Home :: Consulting :: Information Security & Risk Management

Information Security & Risk Management

ISO 27001 – Information Security Management System

ISO 27001:2005 is the international standard prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

Interested internal and external parties can use this ISO 27001:2005 international standard in order to assess conformance.

What the ISO 27001:2005 international standard professes:

• The adoption of ISMS is a strategic decision for an organization.
• The needs and objectives, security requirements, the processes employed, and the size and structure of the organization influence the design and implementation of an organization’s ISMS.
• With change over time, it is expected that an ISMS implementation should scale in accordance with organizational needs.
• The controls specified are to be implemented to meet the requirements identified by a risk assessment.

ISO 27002:2005 international standard is the Code of Practice for information security management, to establish guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. The objective is to provide general guidance on the commonly accepted goals of information security management.

Both these international standards viz., ISO 27001:2005 and ISO 27002:2005 have been derived from the British standard BS7799 at different points in time. The formal adoption of 27001 as the standard for assessing ISMS conformance by ISO came in December 2005.

ISO 27001:2005 is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operate with related management standards.

ISO 28001:2007 - Security management systems for the supply chain

ISO 28001:2007 provides requirements and guidance for organizations in international supply chains to

• develop and implement supply chain security processes;
• establish and document a minimum level of security within a supply chain(s) or segment of a supply chain;
• assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming national supply chain security programmes.

ISO 22301:2012 (BS 25999) – Business Continuity Management

ISO 22301:2012 is the new international business continuity standard replacing BS 25999-2 and set outs the requirements for a Business Continuity Management System. ISO 22301 is based on the Plan-Do-Check-Act model as found in other management system standards

Benefits of ISO22301

• The requirements in the standard can be applied in any type or size of organisation, no matter the location, making it widely applicable.
• By creating a BCMS aligned with ISO 22301 organisations can ensure that they are prepared should an disruptive incident occur, and more importantly, continue trading and return to business as usual as quickly as possible.
• An ISO 22301 BMCS protects an organisation’s turnover, profits and reputation by ensuring preparedness.

ISO 20000-1:2011 – IT Service Management

A primary focus of IT Service Management (ITSM) is the application of IT best practices (founded in ITIL) to enable IT to be a more effective service provider across the enterprise to satisfy the organization’s business requirements.

This involves a transformation of traditional Business-IT paradigm into one that is process-oriented, proactive, and enterprise wide. This ‘service provider’ paradigm encompasses IT best practices using the perspectives of people, process, technology, organization, and integration.

Within the ITSM service provider paradigm there are several focus areas such as business objectives, service level objectives, and technology infrastructure that with other areas play critical roles in the ITSM methods and best practices.

ISO 20000 IT Service Management System (ITSMS) provides an integrated framework for delivering and managing IT services to the customer. The integrated approach enables an organization to effectively and efficiently deliver managed IT services, which meet the business and customer requirements. ISO 20000 is aligned with and complementary to the process approach defined within IT Infrastructure Library (ITIL) from The Office of Government Commerce (OGC), U.K.

The primary objective of IT Service Management is to ensure that IT services are aligned business needs. This can be achieved through:

1. Providing high quality, reliable and cost effective services
2. Maintaining effective IT customer supplier relationships
3. Continuously improving the quality of IT services
4. Using the IT services effectively to meet current and changing business requirements

The ISO 20000 standard is applicable to organizations of all sizes, which are:

• Providers of ‘Managed IT Services’.
• Businesses that are outsourcing their IT services.
• Internal IT departments /businesses managing their own IT services.

ISO 20000-1:2011 certification provides a trust and confidence to customers and partners that your organization has processes and procedures in place to demonstrate compliance with IT Best Practices.

ITSM in an organization is a new layer of management capability used to manage complex business applications and improve relationships in business. This layer of management is situated above the networked systems.

The primary objective of ITSM is to ensure that the IT services are aligned to the business needs. This can be achieved by:

1. Providing high quality, reliable and cost effective services.
2. Maintaining effective IT customer-supplier relationship.
3. Continuously improving the quality of IT services.
4. Using the IT services effectively to meet the current and changing business requirements.

There are 5 elements in the ITIL (IT Infrastructure Library) structure:

1. Service Delivery
2. Service Support
3. Applications Management
4. Business Perspective
5. Infrastructure Management

Service Support and Service Delivery describe key processes IT organizations must have in place to provide quality IT services for its customers. While Service Support reviews a function and the operational processes, Service Delivery reviews the tactical processes.