ISO/IEC 27001 Information Security
 
Network Security Planning
Now more than ever, businesses rely on their networks for all aspects of their operations, including internal and external communications, inventory, billing, sales, and trading with partners. However, many businesses have no well-defined strategy, policies, or procedures to manage their data and network assets. Sometimes existing policies are actually illegal, something that won't come to light until there is a problem. A well-implemented security plan protects not only your data but also the way your network assets are used. It can enforce company policies, such as how employees spend their time online, and the resulting productivity savings can far more than pay for the plan itself. Having a policy in place that is actually enforced can also limit your legal liability. Today there is a standard available known as ISO/IEC 27001. Whether or not you need or want to be certified to the standard, writing a security policy that complies with a worldwide standard adds credibility to your plan. A good security plan identifies what needs to be done concerning the formulation of policies and their enforcement, and clarifies the requirements for the software and hardware selection process.

What Is ISO/IEC 27001?
ISO/IEC 27001 is part of the ISO 27000 series of information security management standards. The series aligns with other ISO management system standards, such as ISO 9001 (quality management systems), both in its general structure and in the way it combines best practice with certification requirements.

Reasons to use ISO/IEC 27001
ISO/IEC 27001 is a good security best-practices guide in its own right. More and more organizations require assurance of their suppliers' data security. As with ISO 9001, the easiest way for customers to obtain that assurance is to require certification to the standard, where compliance is certified by a third party at the vendor's expense. Certification will be easier and less expensive for your company if ISO/IEC 27001 is the guiding document for your network security.

How does it benefit internal operations?

ISO/IEC 27001 was designed to provide a framework to:
  • Formulate security requirements and objectives
  • Ensure that security risks are cost effectively managed
  • Ensure compliance with laws and regulations
  • Provide a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met
  • Define security management processes
  • Document security management processes
  • Provide a standard to measure the status of information security management
  • Provide a document for use by the internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization
  • Provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons
  • Assist in implementing information security
  • Be used to provide relevant information about information security to customers

If you want to be certified
As with ISO 9001, it is unethical for NSI to be the organization that helps you become compliant and also be the one that certifies your compliance.

As with ISO 9001, certification involves a two-stage audit process:
- Stage 1 is a "table top" review of the existence and completeness of key documentation, such as the organization's Security Policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
- Stage 2 is a detailed, in-depth audit that tests the existence and effectiveness of the ISMS controls stated in the SoA and RTP, as well as their supporting documentation.

Certification renewal involves periodic reviews and re-assessments to confirm that organizations remain compliant.

Certification of an organization's ISMS against ISO/IEC 27001 is one means of providing assurance that the certified organization has implemented a system for the management of information security in line with the standard. Credibility is the key advantage of being certified by a respected, independent and competent third party. The assurance it provides gives confidence to management, business partners, customers and auditors that the organization is serious about information security management. Organizations may be certified compliant with ISO/IEC 27001 by a number of accredited certification bodies worldwide.