BS ISO/IEC 17799:2005 and ISO 27001:2005: Any advice on value and implementation?


morgand - 2006

#1
We recently got wind that one of our customers is considering requiring at least compliance with BS ISO/IEC 17799:2005 and ISO 27001:2005. We do have some influence on this decision by the customer.

We know what these documents are supposed to do/guide from websites, forums, abstracts and have ordered a copy, but we haven't read them yet.
Is anyone else looking at these documents?
Do you think that they are worthwhile?
How far are you into implementation?
What do you estimate your implementation timeline to be?
Is there anything that we should be aware of or consider in addition to the previously stated?

Thanks, Ann

donaghadee - 2008

#2
Morgand,
I have not found much on this site about this subject.

Do you think that they are worthwhile? - Depends what you mean. Yes, any Information Security must be worthwhile. This is something that contractors, especially government, financial etc. contractors, will be looking for when they are awarding contracts.
How far are you into implementation? We are just starting to put consultation out to tender. In fact we have not even considered who will lead it: Quality & Compliance Dept, IT, etc.
What do you estimate your implementation timeline to be? The estimates we have are for around 7 months if we buy off-the-shelf policies, procedures etc., 12-14 months for a consultancy-led project or 12-18 months for DIY.

Will give you any other info as we get into the project.
 

pldey42

#3
Before I left Excel in the USA to return home to London I wrote the first version of their ISO 27001 Lead Auditor course. Here are a few things you might want to keep in mind as an ISO 9001-registered company considering ISO 27001:

1. It's an excellent framework for systematically evaluating and managing risks to information security. It can share infrastructure like doc control and corrective action with the QMS.

2. If customers care, it's a good way of demonstrating their information is secure in your hands. If they don't care, the costs of registration can be hard to justify unless the management team are foresighted.

3. Information security is more than IT, although that is a big part of it. For example, some of the major breaches recently have been people leaving laptops in cars and having them stolen: IT alone can't manage this kind of situation, HR and line management are involved as well.

4. Define the scope in terms of the information assets (files, papers, disks) you need to protect, and from what they need protecting. If the scope is too broad you can find yourself protecting orders for paper clips because the order is regarded as "information"! For example, define the scope to protect your designs and other patented information, customers' credit card data or healthcare information, etc.

5. ISO 27001 defines many "controls" and they are all optional, though some are more optional than others. You decide which ones you'll use according to your risk assessment. The risk assessment is a mandatory requirement -- but how to do it is quite broadly defined. Auditors will have to be very, very careful in how they audit the risk assessment in order to avoid mandating their own subjective opinions of the risks you face. After auditing the risk assessment, they audit the controls you define in your "statement of applicability". I believe that good auditors, if they disagree with your risk assessment, will include objective evidence for the risks they believe you have mis-assessed in their findings; arm waving and "in my experience" won't count.

6. Auditors must have some sound IT experience to audit successfully. Even though managing risks to information assets is more than an IT problem, much of the system is concerned with IT and you certainly cannot, in this modern world, audit an Information Security Management System (ISMS) without visiting IT and understanding what they show you when, for example, you ask about firewalls. They also need to understand the confidentiality aspects of information security and what that means for the questions they ask, their handling of objective evidence and their reporting. For example, we don't ask for the ISMS manual to be e-mailed to us for a desk check because that might be a security risk: we go visit, physically, and take nothing off the premises with us.

7. The ISMS can extend to subcontractors. To see how, map the processes that they use to handle your information assets. For example, what happens to backups? -- "Oh, they're held in a secure vault off site." Sounds good. But how do they get there? "Courier service." Sounds good -- but do they manage the courier? A short while ago a bank lost millions of credit card details when the courier lost the tape on the way to the secure vault. (As in regular quality management, we can't blame our vendors for information security breaches.)

8. Some companies appoint a "Director of Information Security" reporting independently from quality and IT. The benefits of this approach are to protect the ISMS budget, to assure that internal information security audits are independent, and to limit knowledge of certain information security measures to a small number of people on a "need to know" basis.

Hope this helps,
Patrick
 

Randy

Super Moderator
#4
Why don't you ask the Veterans Administration and a bunch of banking organizations who've lost data about the importance of Information Security?
 

pldey42

#5
That's a good question, Randy. I tried to do something like this earlier this year and drew a blank. One banking professional said, "We did all that years ago." He saw the odd loss of a million credit card records as some kind of minor glitch in the system -- which of course it isn't.

I searched the Homeland Security and other US government procurement websites for requirements on vendors on information security and found no mention of ISO 27001.

I think, as is often the way, they want it but do not see the need to proactively manage it. In information security management we're in the equivalent of the dark old days of vendor management: if a supplier screws up, place the business with the next cheapest vendor and add hefty penalty clauses :-(

If anyone knows how to persuade customers like the government and banks to mandate ISO 27001 through the information chain, that would be a shot in the arm for systematic proactive information security management, methinks. Currently, it's happening in Japan because of government regs, and in India because they want to attract outsourced business and infosec is important. I'm not aware of other major markets for it.

Just my 2c, if anyone can add to this please do,
Patrick
 