ISO 27002 information security

Because there is no one-size-fits-all information security solution, those responsible for managing information security risks have to select and apply the relevant information security controls based on their own risk assessment and control objectives.

Information security in this context can be defined using the CIA triad: protecting the confidentiality, integrity, and availability of information. Understanding these three aspects enables the formulation and implementation of effective information security controls. Broadly speaking, ISO 27002 gives guidance on the implementation of ISO. You cannot certify against ISO 27002 because it is not a management standard.

Confidentiality — Confidentiality means that measures are taken to protect information from unauthorized access. One way to achieve this is by enforcing different access levels for information, based on who needs access and how sensitive the information is. Some means of managing confidentiality include file and volume encryption, access control lists, and file permissions.

Integrity — Data integrity is the part of the triad aimed at protecting data from unauthorized modification or deletion. It also involves ensuring that any unauthorized modifications or deletions that do occur can be detected and undone.

Availability — Availability means ensuring that data is accessible to those who need it, when they need it. Information security risks to availability include sabotage, hardware corruption, network failure, and power outages. These three components of information security work hand in hand; you cannot concentrate on one of them at the expense of the others.

The ISO 27k series is a collection of standards and best practices that were donated to the UK government initiative by Shell in the early s.

Various amendments have been made to the standard over time, correcting certain terms to make them less ambiguous and more understandable. It involved three changes, which saw the inclusion of information as an asset. Corrigendum 2 involved the change of one reference section from see. Organisations wishing to explore information security management systems may have come across both the ISO and standards.

It provides a framework to assist organisations with the establishment, implementation, operation, monitoring, review, maintenance, and continuous improvement of their information security management systems.

Annex A contains a list of the security categories, domains, control objectives, and the relevant security controls applicable. There are standards in various countries that are equivalent to ISO. Below are some of the national equivalent standards for ISO in various countries:

By implementing the information security controls found in ISO, organisations can rest assured that their information assets are protected by internationally recognized and approved standards.

Organisations of all sizes and levels of security maturity can reap the following benefits from adherence to the ISO code of practice:

There is no limit to the organisations that can successfully implement and benefit from the ISO standard for information security management. Both small and large enterprises that depend on, deal in, or handle information of any kind should implement the relevant information security controls to protect their information assets.

Whatever the organisation type, whether non-profit, government department, charity, or multinational corporation, there are information security controls which must be put in place to address the information risks identified during the risk assessment process.

While the details of the specific information risks and control requirements may differ from one organisation to the next, there are some common standards that apply to all enterprises. Organisations should identify their physical and information assets and determine the appropriate level of protection necessary for each.

Access to information and information processing facilities should be limited to prevent unauthorized user access. Users should be responsible for safeguarding their authentication information, such as passwords. Controls should be introduced to prevent unauthorized physical access, damage, and interference to information processing facilities. Information and information processing facilities should be protected from malware, data loss, and the exploitation of technical vulnerabilities.

Information should be protected in networks and as it is transferred, both within the organization and externally. Test data should also be protected.

Management should define a set of policies to clarify their direction of, and support for, information security. The organization should lay out the roles and responsibilities for information security, and allocate them to individuals.

Where relevant, duties should be segregated across roles and individuals to avoid conflicts of interest and prevent inappropriate activities.

There should be contacts with relevant external authorities such as CERTs and special interest groups on information security matters. Information security should be an integral part of the management of all types of project. Information security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff e. Managers should ensure that employees and contractors are made aware of and motivated to comply with their information security obligations.

A formal disciplinary process is necessary to handle information security incidents allegedly caused by workers. All information assets should be inventoried and owners should be identified to be held accountable for their security. Information should be classified and labelled by its owners according to the security protection needed, and handled appropriately. Information storage media should be managed, controlled, moved and disposed of in such a way that the information content is not compromised.

Network access and connections should be restricted. Users should be made aware of their responsibilities towards maintaining effective access controls e. Information access should be restricted in accordance with the access control policy e.

There should be a policy on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management. Specialist advice should be sought regarding protection against fires, floods, earthquakes, bombs etc. Equipment and information should not be taken off-site unless authorized, and must be adequately protected both on and off-site.

Information must be destroyed prior to storage media being disposed of or re-used. Unattended equipment must be secured and there should be a clear desk and clear screen policy. IT operating responsibilities and procedures should be documented. Changes to IT facilities and systems should be controlled.

Capacity and performance should be managed. Development, test and operational systems should be separated.

Appropriate backups should be taken and retained in accordance with a backup policy. Clocks should be synchronized. Technical vulnerabilities should be patched, and there should be rules in place governing software installation by users. IT audits should be planned and controlled to minimize adverse effects on production systems, or inappropriate data access.

Networks and network services should be secured, for example by segregation. There should be policies, procedures and agreements e. Security control requirements should be analyzed and specified, including web applications and transactions.

Changes to systems (both applications and operating systems) should be controlled. Software packages should ideally not be modified, and secure system engineering principles should be followed. The development environment should be secured, and outsourced development should be controlled. System security should be tested, and acceptance criteria should be defined to include security aspects. Note: there is a typo in See the status update below, or technical corrigendum 2, for the official correction.

There should be policies, procedures, awareness etc.


