Security Management Systems

Introduction

Security refers to the policies, procedures and technical measures used to prevent unauthorised access, alteration, theft and physical damage to information systems by outside hackers as well as employees. Security can be promoted with a range of tools and techniques to safeguard computer hardware, software, communication networks and data.

In the early 1990s, representatives from some major organisations such as Shell, BT, Nationwide, and Marks and Spencer, with both a concern for information security and experience in management, put their resources together to define best practice. This document was published as a Public Document, PD0003, by the British Standards Institution, but was later converted to BS 7799:1995 - A Code of Practice for Information Security Management. The Standards committee then adapted the Code to become a better basis for certification by turning it into a specification for an information security management system. Thus BS 7799 Part 2:1998 was published. With the increased attention and pressure on security, these standards have now become international with the publication of ISO 27001:2005 Information technology - Information security management systems - Requirements and ISO 27001 Information technology - Code of practice for information security management.

  - Security Management Implementation Support
  - Security Management Training
  - ISO 27001 Foundation
  - ISO 27001 Audit
  - ISO 27001 Lead Assessor (Registered)

ISO 27001 (ISMS)

It was only a matter of time before an ISO security standard emerged for information technology.  ISO 27001 is the international Information Security Management System (ISMS) standard which is a comprehensive set of controls comprising best practices in information security.  It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce.

ISO 17799 was first published as a DTI Code of Practice in the UK. It was rebadged and published as Version 1 of BS 7799 in February 1995. It was not widely accepted, for various reasons such as its approach being neither simple nor flexible enough. Version 2, a major revision, was published in May 1999. Formal certification and accreditation schemes were also launched in the same year, followed by the publication of the ISO standard.

ISO 27001 is comprehensive in its coverage of security issues. It contains a considerable number of control requirements, some of which are quite complex. Compliance with ISO 27001 and certification can be a difficult and overwhelming task, and it should be taken one step at a time. The best starting point is most likely an assessment of the current position, followed by the identification of the changes needed for ISO 27001, and then planning and implementation.

For QM&T's special white paper comparing BS ISO/IEC 27001:2005 (BS 7799-2:2005) Information technology - Security techniques - Information security management systems - Requirements with BS 7799-2:2002 Information security management systems - Specification with guidance for use, please contact QM&T (details below).

ISO 27001 (Requirements) and the associated ISO 17799 (Guide) cover ten major elements:

  1. Business Continuity Planning – to counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
  2. System Access Control – to control access to information; to prevent unauthorised access to information systems; to ensure protection of networked services; to prevent unauthorised computer access; to detect unauthorised activities; to ensure information security when using mobile computing and tele-networking facilities.
  3. System Development and Maintenance – to ensure security is built into operational systems; to prevent loss or misuse of data; to protect the confidentiality, authenticity and integrity of information; to ensure projects are conducted in a secure manner; to maintain the security of system software and data.
  4. Physical and Environmental Security – to prevent unauthorised access, damage and interference to business premises and information; to prevent loss, damage or compromise of assets and interruption to business activities; to prevent compromise or theft of information and information processing facilities.
  5. Compliance – to avoid breaches of any criminal or civil law; to ensure compliance of systems with security policies and standards; to maximise the effectiveness of, and minimise interference from, the system audit process.
  6. Personnel Security – to reduce risks of human error, theft, fraud or misuse of facilities; to ensure that users are aware of information security threats and concerns; to minimise the damage from security incidents and faults.
  7. Security Organisation – to manage information security within the organisation; to maintain the security of information processing and information accessed by third parties.
  8. Computer & Network Management – to ensure correct and secure processing of information; to minimise the risk of systems failures; to protect the integrity of software and information; to ensure the safeguarding of information in networks; to prevent damage to assets and interruptions to business activities; to prevent loss, modification or misuse of information exchanged between organisations.
  9. Asset Classification and Control – to maintain appropriate protection of assets and to ensure information assets receive an appropriate level of protection.
  10. Security Policy – to provide management direction and support for information security.

Security Management Systems Support

Our experienced and knowledgeable staff have frequently been requested to provide security management system support not only for organisations wishing to meet the requirements of ISO 27001, but also those wishing to review, evaluate and improve their security arrangements.

For further information about implementing an Information Security Management System to meet the requirements of ISO 27001, please contact QM&T (contact details below).

Security Management Training

Note: our lecturers are experienced practitioners in their respective subjects, so if further information or support is required (e.g. implementation) then please contact QM&T at help@qmt.co.uk.

Security Management Short Courses

ISO 27001 (BS 7799) Foundation
ISO 27001 (BS 7799) Audit
ISO 27001 Lead Assessor (Registered)

For further information

If you would like to know more about Security Management Systems please contact QM&T at:

Tel: +44 (0)1483 453511
Fax: +44 (0)1483 453512

Address:

Quality Management & Training Ltd., PO Box 172, Guildford, Surrey, GU2 7FN, United Kingdom

E-mail: help@qmt.co.uk


Links

  - Quality Management & Training Limited: http://www.qmt.co.uk/ Everything you wanted to know about Quality Management, Books, Distance Learning, Training courses, Software...
  - Customer Satisfaction: http://www.customer-satisfaction.co.uk Our new Customer Satisfaction website, which may help you consider what options you have when evaluating what your customers think of your organisation and its products and services. How loyal are your customers? ...
  - Poka-Yoke: http://www.poka-yoke.org.uk Everything you wanted to know about Poka-Yoke and Fool or Mistake Proofing...
  - Quality: http://www.quality-uk.com/ Quality always appears to be a moving target, changing in terms of direction and standard, but after all this time of "getting it right" ...
  - Quality Books: http://www.quality-books.org.uk/ Quality Management & Training (publications) Limited offers a large selection of books, distance learning packages, videos, posters and software that cover all aspects of quality, environment, health & safety and security...
  - Quality Training: http://www.quality-training.org.uk A comprehensive range of Quality Assurance & Management Training courses (at the QM&T training centre, online, distance learning, in-company...)
  - Root Cause Analysis: http://www.root-cause-analysis.co.uk Root cause analysis is a relatively new methodology that is continually evolving. Like most Quality Improvement approaches it is not magic; "there is no silver bullet"...
  - Security Management: http://www.security-management-systems.co.uk/ Security refers to the policies, procedures and technical measures used to prevent unauthorised access, alteration, theft and physical damage to information systems by outside hackers as well as employees...
  - Six Sigma: http://www.6sigma-training.co.uk or http://www.sigma-6.co.uk Six Sigma is a business strategy as well as a quality improvement technique. It began in the 1980s at ...
  - Process Mapping: http://www.process-mapping.co.uk Process Mapping and Process Flow Charting are techniques that can be employed not only to provide a visual representation of a procedure but also to identify significant savings in the way in which the process is organised and performed. This is particularly so when aligned with Process Cost Modelling...
  - Value Stream Mapping: http://www.value-stream-mapping.co.uk/ Value Stream Mapping is used to analyse the flow of materials and information currently required to bring a product or service to a customer. The technique originated in Toyota, where it is known as "Material and Information Flow Mapping"...
  - Failure Mode Effects Analysis: http://www.fmea-training.co.uk/ Failure Mode Effects Analysis (FMEA) or, to give it its correct title, Failure Mode Effects & Criticality Analysis (FMECA) is a logical technique used to identify and eliminate possible causes of failure.
  - IQA Diploma: http://www.iqa-diploma.co.uk QM&T is an Institute of Quality Assurance (IQA) registered Education Centre. This, together with our team having over fifty years' experience of working with the IQA, means that you can buy with confidence. Our IQA experience includes not only setting, marking and assessing IQA examination papers but also writing the standard text books for the courses and articles on Quality Assurance, and attending various IQA meetings and committees.
  - Health & Safety: http://www.health-safety-online.co.uk QM&T has for over 20 years been successfully delivering training support and is pleased to announce the following products to support your Health & Safety initiative.
  - Quality Awareness: http://www.quality-awareness.co.uk Not getting the quality message across? New starters and even existing employees seem unaware of the quality management system or the importance of quality?


Updated: November 2009