Business Case for ISO 27001
By Robert Forbes
Senior Consultant, Orange Parachute
Among the challenges facing information security leadership, two stand out: the business dictum of "doing more with less", and enabling the sales team to leverage security effectively as a market differentiator. This whitepaper sets out the benefits of, and provides a business case for, an Information Security Management System (ISMS) conforming to ISO 27001.
Packaging for Success!
By Tom Carlson - CISSP
Principal Consultant and ISMS Practice Lead - Orange Parachute
Information Security professionals are finally asking hard questions and expecting hard answers. Part of this metamorphosis, of course, is due to the long overdue recognition that information security is not just a technology problem, although there are certainly significant technical components. Much of this credit must certainly be given to recently embraced standards such as ISO 27001, which expanded information security from technology security to information in any form. This has had the effect of requiring traditional information security programs to interface with other enterprise programs such as Human Resources, Physical Security, Legal, and others in order to provide a holistic approach. Another milestone was the recognition of synergies with other disciplines such as Risk Management, Quality Management, and I.T. Service Management (ITIL). This has allowed us to look at common management solutions in order to solve common management problems.
ISO 27001 and SAS 70 – A Comparison of Methodologies and Approaches
by contributing authors of Orange Parachute
Organizations today are faced with many challenges. One of the more difficult questions is how to provide assurance of Information Security, Information Technology, and control environments to third parties. These third parties may be clients, business partners, regulatory bodies, or others. For many years, the SAS 70 Service Auditors Report has been used to meet this requirement. This whitepaper provides an alternate perspective on third party assurance, by comparing and contrasting the SAS 70 process with that of creating an Information Security Management System (ISMS) based upon ISO 27001.
Understanding Information Risk Management
by Nick Halvorson, Senior Consultant, Orange Parachute
Business is all about risk and the management of any enterprise is in some manner enterprise risk management. Traditionally the term risk management has been focused on financial and fiduciary business risk. The increased importance of information confidentiality, integrity, and availability in managing an enterprise has caused the recognition that information risk is equally concerning to the health and wellbeing of an enterprise and should be managed accordingly.
Understanding Information Security Management Systems (ISMS)
by Tom Carlson, Principal Consultant, Orange Parachute
Organizations have long been practicing information security without effectively managing it. Assuming that security guidance is being given and security activities are performed, an organization already has some form of an Information Security Management System in place, although perhaps an immature and fragmented one. The ISMS process brings Quality Management concepts to the discipline of information security, with numerous benefits.
Understanding ISO 27001
by Tom Carlson, Principal Consultant, Orange Parachute
The information security field has traditionally been based on sound "best practices" and "guidelines". While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations, not always consistent or harmonious. Furthermore, without the risk justification required by ISO 27001, "best practice" is in reality "best guess" devoid of the underlying analysis that makes control implementation both justifiable and defensible. ISO 27001 offers multiple benefits to an organization if applied correctly.
Understanding ISO 27002
by Tom Carlson, Principal Consultant, Orange Parachute
As a standard that is primarily conceptual, ISO 27002 is NOT:
- A technical standard
- Product or technology driven
- An equipment evaluation methodology
ISO 27002 is a comprehensive minimum baseline of information security controls that all Information Security Programs SHOULD address in some manner. This paper provides detail on the ISO 27002 standard, discusses its benefits, and compares it with the ISO 27001 standard.
