ISO27001 certification

Fri 29 Jan

ISO 27001 certification: How you can help an organization to achieve it? - Series Part 06

In my last five articles we covered deploying the initial security resource, understanding the standard and its mandatory controls, defining in-scope and out-of-scope items, security ownership, vision, objectives, and some perspectives on the security policy and its basis. Let us now look at the Statement of Applicability.

Sat 23 Jan

ISO 27001 certification: How you can help an organization to achieve it? - Series Part V

In my earlier four articles we covered deploying the initial security resource, understanding the standard and its mandatory controls, defining in-scope and out-of-scope items, security ownership, vision, objectives, and some perspectives on the security policy. Let us now look at how one should collect the security requirements of a customer.

A security policy document generally comprises the mandatory controls given in the standard and the policy statements for the security controls selected for the project. To write the latter part we need to know the customer's security requirements; gathering those requirements at this stage will also help you identify the critical information and data that must be protected. There are multiple sources for identifying them, as follows:

Sun 17 Jan

ISO 27001 certification: How you can help an organization to achieve it? - Series Part IV

In my last three articles we covered deploying the initial security resource, understanding the standard and its mandatory controls, defining in-scope and out-of-scope items, security ownership, vision and objectives. We left off wondering how one should go about writing a security policy. Let us go ahead…

Different personnel look at a security policy from different perspectives; a few are listed below:

Sat 09 Jan

ISO 27001 certification: How you can help an organization to achieve it? - Series Part III

In my previous two articles (please see the links to those articles at the end of this article) we covered deploying the initial security resource, understanding the standard and its mandatory controls, defining in-scope and out-of-scope items, and security ownership. Now that the stage has been set, let us go ahead with some practical implementation steps. We should remember that our goal is to make security an enabler for the business and not a hurdle of imposed checks and balances, so we need to align security with the business. Isn't it a good idea to start by defining a vision for your security program? Let us do it…

Define Security Vision

Although ISO 27001 does not mandate a security vision, it is recommended to have one in order to set the overall direction of the security program. Here we have to keep two things in mind:

Wed 30 Dec

ISO 27001 certification: How you can help an organization to achieve it? - Series Part II

In Series Part I of this topic we covered (a) deploying the initial resource, (b) understanding the standard and (c) defining the scope.

We left off discussing the definition of 'in scope' and 'out of scope' areas and assets. An explicit out-of-scope statement is generally needed to remove ambiguity from the scope definition: there may be something you do not want in scope, but a reader of the scope statement alone would be left to his or her own judgement on whether to include or exclude it. The scope should ideally cover the physical entities, functions, user groups, IT and non-IT assets, applications, middleware assets and, of course, the external parties. Going ahead now…

Mon 28 Dec

ISO 27001 Certification: How you can help an organization to achieve it? - Series Part I

Problem Statement:

An organization (say a client or customer) hires me to start an information security program, with the final goal of certifying it against the ISO 27001 standard. How do I start my engagement?

Solution

Note: not every step is a prerequisite for the next, and some may be done in parallel.
