USEFUL LINKS

International Register of ISMS Certificates

International Organization for Standardization (ISO)

International Registry of Certificated Auditors

ANSI-ASQ National Accreditation Board (ANAB)

RABQSA International, Personnel & Training Certification

About Information Assurance & Security

Frequently Asked Questions

What is Information Security?
Information Security is the practice of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption. The fields of information assurance and information security are closely related and share common goals. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data takes: electronic, print, or other forms. Information Assurance is the practice of managing information-related risks; it has a broader connotation that also includes reliability and emphasizes strategic risk management.

What should an Information Security Program be comprised of?
Many organizations are under the mistaken impression that Information Security focuses only on technology. An effective Information Security program takes people and processes, as well as technology, into consideration. Further, establishing an Information Security program should be the beginning of a continuous improvement process that addresses the ongoing nature of managing risk for the organization.

How is a comprehensive Information Security Program created?
One very effective strategy for implementing an Information Security program is to build it within the framework of ISO/IEC 27001 (the requirements for an Information Security Management System, against which an organization can be certified) and ISO/IEC 27002 (the companion code of practice that describes the controls in detail), the international standards for Information Security.

What is ISO 27001?
ISO 27001/ISO 27002 (formerly BS 7799/ISO 17799) is the international Information Security standard originally prepared by the British Standards Institution and adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). BS 7799 Part 2 became ISO/IEC 27001, the certifiable specification of requirements for an Information Security Management System (ISMS); BS 7799 Part 1 became ISO/IEC 17799 and was later renumbered ISO/IEC 27002, the widely recognized code of practice that states security control objectives and recommends a range of specific controls. Organizations that implement an ISMS in accordance with the guidance in the Code of Practice can expect to manage risk to critical information more effectively. The basic objective of the standard is to help establish and maintain an effective information security management system using a holistic, comprehensive, total-quality and continual-improvement approach to developing and implementing an organization's information security program, while reflecting the OECD (Organisation for Economic Co-operation and Development) principles governing the security of information systems and networks.

ISO 27001/ISO 27002 has been implemented in some seventy countries around the world, and nearly 4000 organizations were certified at the time of writing. U.S. legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), as well as several international laws and regulations, borrow heavily from ISO 27001. ISO 27001/ISO 27002 identifies 11 control areas, 39 control objectives and 133 specific controls for Information Security. An internationally recognized, defensible, repeatable and measurable approach to Information Security is also a strong answer to the internal-control requirements of Sarbanes-Oxley (SOX) Section 404.

Why ISO 27001?
The ISO 27001 framework is holistic, comprehensive, repeatable, measurable and defensible; it recognizes information in all forms, and it is process-focused and business-oriented.

What does the ISO 27001 framework look like?
The framework comprises the general requirements for the ISMS (the mandatory clauses covering scope, risk assessment, management commitment, internal audit and improvement) and Annex A, which lists 11 control areas, 39 control objectives and 133 specific controls for information security. (These figures are from the 2005 edition of ISO/IEC 27001; later revisions of the standard reorganize and renumber Annex A, so check which edition your certification body is auditing against.) The eleven control areas are:
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

What does it mean to be "certified" to ISO 27001?
Certification is acknowledgement by an independent, accredited third party (a certification body) that the organization has implemented an effective Information Security program. In ISO 27001 parlance, certification is granted to the organization's Information Security Management System (ISMS), for a defined scope, after an audit against the requirements of the standard. Note that a certificate attests that the ISMS conforms to ISO 27001 within that scope; it is not a guarantee that every system in the organization is secure, and the scope statement on the certificate should always be read alongside it.

How long does it take to become ISO 27001 certified?
The certification process itself is relatively quick: a Stage 1 audit (a review of the ISMS documentation and readiness) followed by a Stage 2 audit (an on-site assessment of the implemented controls), after which the certificate is maintained through periodic surveillance audits and a full recertification audit every three years. The challenging part is implementing the ISMS. Time to implement depends on the maturity of the existing Information Security program, the level of commitment from the organization (resources available), the scope of the ISMS and the expertise of those responsible for the implementation. Organizations have achieved certification for their ISMS in as little as three months or as long as several years. The average time required for implementation is about eighteen months.

What are the pitfalls to successful ISMS implementation?
The pitfalls to successful ISMS implementation are many and varied. Among the most common impediments:
• Lack of knowledge/expertise of the implementers
• Lack of management support/commitment
• Unrealistic scope definition for the ISMS
• Dearth of resources for implementation
• Lack of "buy-in" from the organization as a whole