Security
refers to the policies, procedures and technical measures used to prevent unauthorised access, alteration, theft and physical damage to information systems by outside hackers as well as employees. Security can be promoted with a range of tools and techniques to safeguard computer hardware, software, communication networks and data.
In the early 1990s, representatives from major organisations such as Shell, BT, Nationwide, and Marks and Spencer, with both a concern for information security and experience in management, pooled their resources to define best practice. This document was published as a Public Document (PD0003) by the British Standards Institution, but was later converted to BS 7799:1995 - A Code of Practice for Information Security Management. The standards committee then adapted the Code to become a better basis for certification by turning it into a specification for an information security management system; thus BS 7799 Part 2:1998 was published. With increased attention and pressure on security, these standards have now become international with the publication of ISO 27001:2005 Information technology - Information security management systems - Requirements and ISO 27001 Information technology - Code of practice for information security management.
It was only a matter of time before an ISO security standard emerged for information technology. ISO 27001 is the international Information Security Management System (ISMS) standard: a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce.
ISO 17799 was first published as a DTI Code of Practice in the UK. It was rebadged and published as Version 1 of BS 7799 in February 1995. It was not widely accepted, for reasons such as its lack of a simple approach and insufficient flexibility. Version 2, a major revision, was published in May 1999. Formal certification and accreditation schemes were launched in the same year, followed by publication of the ISO standard.
ISO 27001 is comprehensive in its coverage of security issues. It contains a considerable number of control requirements, some of which are quite complex. Compliance with ISO 27001 and certification can be a difficult and overwhelming task, and should be taken one step at a time. The best starting point is most likely an assessment of the current position, followed by the identification of the changes needed for ISO 27001, and then planning and implementation.
For QM&T's special white paper comparing BS ISO/IEC 27001:2005 (BS 7799-2:2005) Information technology - Security techniques - Information security management systems - Requirements with BS 7799-2:2002 Information security management systems - Specification with guidance for use, please contact Edda Saunders - details below.
ISO 27001 (Requirements) and the associated ISO 17799 (Guide) cover ten major elements:
Business Continuity Planning to counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
System Access Control to control access to information; to prevent unauthorised access to information systems; to ensure protection of networked services; to prevent unauthorised computer access; to detect unauthorised activities; to ensure information security when using mobile computing and tele-networking facilities.
System Development and Maintenance to ensure security is built into operational systems; to prevent loss or misuse of data; to protect the confidentiality, authenticity and integrity of information; to ensure projects are conducted in a secure manner; to maintain the security of system software and data.
Physical and Environmental Security to prevent unauthorised access, damage and interference to business premises and information; to prevent loss, damage or compromise of assets and interruption to business activities; to prevent compromise or theft of information and information processing facilities.
Compliance to avoid breaches of any criminal or civil law; to ensure compliance of systems with security policies and standards; to maximise the effectiveness of and minimise interference from the system audit process.
Personnel Security to reduce risks of human error, theft, fraud or misuse of facilities; to ensure that users are aware of information security threats and concerns; to minimise the damage from security incidents and faults.
Security Organisation to manage information security within the organisation; to maintain the security of information processing and information accessed by third parties.
Computer & Network Management to ensure correct and secure processing of information; to minimise the risk of systems failures; to protect the integrity of software and information; to ensure the safeguarding of information in networks; to prevent damage to assets and interruptions to business activities; to prevent loss, modification or misuse of information exchanged between organisations.
Asset Classification and Control to maintain appropriate protection of assets and to ensure information assets receive an appropriate level of protection.
Security Policy to provide management direction and support for information security.
Meeting the exacting requirements of ISO 27001 is a business objective for many organisations. However, achieving compliance, or developing and implementing the required policies and procedures for your organisation, can seem a huge task. This is where the ISO 27001 Toolkit can help. The toolkit contains all the information, programmes, plans, presentations and software needed to meet the requirements of this standard. This toolkit has proved successful even when subjected to the full rigours of an ISO 27001 certification audit by a world-renowned certification body. The ISO 27001 Toolkit was created with the invaluable assistance of a professional ISO 27001 and IRCA-recognised Lead Assessor.
It contains:
Electronic versions of the ISO27001 standard
A full set of ISO27001 compliant information security policies
A management presentation on ISO 27001 in PowerPoint format
A disaster recovery planning kit (re: ISO27001 section 11)
A road map (programme and project plan) for certification
An audit kit (checklists, etc.) for a modern network system (section 12)
A comprehensive glossary of information security and computer terms
A business impact analysis questionnaire
Risk analysis software
Software for the security management system records, audit and documentation
All these important elements are provided in electronic form, allowing the option of instant access via download.
Our experienced and knowledgeable staff have frequently been requested to provide security management system support, not only for organisations wishing to meet the requirements of ISO 27001 but also for those wishing to review, evaluate and improve their security arrangements.
For further information about implementing an Information Security Management System to meet the requirements of ISO 27001, please contact Edda Saunders - contact details below.
ISO 27001 (BS 7799) Foundation
ISO 27001 (BS 7799) Audit
ISO 27001 Lead Assessor (Registered)
If you would like to know more about Security Management Systems, please contact Edda Saunders at:
Telephone: +44 (0)1483 453511
Fax: +44 (0)1483 453512
Postal address: Quality Management & Training Limited, PO Box 172, Guildford, Surrey, GU2 7FN, United Kingdom
Electronic mail:
Technical Support: help@qmt.co.uk
Customer Support: Mary-Clare Bushell, tutor@qmt.co.uk