"Protecting Information Assets for their confidentiality, integrity and availability"
Information is vital and constitutes an important asset for any company. When it comes to implementing codes of practice for information security management, the best point of reference is BS7799 / ISO 17799, an internationally recognized standard in this field.
BS ISO/IEC 27001:2005 (BS 7799-2:2005) is the new international standard that provides a specification for an ISMS and the foundation for third-party audit and certification. The standard is complementary to the new standard BS ISO/IEC 17799:2005 (BS 7799-1:2005).
The basic objective of the standard is to help establish and maintain an effective information security management system, using a continual improvement approach. It implements the OECD (Organisation for Economic Co-operation and Development) principles governing the security of information systems and networks. The new standard replaces BS 7799-2:2002.
The goal of BS7799 / ISO 17799 is to “provide a common base for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”
ISO 17799:2005 outlines 134 security guidelines in eleven areas, with detailed controls and guidance on human resources, legal matters and contingency planning. These guidelines are grouped under the following areas:
Security Policy: addresses management support, commitment and direction in accomplishing information security goals.
Organization of Information Security: addresses the need for a management framework that creates and manages the security infrastructure, including third-party and outsourcing arrangements.
Asset Management: addresses the way assets are grouped, handled and stored.
Human Resources Security: addresses an organization's ability to mitigate the risk inherent in human interactions, including staffing, training and security responsibilities.
Physical and Environmental Security: addresses the risk inherent to organizational premises and the ability of the physical infrastructure to protect the assets.
Communications and Operations Management: addresses an organization's ability to ensure the correct and secure operation of its assets, including configuration, changes and administration.
Access Control: addresses an organization's ability to control access to assets based on business and security requirements.
Information Systems Acquisition, Development and Maintenance: addresses an organization's ability to ensure that appropriate information system security controls are both incorporated and maintained.
Information Security Incident Management: addresses an organization's ability to record and investigate security incidents and to take corrective measures.
Business Continuity Management: addresses an organization's ability to counteract interruptions to normal operations caused by disasters.
Compliance: addresses an organization's ability to remain in compliance with regulatory, statutory, contractual and security requirements.
What is Information Security?
Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably PROTECTED.
CONFIDENTIALITY: Access is limited to authorized personnel.
INTEGRITY: Assuring that information is accurate and complete.
AVAILABILITY: Information is ready for use when required.
What is an information security management system (ISMS)?
An information security management system is a management system, just like a QMS (quality management system) or an EMS (environmental management system), designed to protect the information assets of the organization to the required level of security through the establishment and maintenance of a set of policies, procedures, controls and practices.
It is the latest standard.
It is applicable to any organization having vital information assets:
All industrial sectors
All service sectors
All public sector units (PSUs)
All government organizations
The health care sector
Any small, medium or large business organization
DRIVERS FOR CERTIFICATION
Achieve a competitive edge
Provides an excellent checklist of available controls
Forms a sound basis for your information security policy