Information Security, Risk Management, Governance and Audit
BRIEF
“Information is your organization's most valuable asset, so why not protect it in the same way you protect your physical assets?
Yew Tree Services can help you make the most of your information by making sure it is there when you need it and managed in line with international standards and legislation.”

Standards

What is ISO/IEC 27001? What happened to BS7799?

ISO/IEC 27001 was published by the International Organization for Standardization (ISO) on 15 October 2005. It replaced the previous standard in this area, BS7799-2, and is essentially the same standard, updated to reflect feedback from implementers and the requirements for ISO standardisation. What started as a straightforward British Standard has gone on to become the globally accepted standard to work towards and is now internationally recognised.

ISO/IEC 27001 defines an Information Security Management System (ISMS) and provides an internationally recognised standard against which organisations can gain certification. It is complemented by the ISO/IEC 17799 'code of practice', itself first published as BS 7799-1. The two are closely aligned and related, but perform distinct roles.

ISO/IEC 27001 specifies the requirements for the security management system itself. It is this standard against which certification may be obtained, as opposed to ISO/IEC 17799, which is a set of best-practice guidelines.

ISO/IEC 27001 has also been harmonised to be compatible with other management systems standards, such as ISO/IEC 9001 and ISO/IEC 14001.

So what does ISO/IEC 27001 actually do?

ISO/IEC 27001 is a standard setting out the requirements for an information security management system (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties, including an organisation’s customers. It is suitable for many different types of organisational use and is unusual in that it does not have to be adopted in its entirety to achieve compliance, provided the exemptions can be justified.

What about ISO/IEC 17799?

ISO/IEC 17799 details a number of individual security controls, which may be selected and applied as part of the ISMS. ISO/IEC 17799, again based on a British Standard, is scheduled to become ISO/IEC 27002 in a couple of years.

The ISO/IEC 17799 Code of Practice for Information Security Management establishes guidelines and general principles for organisations to initiate, implement, maintain, and improve information security management. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best-practice control objectives and controls for information security management.

ISO/IEC 17799 is not a standard against which an organisation can become certified. Rather, it is a set of guidelines which, if implemented, will greatly assist an organisation in becoming compliant with, or certified against, ISO/IEC 27001.

Certification or Compliance, which is best?

There is no hard and fast answer to this. Certification is a strenuous activity for any business, but can present significant benefits to those achieving it. As well as the advantages of managing its business information effectively and securely, certification shows the world, and potential clients or customers, that you are serious about the way you do business in the information age. Certification can only be achieved by submission to, and successful conclusion of, a series of external audits by an accredited certification body.

Compliance, on the other hand, is more easily achieved, in that the business decides on its own criteria for that compliance rather than those of an external body. It still requires work, however, although the rewards can be almost as great as those of certification if done correctly.

Yew Tree Services can help businesses achieve compliance to their own criteria or gain certification against this international standard.

BS25999

Over 60% of FTSE 250 companies now recognize the business benefits of Business Continuity Management (BCM) in terms of reducing risk, satisfying customer requirements, remaining competitive and winning new business.

But many companies still put themselves at risk:

46% said it would take LESS THAN A DAY for a serious disruption to significantly impact business.

BS 25999-1:2006 is a code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organization and providing confidence in business-to-business and business-to-customer dealings.

In addition to the above, it provides a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle.

We can help explain why BS 25999 is needed, what it is all about, how to use it, and the benefits its implementation can have to your business - large or small.

We can show you how you can use the standard to:

  • meet strategic, organizational, regulatory and legislative requirements
  • provide effective BCM frameworks
  • fit with your existing processes and systems - including supply chains
  • work with civil contingencies/emergency plans
  • benefit your business
  • impact on your future.

PCI DSS

If your organization sells or takes donations or payments by credit card online or by phone, it has been required since June 2005, as a "merchant", to comply with the Payment Card Industry Data Security Standard (PCI DSS).
Originally a joint development between Visa and MasterCard, the standard is now endorsed by many other major card issuers. The standard was implemented as an industry response to increased fraud and identity theft involving stolen credit card information. Its aim is to stem losses to the card providers and improve consumer confidence. It not only addresses the most common consumer fears over making credit card transactions online or over the phone - that their cardholder details will be compromised and abused - but ensures merchants become more accountable for their own risk.

Where cardholder information is compromised, merchants who are unable to demonstrate compliance with the standard may now be liable for losses that arise from that compromise. Beyond compliance, real business risks to brand, customer loyalty and corporate reputation exist if payment data is not securely managed.
In addition, merchants who do not comply with the standard face the prospect of substantial fines imposed by the card schemes, or of being permanently barred from the card acceptance program, should a security breach occur.

The PCI DSS requires merchants to:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

These 6 core functions are broken down into 12 specific requirements and over 200 individual controls. Yew Tree Services can help “merchant” organizations implement information management controls that will enable them to meet the requirements of the PCI DSS and protect their cardholder information to the required standard.