A Directors' brief on ISO27001 Information Security Management by iupon13


It is generally accepted that information is the greatest asset any organisation has
under its control. Managing Directors are aware that the supply of complete and
accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical
business function. It is not just an IT function but covers:

Governance; Risk Management; Physical Security; Business Continuity; Regulatory and
Legislative Compliance.

Information Security
Business has been transformed by the use of IT systems; indeed, it has become central
to delivering business efficiently. The use of bespoke packages, databases and email
has allowed businesses to grow while encouraging remote communication and

Most businesses rely heavily on IT but critical information extends well beyond
computer systems. It encompasses knowledge retained by people, paper documents as
well as traditional records held in a variety of media. A common mistake when
incorporating an information security system is to ignore these elements and
concentrate only on the IT issues.

Information security is a whole organisation matter and crosses departmental
boundaries. It is more than just keeping a small amount of information secret; your
very success is becoming more dependent upon the availability and integrity of
critical information to ensure smooth operation and improved competitiveness.

These are the three requirements for any ISMS.

Managing Directors' Perspective
Your vision is central to organisational development; driving improvements in all
areas of the business to create value. With information technology being key to so
many change programmes, effective information security management systems are a
prerequisite to ensuring that systems deliver on their business objectives. Your
leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly
by national or local government and the professional and financial sectors. This is being
driven by adoption of the standard as part of their legal and regulatory obligations. In
some areas this is becoming a tender requirement.
Others are seeing a competitive advantage in leading their sector and using
certification in information security management to develop customer/client
confidence and win new business. With public concern over security issues at an
all-time high, there is a real need to build effective marketing mechanisms to show how
your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be
answerable for damaging incidents that can affect organisational value. The risk
assessment, which is the foundation of the standard, is designed to give you a clear
picture of where your risks are and to facilitate effective decision making. This
translates into risk management, not simply risk reduction and therefore replaces the
feeling many directors have of risk ignorance in this area. This will help you
understand the potential risks involved with the deployment of the latest information
technologies and will enable you to balance the potential downside with the more
obvious benefits.

Whether as part of compliance, such as that required by professional bodies,
Sarbanes-Oxley or the Data Protection Act, or as part of effective governance,
information security is a key component of operational risk management. It enables the formulation of
effective risk analysis and measurement, combined with transparent reporting of
ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital.
Analysis of where you are vulnerable allows you to measure the probability that you
will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough
analysis of your information assets, how they can be impacted by attacks on their
confidentiality, integrity and availability, and a measure of their real value to your

Although the detail within the risk assessment process can be complex, it is also
possible to translate this into clear priorities and risk profiles that the Board can make
sense of, leading to more effective financial decision making.

Business Continuity
How well would you cope if a disaster affected your business?

This could be from some natural cause such as flood or storm or, worse, from fire,
terrorism or other civil unrest. The areas not often considered are sickness, failure of
utilities or technology breakdown.

Business continuity planning in advance of a disaster can mean the difference
between survival or extinction of the business.
Many of the businesses affected by the Buncefield Fuel Depot disaster never recovered.
Those with an effective business continuity plan have emerged like the phoenix from
the ashes.

Many businesses claim to have a plan but if the plan is untested or ill-prepared then it
is bound to fail.

ISO 27001 states that a fully planned and tested BCP should be in place to prepare for,
and be able to deal with, such an emergency.

ISO 27001 Sections
Security policy - This provides management direction and support for information security.

Organisation of assets and resources - To help manage information security within the organisation.

Asset classification and control - To help identify assets and protect them appropriately.

Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.

Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.

Communications and operations management - To ensure the correct and secure operation of information processing facilities.

Access control - To control access to information.

Information systems acquisition, development and maintenance - To ensure that security is built into information systems.

Information security incident management - To deal effectively with any identified security incident.

Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.
