Quality News

News about ISO standards and Quality Management

Guidelines for auditors on information security controls

Information security controls

An ISO/IEC technical report (TR) providing technical controls and compliance guidelines for auditors can improve the effectiveness of an organization’s information security system.

ISO/IEC TR 27008:2011, Information technology – Security techniques – Guidelines for auditors on information security controls, aims to instill confidence in the controls underpinning an organization’s information security management system. The review applies to all parts of the organization, including business processes and its information systems environment.

“The business environment is constantly changing – along with threats to a company’s survival. Organizations need to be ahead of the game, and an excellent defence can be built around audit of the controls used to support the information security,” says Edward Humphreys, leader of the working group that developed the new document.

“ISO/IEC TR 27008:2011 supports a rigorous organizational security audit and review programme for information security controls, to enable the organization to have confidence that their controls have been appropriately implemented and operated and that their information security is ‘fit for purpose’.”

ISO/IEC 27008 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking. The document is principally aimed at information security auditors who need to check the technical compliance of an organization’s information security controls against ISO/IEC 27002 and any other control standards used by the organization. ISO/IEC TR 27008 will help them to:

- Identify and understand the extent of potential problems and shortfalls of information security controls
- Identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities
- Prioritize information security risk mitigation activities
- Confirm that previously identified or emergent weaknesses or deficiencies have been adequately addressed
- Support budgetary decisions within the investment process and other management decisions relating to improvement of the organization’s information security management.

Read more at http://www.iso.org