Security Management Systems

Introduction

Security refers to the policies, procedures and technical measures used to prevent unauthorised access, alteration, theft and physical damage to information systems, whether by outside hackers or by employees.  Security can be promoted with a range of tools and techniques that safeguard computer hardware, software, communication networks and data.

In the early 1990s, representatives from major organisations such as Shell, BT, Nationwide, and Marks and Spencer, with both a concern for information security and experience in management, pooled their resources to define best practice.   This document was published as a Public Document (PD0003) by the British Standards Institution, but was later converted to BS 7799:1995 - A Code of Practice for Information Security Management.  The Standards committee then adapted the Code to become a better basis for certification by turning it into a specification for an information security management system; thus BS 7799 Part 2:1998 was published.  With the increased attention and pressure on security, these standards have now become international with the publication of ISO 27001 Information technology - Information security management systems - Requirements and ISO 27002 Information technology - Code of practice for information security management.

- Security Management Toolkit
- Security Management Implementation Support
- Security Management Training

Security Management Short Courses

Course                                 | On-site price | Per delegate price | Dates for 2011            | Duration
---------------------------------------|---------------|--------------------|---------------------------|---------
                                       | POA           | POA                | Various dates & locations | 1 Day
                                       | POA           | POA                | Various dates & locations | 2 Days
ISO 27001 Lead Auditor - LRQA (IRCA)   | POA           | POA                | Various dates & locations | 5 Days
                                       | POA           | POA                | Various dates & locations | 3 Days
                                       | POA           | POA                | Various dates & locations | 1 Day
                                       | POA           | -                  | In-Company only           | 2 Days
ISO 28000 Lead Auditor - LRQA          | POA           | -                  | In-Company only           | 5 Days

ISO 27001 (ISMS)

It was only a matter of time before an ISO security standard emerged for information technology.  ISO 27001 is the international Information Security Management System (ISMS) standard which is a comprehensive set of controls comprising best practices in information security.  It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce.

ISO 17799 was first published as a DTI Code of Practice in the UK.  It was rebadged as Version 1 of BS 7799 and published in February 1995.  It was not widely accepted, for reasons such as being neither simple enough nor flexible enough.  Version 2, a major revision, was published in May 1999.  Formal certification and accreditation schemes were launched in the same year, followed by publication of the ISO standard.

ISO 27001 is comprehensive in its coverage of security issues.  It contains a considerable number of control requirements, some of which are quite complex.  Compliance with ISO 27001 and certification can be a difficult and overwhelming task.  It should be taken one step at a time.  The best starting point is most likely to be an assessment of the current position, followed by the identification of changes which are needed for ISO 27001, and then comes planning and implementation.

For QM&T's special white paper comparing BS ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements with ISO 27002 Information security management systems - Specification with guidance for use, please contact us using the details below.

ISO 27001 (Requirements) and the associated ISO 27002 (Guide) cover ten major elements:

  1. Business Continuity Planning – to counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.

  2. System Access Control – to control access to information; to prevent unauthorised access to information systems; to ensure protection of networked services; to prevent unauthorised computer access; to detect unauthorised activities; to ensure information security when using mobile computing and tele-networking facilities.

  3. System Development and Maintenance – to ensure security is built into operational systems; to prevent loss or misuse of data; to protect the confidentiality, authenticity and integrity of information; to ensure projects are conducted in a secure manner; to maintain the security of system software and data.

  4. Physical and Environmental Security – to prevent unauthorised access, damage and interference to business premises and information; to prevent loss, damage or compromise of assets and interruption to business activities; to prevent compromise or theft of information and information processing facilities.

  5. Compliance – to avoid breaches of any criminal or civil law; to ensure compliance of systems with security policies and standards; to maximise the effectiveness of, and minimise interference from, the system audit process.

  6. Personnel Security – to reduce risks of human error, theft, fraud or misuse of facilities; to ensure that users are aware of information security threats and concerns; to minimise the damage from security incidents and faults.

  7. Security Organisation – to manage information security within the organisation; to maintain the security of information processing and of information accessed by third parties.

  8. Computer & Network Management – to ensure correct and secure processing of information; to minimise the risk of systems failures; to protect the integrity of software and information; to ensure the safeguarding of information in networks; to prevent damage to assets and interruptions to business activities; to prevent loss, modification or misuse of information exchanged between organisations.

  9. Asset Classification and Control – to maintain appropriate protection of assets and to ensure information assets receive an appropriate level of protection.

  10. Security Policy – to provide management direction and support for information security.

Security Management Systems Toolkit CD-ROM

Meeting the exacting requirements of ISO 27001 is a business objective for many organisations.  However, achieving compliance, or developing and implementing the required policies and procedures for your organisation, can seem a huge task.  This is where the ISO 27001 Toolkit can help.  The toolkit contains all the information, programmes, plans, presentations and software needed to meet the requirements of this standard.  This toolkit has proved successful even when subjected to the full rigours of an ISO 27001 certification audit by a world-renowned certification body.   The ISO 27001 Toolkit was created with the invaluable assistance of a professional ISO 27001 and IRCA-recognised Lead Assessor.

It contains:

- Electronic versions of the ISO 27001 standard
- A full set of ISO 27001 compliant information security policies
- A management presentation on ISO 27001 in PowerPoint format
- A disaster recovery planning kit (re: ISO 27001 section 11)
- A road map (programme and project plan) for certification
- An audit kit (checklists, etc.) for a modern network system (section 12)
- A comprehensive glossary of information security and computer terms
- A business impact analysis questionnaire
- Risk Analysis software
- Software for the security management system records, audit and documentation

All these important elements are provided in electronic form, allowing the option of instant access via download. 

Security Management Systems Support

Our experienced and knowledgeable staff have frequently been asked to provide security management system support, not only for organisations wishing to meet the requirements of ISO 27001 but also for those wishing to review, evaluate and improve their security arrangements.

For further information about implementing an Information Security Management System to meet the requirements of ISO 27001, please use the contact details below.

Security Management Training

Note: Our lecturers are experienced practitioners in their respective subjects, so if further information or support is required (e.g. with implementation), please contact help@qmt.co.uk


For further information

If you would like to know more about Security Management Systems please contact Sales at:

Telephone: +44 (0)1483 453511
Fax: +44 (0)1483 453512

Postal address:

Quality Management & Training Limited, PO Box 172, Guildford, Surrey, GU2 7FN, United Kingdom

Electronic mail:

Technical Support: help@qmt.co.uk
General Information: sales@qmt.co.uk

Customer Support:  tutor@qmt.co.uk
