ISO27001

A simple tips and steps for the smooth implementation and certification of ISMS IS 27001

1. Get Management Support
The first thing that you should do is get a management support. ISO 27001 implementation need a corporate wide top down approach. Make sure that you have approval and support from higher management level

2. Define ISMS Scope
Whether integrated for all information security layers or just partial for data center, server or infrastructure is basically depends on your need and capability. Most of companies find some difficulties when implementing this standard for entire department. So be selective when defining the scope and limitation

3. Inventory Information Assets
Inventory asset is the next important thing. Make sure that all of assets recorded properly. Make sure that intellectual and shared asset is also not missed. Collecting this information assets usually facing a challenge since many of information is distributed and separated in several functions.

4. Conduct Information Security Risk Assessment

Confuse about ISO 27001/17799 implementation? below ISO 27001 mind map that help you gain understanding with the latest Information System Security Standard

Download

Information Security Policy

1. Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees.
2. Whether the policy states management commitment and sets out the organizational approach to managing information security.
3. Whether the Information Security Policy is reviewed at planned intervals, or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness.
4. Whether the Information Security policy has an owner, who has approved management responsibility for development, review and evaluation of the security policy.

Internal Organization

Many friend of mine keep asking me about what is should be implemented first to improve their information system management: whether taking Cobit, ITIL, or ISO27001. And the next question usually which one is the easiest to be implemented in their company.

To be able to answer this question, let me tell you the definition of this three major standard in information system, who has a little bit difference in basic concept.

COBIT

Cobit is stand for Control Objective over Information and Related Technology. Cobit issued by ISACA (Information System Control Standard) a non profit organization for IT Governance. The Cobit main function is to help the company, mapping their IT process to ISACA best practices standard. Cobit usually choosen by the company who performing information system audit, whether related to financial audit or general IT audit.

ITIL

ITIL is stand for Information Technology Library. ITIL issued by OGC, is a set of framework for managing IT Service Level. Although ITIL is quite similar with COBIT in many ways, but the basic difference is Cobit set the standard by seeing the process based and risk, and in the other hand ITIL set the standard from basic IT service.

ISO27001

ISO27001 is much more different between COBIT and ITIL, because ISO27001 is a security standard, so it has smaller but deeper domain compare to COBIT and ITIL.

ISO/IEC 27001 part of a growing family of ISO/IEC standards, the 'ISO/IEC 27000 series' is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements but it is commonly known as "ISO 27001".

It is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls. Organizations that implement an ISMS in accordance with the best practice advice in ISO/IEC 27002 are likely simultaneously to meet the requirements of ISO/IEC 27001 but certification is entirely optional (unless mandated by the organization's stakeholders).