ISO 27001:2005
Global Landmark has been recognized as an ISO 27001:2005 certified organization. The security policies and measures in Global Landmark are compliant with these standards. Having obtained the BS 7799:2002 certification in August 2002 (by BVQI, UK), we have successfully gone through three surveillance audits after that (Feb 2003, Nov 2003 and Sep 2004), were re-certified in June 2005 by STQC, and received ISO 27001:2005 certification in March 2007.
ISO 27001, titled "Information Security Management - Specification with Guidance for Use", is the replacement for BS7799-2. It is intended to provide the foundation for third party audit, and is 'harmonized' with other management standards, such as ISO 9001 and ISO 14001. The ISO standards provide best practice guidance on protecting the confidentiality, integrity and availability of information that we depend on.
The basic objective of the standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organization for Economic Cooperation and Development) principles, governing security of information and network systems. The information may be printed or written on paper, stored electronically, transmitted by post or email, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, ISO 27001 helps an organization ensure it is always appropriately protected.
Information security can be characterized as the preservation of:
- Confidentiality: Ensuring that access to information is appropriately authorized.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorized users have access to information when they need it.
ISO 27001 contains a number of control objectives and controls. These include:
- Security
- Organizational security
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- System development and maintenance
- Business continuity management
- Compliance
Why is Information Security required?
The purpose of information security is to ensure business continuity and minimize damage by preventing and minimizing the impact of security incidents. Information security management enables information to be shared, while ensuring the protection of information and all other assets within the scope of the Information Security Management System (ISMS). It has three basic components (Confidentiality, Integrity, and Availability) as described above.
What is the requirement for action?
An organization's information, and the systems, applications and networks that support it are important business assets. The confidentiality, integrity and availability of the assets may be essential to maintain competitive edge, cash flow, profitability, legal compliance and an organization's image. An organization may be facing increasing security threats from a wide range of sources. An organization's systems, applications and networks may be the target of a range of serious threats including computer-based fraud, espionage, sabotage, vandalism and other sources of failure or disaster. New sources of damage, such as the highly publicized threats from computer viruses and computer hackers, continue to emerge. Such threats to information security are expected to become more widespread, more ambitious and increasingly sophisticated.
Risk Assessment Process
Generally, risk assessment methods and techniques are applied to a complete ISMS or to specific information systems and facilities, but they can also be directed at individual system components or services. Assessment of risks involves the systematic consideration of the following:
- Consequence: The harm to the business likely to result from a significant breach of information security, taking into account the potential consequences of loss or failure of information confidentiality, integrity and availability.
- Probability: The realistic likelihood of such a breach occurring in the light of prevailing threats, vulnerabilities and controls.
The process involves:
- Selecting a method of risk assessment that is suitable for the ISMS and for the identified business information security, legal and regulatory requirements, and determining the criteria for accepting risks and the acceptable levels of risk.
- Identifying and assessing the risks for the ISMS(s) and the information systems encompassed by the ISMS(s).
- Identifying and evaluating options for the treatment of risk, selecting control objectives and controls to reduce the risks to acceptable levels, and, for certification purposes, producing a Statement of Applicability.
Assessment of risks depends upon the following factors:
- The nature of the business information and systems
- The business purpose for which the information is used
- The environment in which the system is used and operated
- The protection provided by the controls in place
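The risk assessment steps above (score consequence and probability, compare the resulting risk level against the acceptance criterion, select controls for the risks that are not acceptable, and record the selected controls in a Statement of Applicability) can be made concrete with a small risk register. The following Python script is an added illustration, not Global Landmark's own procedure or tooling: the three-point scales, the acceptance threshold, the sample assets, threats and control mapping are all constructed assumptions, and the control names are taken from the control areas listed earlier on this page.

```python
"""Worked example of an ISO 27001-style risk assessment.

Added illustration only; the scoring scales, acceptance threshold,
sample register and control mapping are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal scales (constructed). ISO 27001 does not prescribe a scale; the
# organization chooses one as part of selecting its risk assessment method.
CONSEQUENCE = {"low": 1, "medium": 2, "high": 3}
PROBABILITY = {"rare": 1, "possible": 2, "likely": 3}

# Risk acceptance criterion (assumption): a level of 3 or below is accepted.
ACCEPTABLE_RISK = 3


@dataclass
class Risk:
    asset: str
    threat: str
    consequence: str   # harm if confidentiality, integrity or availability is lost
    probability: str   # likelihood given current threats, vulnerabilities and controls
    controls: list[str] = field(default_factory=list)  # controls proposed for treatment

    def level(self) -> int:
        """Risk level = consequence x probability on the constructed scales."""
        return CONSEQUENCE[self.consequence] * PROBABILITY[self.probability]


def treatment(risk: Risk) -> str:
    """Treatment decision against the acceptance criterion."""
    if risk.level() <= ACCEPTABLE_RISK:
        return "accept"
    if risk.controls:
        return "reduce"
    # Unacceptable risk with no control selected yet: flag it rather than
    # silently accepting it.
    return "reduce (controls still to be selected)"


def assess(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (asset, risk level, treatment) for each register entry."""
    return [(r.asset, r.level(), treatment(r)) for r in risks]


def statement_of_applicability(risks: list[Risk]) -> dict[str, list[str]]:
    """Map each selected control to the risks that justify it (the SoA records
    which controls apply and why)."""
    soa: dict[str, list[str]] = {}
    for r in risks:
        if treatment(r) == "reduce":
            for c in r.controls:
                soa.setdefault(c, []).append(f"{r.asset}: {r.threat}")
    return soa


# Constructed sample register (not real assets or findings).
SAMPLE_RISKS = [
    Risk("customer database", "unauthorized disclosure", "high", "possible",
         ["Access control", "Communications and operations management"]),
    Risk("office printer", "paper jam", "low", "likely"),
    Risk("payroll server", "loss of availability (hardware failure)", "high", "likely",
         ["Business continuity management"]),
    Risk("laptop fleet", "theft", "medium", "likely"),
    Risk("public brochure", "unauthorized disclosure", "low", "rare"),
]

if __name__ == "__main__":
    for asset, lvl, decision in assess(SAMPLE_RISKS):
        print(f"{asset:20} level={lvl} -> {decision}")
    for control, reasons in statement_of_applicability(SAMPLE_RISKS).items():
        print(f"SoA: {control} applies because of {reasons}")
```

The probability score is where the last factor in the list above (the protection provided by the controls already in place) enters: it is assessed against the current control set, and the treatment step then adds controls only where the resulting level exceeds the acceptance criterion. The "laptop fleet" entry shows the case a reviewer should look for in a real register, an unacceptable risk that has no control selected for it yet.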
ISO 27001:2005 at Global Landmark
The security procedures are defined in the Information Security Management System (ISMS) section of the Business Management System (BMS). The procedures give insight into how security aspects are managed at Global Landmark. Further, the aspects of business resumption and disaster recovery are also covered in the ISMS.
Benefits for Clients
ISO 27001 ensures a transparent Information Management System which is free from security threats. Customer data and systems are assured of a fail-safe plan; adequate business continuity and risk mitigation plans will be put in place for all customer engagements. The ISMS procedures and processes are also subjected to periodic surveillance audits by renowned external accreditation agencies, which further increases customer confidence.