White Papers

Why every business desires an Information Security Management System (ISMS)

By Travis Hyde

A high priority among the challenges facing business leadership today is the business dictum of “doing more with less”, in addition to meeting the more rigorous security and compliance requirements facing your business from both customers and regulators alike. With the amount of available security and compliance products and services on the market today, it’s extremely difficult to know what’s best for your business. This whitepaper sets out the benefits and provides a business case for an Information Security Management System (ISMS) conforming to ISO 27001.

Understanding ISO 27001

By contributing authors of Orange Parachute

The information security field has traditionally been based on sound "best practices" and "guidelines". While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations, not always consistent or harmonious. Furthermore, without the risk justification required by ISO 27001, "best practice" is in reality "best guess" devoid of the underlying analysis that makes control implementation both justifiable and defensible. ISO 27001 offers multiple benefits to an organization if applied correctly.

Understanding Information Security Management Systems (ISMS)

By contributing authors of Orange Parachute

Organizations have long been practicing information security but not effectively managing information security. Assuming that security guidance is being given, and security activities performed, organizations have some form of an Information Security Management System already in place, although perhaps immature and incohesive. The ISMS process brings Quality Management concepts to the discipline of information security with numerous benefits.

Understanding ISO 27002

By contributing authors of Orange Parachute

As a standard that is primarily conceptual, ISO 27002 is NOT:

  • A technical standard
  • Product or technology driven
  • An equipment evaluation methodology

ISO 27002 is a comprehensive minimum baseline of information security controls that all Information Security Programs SHOULD address in some manner. This paper provides detail on the ISO 27002 standard and discusses the benefits of ISO 27002 and a comparison to the ISO 27001 standard.

Understanding Information Risk Management

By contributing authors of Orange Parachute

Business is all about risk and the management of any enterprise is in some manner enterprise risk management. Traditionally the term risk management has been focused on financial and fiduciary business risk. The increased importance of information confidentiality, integrity, and availability in managing an enterprise has caused the recognition that information risk is equally concerning to the health and wellbeing of an enterprise and should be managed accordingly.

ISO 27001 and SAS 70 – A Comparison of Methodologies and Approaches

By contributing authors of Orange Parachute

Organizations today are faced with many challenges. One of the more difficult questions is how to provide assurance of Information Security, Information Technology, and control environments to third parties. These third parties may be clients, business partners, regulatory bodies, or others. For many years, the SAS 70 Service Auditor's Report has been used to meet this requirement. This whitepaper provides an alternate perspective on third-party assurance by comparing and contrasting the SAS 70 process with that of creating an Information Security Management System (ISMS) based upon ISO 27001.

Packaging for Success!

By contributing authors of Orange Parachute

Information Security professionals are finally asking hard questions and expecting hard answers. Part of this metamorphosis, of course, is due to the long overdue recognition that information security is not just a technology problem, although there are certainly significant technical components. Much of this credit must certainly be given to recently embraced standards such as ISO 27001, which expanded information security from technology security to information in any form. This has had the effect of requiring traditional information security programs to interface with other enterprise programs such as Human Resources, Physical Security, Legal, and others in order to provide a holistic approach. Another milestone was the recognition of synergies with other disciplines such as Risk Management, Quality Management, and I.T. Service Management (ITIL). This has allowed us to look at common management solutions in order to solve common management problems.
