity (i.e. the characteristic that information must be not be changed without authorization and be sufficiently right for the purpose for which it is used at the time it is used).
Back to Top»»
The controls which are described in ISO/IEC 27002 are generic in the sense that they are not slanted towards any particular
industry sector. Nonetheless they are very extensive and cover all of the areas to which a business should give general
consideration. Some businesses will of course be subject to particular constraints or requirements, often imposed by external
regulation, e.g. in the medical, health, financial, pharmaceutical sectors; equally a business may itself establish some very
specific requirements. In such cases there may be a need to add further controls to those set out in 27002 and further,
included within the Statement of Applicability in ISO/IEC 27001: indeed, both standards actively encourage the inclusion
of additional controls where these are felt to be necessary.
In recognizing this circumstance, Zygma has developed a model for building into an ISMS the ability to map its controls
(or a sub-set of them) into other standards and regulations. This is described in one of our
, as is an in-depth mapping of the Health Insurance Portability and Accountability Act (HIPAA) security standards against the requirements of 27001.
Back to Top»»
Fast-track the development of your ISMS: take a look at our hyper-linked development tool,
the , which is a fully-ISO/IEC 27001:2005 conformant support presenting a substantive body of proforma text for you to customize to suit your own ISMS. In addition to the provision of baseline policies, asset list, risk treatment plans and a Statement of Applicability that is already partially complete, all the elements of the tool are hyper-linked internally, and where necessary to external documents, such that in development, use and when showing an auditor how you have configured and are operating your ISMS, everything is just a click away. This tool provides full support for the standard, including all the documentation and management review/records required by 27001.
Using it can fast-track your ISMS development and your audits, quickly giving an external auditor the clear message that you've got yopur business' information security under control.
Some tools offer you help with '17799 (i.e. 27002, as here termed) conformance' - don't be misled; conformance against 27002 (or 17799) means nothing! 27002 is an informative code of practice - the conformity of your ISMS can only be assessed against ISO/IEC 27001:2005, which is the normative ISMS management standard which includes requirements for process and procedures, and not all tools give you that support. Other tools give you lists and flat text, not a working document infrastructure. Zygma's is a real proto-ISMS.
Back to Top»»