Information Security Management System (ISMS) and ISO/IEC 27001:2005
Recently my current employer, M.H. Alshaya Co. W.L.L., became the first retailer in the Middle East to be certified with ISO/IEC 27001:2005 certification. This was a result of hard work from around 150 employees (whose processes were included in the scope) spanning across multiple departments. I was a member of the ISMS (Information Security Management System) steering committee.
The ISO/IEC 27001:2005 standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. For its implementation, ISO defines a set of information security management requirements outlined in clauses 4, 5, 6, 7, and 8 of the standard. An organization must meet each of these requirements to achieve ISO 27001 compliance. Further, the standard adopts the PDCA (Plan, Do, Check, Act) model for every aspect of its implementation.
- PLAN: Section 4 expects you to plan the establishment of your organization’s ISMS.
- DO: Section 5 expects you to implement, operate, and maintain the ISMS.
- CHECK: Sections 6 and 7 expect you to monitor, measure, audit, and review your ISMS.
- ACT: Section 8 expects you to take corrective and preventive actions and continually improve your ISMS.
Along with these requirements, the standard also lists a set of control objectives and corresponding controls in Appendix A (A5-A15). Based on a detailed risk assessment, an organization needs to identify the controls to implement or exclude (with valid reasons for each exclusion). The control objectives are listed as:
- A5: Security Policy
- A6: Organization of Information Security
- A7: Asset Management
- A8: Human Resources Security
- A9: Physical and Environmental Security
- A10: Communication and Operations Management
- A11: Access Control
- A12: Information System Acquisition, Development, and Maintenance
- A13: Information Security Incident Management
- A14: Business Continuity Management
- A15: Compliance
For certification, an organization needs to establish an ISMS that meets ISO 27001:2005 and addresses its internal needs. An external registrar is then invited to audit the system. If the registrar is satisfied with the compliance, it will issue the ISO 27001:2005 compliance certificate. The entire process is extremely tedious but certainly worthwhile in protecting the important information assets of the organization.