ISO 27001:2005

Information Security Management System

Why Implement an ISMS?

Benefits of an ISMS

Difference between ISO 27001 and ISO 27002

Assets

Information Security Threats

ISO 27001:2005 Annex A Controls

Why Implement an ISMS?

  • Minimize the impact on your business of a breach of security:
    • Lost business
    • Lost brand equity
    • Lost productivity
    • Increased labor costs for containment, repair, and reconstitution
    • Increased insurance premiums
    • Increased legal fees
    • Fines
  • Ensure business continuity
  • Minimize business damage
  • Maximize return on investment and business opportunities
  • Maintain competitive edge
  • Ensure cash flow
  • Maintain profitability
  • Ensure legal compliance
  • Maintain commercial image

Every organization will have a differing set of requirements in terms of controls and the level of confidentiality, integrity, and availability required.

Benefits of an ISMS

  • Ensures compliance with mandates and laws
  • Provides the means for information security corporate governance
  • Provides satisfaction and confidence that customers' information security requirements are being met
  • Allows for focused staff responsibilities
  • Improves the effectiveness of the information security environment
  • Allows for market differentiation due to a positive influence on company prestige and image, as well as a possible effect on the asset or share value of the company
  • Reduces liability and risk due to implemented or enforced policies and procedures, which demonstrate due diligence
  • Facilitates better awareness of security throughout the organization
  • Provides competitive advantages and reduction in costs connected with the improvement of process efficiency and the management of security costs
  • Potentially lowers rates on insurance

Difference Between ISO 27001 and ISO 27002

ISO 27001:2005:

  • Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)
  • Specifies requirements for security controls to be implemented according to the needs of individual organizations
  • Serves as the basis for the third party certification audit
  • Consists of 11 control sections, 39 control objectives, and 133 controls
  • Is aligned with ISO/IEC 17799:2005

ISO 27001:2005 Focus:

  • Harmonization with other management system standards
  • The need for continual improvement processes
  • Corporate governance
  • Information security assurance
  • Implementation of Organization for Economic Co-operation and Development (OECD) principles

ISO 27002:2005, Code of Practice:

  • Defines a process to evaluate, implement, maintain, and manage information security
  • Is based on BS 7799-1:2005
  • Is intended for use as a guidance or reference document
  • Is based on best information security practices
  • Consists of 11 control sections, 39 control objectives, and 133 controls
  • Was developed by industry for industry
  • Is not used for certification assessment or registration (organizations certify against ISO 27001, not ISO 27002)
  • Is not a technical standard

Assets

An asset is something an organization assigns value to. Examples include:

  • Information assets
  • Paper documents
  • Software assets
  • Physical assets
  • People
  • Company image and reputation
  • Services

For the purposes of ISO/IEC 27001:2005, "assets" do not necessarily include everything the organization would normally regard as having value; the ISMS scope is what matters.

An organization must therefore determine which assets, if lost or unavailable, could materially affect delivery of its products or services, or could cause degradation or damage to the organization through loss of confidentiality, integrity, or availability.

Information Security Threats

A threat is anything with the potential to cause an unwanted incident that may result in harm to a system, or to an organization and its assets.

Threats and threat sources to plan for include:

  • Disgruntled or coerced employees
  • Service disruption
  • Growth in complexity and effectiveness of hacking tools
  • Growth in networking
  • Growth in distributed computing
  • Vandalism
  • E-mail
  • Worms and viruses
  • Theft
  • Natural and man-made disasters (e.g., fire, flood, earthquake, terrorism)
  • Hardware/software failure
  • Human error
  • Computer-assisted fraud
  • Espionage
  • Sabotage
  • Computer hacking

Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities.

ISO 27001:2005 Annex A Controls
