
  • Meet your stakeholders' expectations for risk management and information security by conforming to the international standards ISO 27001, ISO 27002, and ISO 27005

    Certification

    This course fulfills all prerequisite training requirements for certification exams #ISMS101 and #ISMS102 for the Certified Internal Controls Architect (CICA) professional credential.

    Continuing Professional Education (CPE) Credit

    Upon course completion, we will provide you with an achievement certificate for 16 continuing professional education (CPE) credits that can be used to fulfill requirements for maintaining a variety of professional credentials for fraud examination, accounting, auditing, and information security.


    Today, "information security" is far more than "IT security". Managing and controlling access to information - whether electronic or hard copy - is now relevant throughout the entire organization. Concerns for controlling information confidentiality, integrity, and availability now extend beyond the organization's traditional boundaries. Organizations now have a duty to consider how information is regulated, how it is used and protected by vendors, and how the expectations of their customers and trading partners affect their current information management processes. In short, managing information security has become much more than keeping hackers out of an IT network. It has grown from a departmental management issue into a corporate governance issue that requires professional management and oversight according to international standards. How do you know if the organization's information security is good enough to hold up to all of these expectations? Govern your information security by the international standard for an information security management system - ISO/IEC 27001. The organization can then obtain proof of its adherence to best practices by earning a respected ISO/IEC 27001 certification. The problem is, how can your organization do this if it doesn't know how to establish, manage, test, maintain, and improve an ISO/IEC 27001 information security program?

    How we can help.

    Certified Information Security has the knowledge, experience, and alliances to train your people. Allen Keele, the firm's founder, is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Certified Information Security Manager, and Certified Fraud Examiner. He has delivered custom-developed information security training sessions to organizations throughout the world, including the United States, Caribbean, Africa, Europe, and Asia for over 10 years.

  • What the ISO 27005 Standard is...

    ISO 27005 provides guidelines for information security and operational risk management. It supports the general concepts specified in ISO 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes, and terminology described in ISO 27001 and ISO 27002 is important for a complete understanding of ISO 27005. ISO 27005 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization's information security.

    What the 27001 Standard is...

    Published in 2005, ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO 27001 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

    It is intended to be suitable for several different types of use, including the following:

    • use within organizations to formulate security requirements and objectives;
    • use within organizations as a way to ensure that security risks are cost-effectively managed;
    • use within organizations to ensure compliance with laws and regulations;
    • use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
    • definition of new information security management processes;
    • identification and clarification of existing information security management processes;
    • use by the management of organizations to determine the status of information security management activities;
    • use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
    • use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
    • implementation of business-enabling information security;
    • use by organizations to provide relevant information about information security to customers.

    What the 27002 Standard is...

    As the former ISO 17799, ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002 contains best practices of control objectives and controls in the following areas of information security management:

    • security policy;
    • organization of information security;
    • asset management;
    • human resources security;
    • physical and environmental security;
    • communications and operations management;
    • access control;
    • information systems acquisition, development and maintenance;
    • information security incident management;
    • business continuity management;
    • compliance.

    Tying the Standards together...

    Basically, ISO 27001 provides 1.) a framework for an information security management program within the organization (an information security management system, or "ISMS"); and 2.) an auditable specification whereby an organization can have its ISMS certified. ISO 27002 is actually the former ISO 17799, originally established in 2000. It provides many of the information security best practices, control objectives, and policy guidance we need to run within the aforementioned ISO 27001 information security management system. Because all information security analysis, controls, and processes are essentially a product of risk management, ISO 27005 provides the framework for how to apply proper risk management within the 27001/27002/27003 ISMS.

    Who are these standards for?

    The standards are applicable to all sectors of industry and commerce and are not confined to information held on computers. They address the security of information in whatever form it is held.

  • Exploring the use of ISO/IEC standards 27001, 27002, and 27003, this course provides critical information for understanding the business drivers for information security, as well as the core concepts for planning and implementing information security according to the internationally accepted best practices.

    Covered topics include:

    • Developing an Information Security Management System program
    • Project managing a successful ISO 27001 internal controls implementation
    • Core ISO 27001, 27002, and 27003 best practices relating to:
      • Information security policy and scope
      • Risk assessment and Statement of Applicability
      • External party controls
      • Asset management
      • Human Resources security
      • Physical and environmental security
      • Equipment security
      • Communications and operations management
      • Malicious software controls
      • Network security management and media handling
      • Business continuity management
      • Compliance
      • Exchange of information
      • Electronic commerce, e-mail and internet security
      • General, network, operating system, and application access control
      • Systems acquisition, development and maintenance
      • Cryptographic controls
      • Development and support process security
      • Monitoring of information security and incident management
      • Preparing for an ISO 27001 audit

    You and your team will perform 12 in-class gap assessments, resulting in your own custom executive summary gap assessment for your enterprise-wide information security program. It clearly indicates what is most critical to initiate or improve in your program, and how best to move forward in doing so throughout all departments of the organization.

  • Decisions regarding critical business processes, organizational resources including people, facilities, products, services, and information technology are not made by a single person, or even a group of three.

    Accordingly, the following key operations and risk management personnel are recommended to attend, since each is required to participate in the Business Continuity Management System:

    • Information security managers
    • Business continuity managers
    • Operational risk managers
    • Operations managers / department heads
    • Business Continuity / Disaster Recovery Steering Committee Members
    • Business Continuity/Disaster Recovery Team Leaders
    • Human Resource Managers
    • Quality Managers
    • IT Managers
    • Facility Managers
    • Public Relations / Corporate Communications Managers
    • Information Security Professionals
    • Emergency, Health, and Safety Managers
    • Consultants
    • Internal and external auditors responsible for auditing information security practices
    • Other professionals interested or involved with introducing information security internal controls into an organization

    This is a business seminar focusing on how to manage information security risk throughout the organization.

    It is not a technical "how-to" course. This course will explore various business processes, environments, and risk strategy approaches to help you better understand how to best protect your organization's ability to control information confidentiality, integrity, and availability.

    Attendance of Using ISO 27005 to Develop and Deploy Enterprise Risk Management is recommended as prerequisite training prior to attending this course. Prior business experience is also highly recommended.

  • Allen Keele, CEO of Certified Information Security

    My guarantee to you.

    Preparing for Certified Information Security's professional certification exams #ISMS101 and #ISMS102 is serious business.

    This is where I can help you. If you first successfully complete:

    • All prerequisite course training; and
    • All ISMS101 and ISMS102 online practice exams

    Certified Information Security guarantees your success in passing CIS certification exams #ISMS101 and #ISMS102.

    If you do not pass exams #ISMS101 and #ISMS102 on your first attempt after completion of your required course and practice exams, Certified Information Security will allow you to re-test at no additional charge until you successfully pass your certification exams.
