tracker

TQMC

TQMC has acquired wide Domain Knowledge and Experience. You can FREELY access it here and here

DISCLAIMER: This matter here is a guide only. For authentic and up-to-date information, please contact TQMC.

The DIRECTIVES and STANDARDS listed here may have been subsequently REVISED . You must refer to the CURRENT REVISION and AMENDMENTS if any.

Wednesday, August 5, 2009

ISO 27001 - Info LINKS

Sources of the ISO27k standards themselves
ANSI is selling their “INCITS” versions of ISO/IEC 27001 and ISO/IEC 27002 as PDF downloads for just US$30 each. These are official, completely legitimate versions, not bargain basement seconds. The standards can also be purchased rather more expensively from ISO, from the national standards bodies such as the British Standards Institute and from commercial organizations such as IHS Technical Indexes and TechStreet. There are several other sources so shop around for the best deals, for example using this Google search.
Several national standards bodies release translated versions of the ISO/IEC standards in their local languages. They all go to great lengths to ensure that the translations remain true to the original, causing some delay while the English language versions from ISO/IEC are translated, reviewed and released.


Further info on the ISO27k standards & their implementation
The State of California State Information Security Office has released a 43-page Information Security Program Guide for State Agencies - in effect a guideline on implementing ISO/IEC 27002 for US government entities. It includes a template ‘acceptable use’ policy. The State also offers a range of risk analysis checklists, tools and advice for small/simple, medium and large/complex entities, and a guide to the role and responsibilities of information security officer.
@sec has a good ISMS implementation guide along with several other information security white papers.


A comprehensive French language website provides useful information on ISO27k, risk analysis methods such as MEHARI and EBIOS, and general infosec info e.g. a brief outline of ingenierie sociale (social engineering).


The Government Chief Information Office, part of the New South Wales Department of Commerce, published and maintains a useful 111-page manual to guide Australian government agencies implementing ISO27k. The guidelines explain how to structure the ISMS, analyze risks to identify suitable information security controls, and measure and improve the ISMS thereafter. It doesn’t go into detail on implementing specific controls but provides general guidance by reference to the standards.


If you are actively implementing the ISO27k standards, you are welcome to join the ISO27k Implementers’ Forum to discuss the practicalities with others doing the same thing. The community of forum members will be pleased to advise you in relation to implementation, giving you the benefit of their collective experience in this field. Your own thoughts and inputs are most welcome, including contentious points for discussion.
Visit ISO27001certificates.com for details of most although evidently not all ISO/IEC 27001 certificates issued. The site is maintained by Ted Humphreys.


The ISO site lists standards under the remit of JTC1/SC27.
ISO/IEC 27001: the future of infosec certification by Taiye Lambo was originally published in ISSA Journal in 2006. It outlines reasons for implementing an ISMS including legal and regulatory compliance as well as reducing the costs arising from information security incidents.
An AC Nielsen survey conducted on behalf of ISO on the ISO management systems standards covered the ISMS standards, giving a breakdown of ISO/IEC 27001 certificates issued per country as at the end of 2006. [The total number is higher than usually reported so it is possible that they double-counted organizations with multiple certificates].



A report by the Government of the Hong Kong Special Administrative Region outlined ISO27k plus related standards, regulations etc. including PCI-DSS, COBIT, ITIL/ISO 20000, FISMA, SOX and HIPAA.


A handy guide to the process approach is available on ISO’s ISO 9000 website.
Ismael Valenzuela in [IN]SECURE eZine explained how information security can and indeed should be integrated with the systems development lifecycle (SDLC), using ISO/IEC 17799 (now ISO/IEC 27002). The piece included a useful table linking specific clauses in the ISO/IEC standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to eventual retirement of the system at the end of its life.



British Standards Institute has published a number of useful little ISMS guidance booklets over the years including BSI/DISC PD 005 (?) which contained a very handy overview diagram showing the typical lifecycle of an organization’s ISMS project. It would be good to see the parts of this older material recycled into the new. A security metrics booklet BIP 0074 is available from BSI: Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. “With increasing International interest in the field of ISMS metrics and measurements, this publication brings together the different methods that are currently in use to measure controls and/or processes. In addition it gives further information and guidance about these various methods to measure the success of security arrangements in place.” Price ~£40 ($75). [Another, cheaper, BSI booklet covers metrics for ISO 20000 (ITIL).]


www.ISO27000.es is “el portal de ISO 27000 en Espagñol” - the Spanish language equivalent to this site.
www.ISO27000.ru is the Russian version.


Comunidade Portuguesa de Segurança da Informação is a Portuguese community for those interested in implementing ISO27k information security management systems (mainly in Portuguese but with some good papers also in English).
Open Directory Project (ODP) maintains a page of ISO27k links.


Praxiom sells ‘plain English’ guides and gap analysis/audit tools for ISO/IEC 27001 & ISO/IEC 27002. Their site includes a useful summary of the controls from the standards.


General information security management sources
The German Government’s IT Baseline Protection Manual (also available as a single 25Mb PDF) contains standard security safeguards, implementation advice (e.g. “differential analysis” to identify changes in information security risks), technical security measures for several operating systems and threat catalogues. While not directly aligned, the content is relevant to ISO27k implementations. You'll need some time to read all 2,377 pages though!
An extensive list/catalog of potential information security metrics includes a section aligning the metrics against ISO/IEC 27002.



A French government website dedicated to information systems security provides, amongst other stuff, the risk assessment methodology EBIOS and associated tool for Windows, Linux ...
IT security guidance from the Canadian Government has some interesting documents on risk assessment etc.


A collection of general information security links is maintained by Gideon Rasmussen at ussecurityawareness.org
Russ McRee, author of the Toolsmith column in ISSA Journal, maintains a page of links to infosec standards.


The IT Compliance Institute (ITCi) has produced a useful cross-reference matrix showing the points of contact/overlap between a whole bunch of US/international laws, standards and regulations relating to information security (free access requires registration on the ITCi site - there are other useful resources too so it's probably worth doing). Some of the main ones are: ISO/IEC 27001 and ISO/IEC 27002, COBIT, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 70, PCAOB and SOX. They are listed along one axis with control objectives on the other axis and the page or section references in the body note the coverage. Here are three ways you might use the matrix:



ISMS coverage by control objective: check down the list to confirm that your ISMS covers most of the control objectives, and if there are any you do not recognize or you know are weak, look across the rows to find references from the standards that will explain the requirements;
ISMS coverage of applicable laws/standards/regulations: highlight the vertical columns for all those laws/stds/regs which which your organization has to comply, then highlight the horizontal rows where there are any entries in a marked column. Rows with multiple entries are common controls so you probably already have them but implementation should integrate the multiple requirements. Be careful about the rows with single entries: do you have them all covered in your ISMS? If not, there's a noncompliance risk to consider.


Linking standards to laws & regs: management are strangely concerned about compliance to laws and regs if not standards, presumably because they fear the personal accountability and business impact of noncompliance. The cross-reference matrix can help the information security manager who is promoting best practice ISMS standards by identifying the legal and regulatory requirements that coincide with best practice controls.


A lot of work must have gone into compiling the matrix. Make the most of it. The ITCi’s Unified Compliance Project is definitely one to look out for if your organization is subject to the usual mesh of overlapping laws, standards and regs.


Books on ISO27k and related standards.
CCcure.org lists useful books and other resources for the CISSP and related qualifications, all of which are also good reference material for ISO/IEC 27001, ISO/IEC 27002 etc.
There are many more information security management-related links in the NoticeBored links collection.


Suppliers of ISO27k-related services and products
Implementing ISO 27001 - A Coal-Face Account From The Secure Data Destruction Industry is a new blog from a British company that can take care of all your secure data destruction needs. It aims to provide easy-to-understand information for non-information-security-experts and company directors, based on the author’s experiences implementing and seeking certification jointly against ISO/IEC 27001, ISO 9001 and ISO 14001.
Neupart’s SecureAware information security policy management system is supplied with a generic policy template based on ISO/IEC 27002 (among others). A video demo shows how to select and modify the default policy statements, procedures etc., optionally add-in your own pre-existing policies/procedures, and promote them to multilingual target audiences through the Learning Management System. Smart!
SAI-Global offers ISO27k-related ISMS training courses including implementation and auditing.
Stiki offers Risk Management Studio, a software suite to assist with security analyses.
Consult2Comply offers consultancy support for governance, risk and compliance, and sells a range of British and international standards.
Warrior Networks specialises in digital information security, offering general ISMS and governance consultancy, ISO/IEC 27001 auditing and implementation support.
M


go
here for Links

much MORE

No comments:

Post a Comment