Security refers to the policies, procedures and technical measures used to prevent unauthorised access, alteration, theft and physical damage to information systems by outside hackers as well as employees. Security can be promoted with a range of tools and techniques to safeguard the computers hardware, software, communication networks and data.
In the early 1990’s, representatives from some major organisations such as Shell, BT, Nationwide, and Marks and Spencer with both concern for information security and experience in management, put their resources together to define best practice. This document was published as a Public Document - PD0003 by the British Standards Institution, but was later converted to BS 7799:1995 - A Code of Practice for Information Security Management. The Standards committee then adapted the Code to become a better basis for certification by turning it into a specification for an information security management system. Thus BS 7799 Part 2:1998 was published. With the increase attention and pressure on security these standard have now become international with the publication of ISO 27001 Information technology - Information security management systems - Requirements and ISO 27001 Information technology - Code of practice for information security management.
Security Management
|
Dates for 2011 |
Duration |
||
POA
|
POA |
Various dates & locations |
1 Day |
|
ISO 27001 Internal Auditor
-LRQA (IRCA)
|
POA
|
POA |
Various dates & locations |
2 Days |
ISO 27001 Lead Auditor - LRQA (IRCA) |
POA
|
POA |
Various dates & locations |
5 Days |
ISO 27001 Lead Auditor Conversion
- LRQA (IRCA)
|
POA
|
POA |
Various dates & locations |
3 Days |
POA
|
POA |
Various dates & locations |
1 Day |
|
ISO 28000 Internal Auditor
- LRQA
|
POA
|
- |
In-Company only |
2 Days |
ISO 28000 Lead Auditor - LRQA |
POA |
- |
In-Company only |
5 Days |
It was only a matter of time before an ISO security standard emerged for information technology. ISO 27001 is the international Information Security Management System (ISMS) standard which is a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce.
ISO 17799 was first published as a DTI Code of Practice in the UK. It was rebadged and published as Version 1 of BS 7799, published in February 1995. It was not widely accepted for various reasons, such as not having a simplistic approach or being flexible enough. Version 2 was published in May 1999 which was a major revision. Formal certification and accreditation schemes were also launched in the same year, followed by the ISO standard being published.
ISO 27001 is comprehensive in its coverage of security issues. It contains a considerable number of control requirements, some of which are quite complex. Compliance with ISO 27001 and certification can be a difficult and overwhelming task. It should be taken one step at a time. The best starting point is most likely to be an assessment of the current position, followed by the identification of changes which are needed for ISO 27001, and then comes planning and implementation.
For QM&T's special white paper comparing BS ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements With ISO 27002 Information security management systems - Specification with guidance for use please contact - details below.
ISO 27001 (Requirements) and the associated ISO 27002 (Guide) is covers ten major elements:
Business Continuity Planning – to counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
System Access Control – to control access to information; to prevent unauthorised access to information systems; to ensure protection of networked services; to prevent unauthorized computer access; to detect unauthorised activities; to ensure information security when using mobile computing and tele-networking facilities
System Development and Maintenance – to ensure security is built into operational systems; to prevent loss or misuse of data; to protect the confidentiality, authenticity and integrity of information; to ensure projects are conducted in a secure manner; to maintain the security system software and data.
Physical and Environmental Security – to prevent unauthorised access, damage and interference to business premises and information; to prevent loss, damage or compromise of assets and interruption to business activities; to prevent compromise or theft of information and information processing facilities.
Compliance – to avoid breaches of any criminal or civil law; to ensure compliance of systems with security policies and standards; to maximize the effectiveness and minimize interference from the system audit process.
Personnel Security – to reduce risks of human error, theft, fraud or misuse of facilities; to ensure that users are aware of information security threats and concerns; to minimise the damage from security incidents and faults.
Security Organisation – to manage information security within the organisation; to maintain the security of information processing and information accessed by third parties.
Computer & Network Management – to ensure correct and secure processing of information; to minimise risk of systems failures; to protect the integrity of software and information; to ensure the safeguarding of information in networks; to prevent damage to assets and interruptions to business activities; to prevent loss, modification or misuse of information exchanged between organizations.
Asset Classification and Control – to maintain appropriate protection of assets and to ensure information assets receive an appropriate level of protection.
Security Policy – to provide management direction and support for information security.
Meeting the exacting requirements ISO27001 is a business objective for many organisations. However, achieving compliance or developing and implementing the required policies and procedures for your organization can seem a huge task. This is where the ISO27001 Toolkit can help. The toolkit contains all the information, programmes, plans, presentations and software needs to meet the requirements of this standard. This tools kit has proved to be successfully, even when subjected to the full rigors of an ISO 27001 certification audit by a world renowned certification body. The ISO 27001 Toolkit was created with the invaluable assistance of a professional ISO27001 and IRCA recognised Lead Assessor.
It contains
Electronic versions of the ISO27001 standard | |
A full set of ISO27001 compliant information security policies | |
A management presentation on ISO 27001 in PowerPoint format | |
A disaster recovery planning kit (re: ISO27001 section 11) | |
A road map (programme and project plan) for certification | |
An audit kit (checklists, etc) for a modern network system (section 12) | |
A comprehensive glossary of information security and computer terms | |
A business impact analysis questionnaire | |
Risk Analysis software | |
Software for the security management system records, audit and documentation |
All these important elements are provided in electronic form, allowing the option of instant access via download.
Our experienced and knowledgeable staff have frequently been requested provide security management system support not only for organisations wishing to meet the requirements of ISO 27001but also those wishing to review, evaluate and improve their security arrangements.
For further information about implementing Information Security Management System to meet the requirements of ISO 27001 please - contact details below.
If you would like to know more about Security Management Systems please contact Sales at:
Telephone: | + 44 -0 1483 453511 |
Fax: | + 44 -0 1483 453512 |
Postal address: |
Quality Management & Training Limited PO Box 172, Guildford, Surrey, GU2 7FN United Kingdom |
Electronic mail |
Technical Support:
help@qmt.co.uk Customer Support: tutor@qmt.co.uk |