Information security controls

An ISO/IEC technical report (TR) providing technical controls and compliance guidelines for auditors can improve the effectiveness of an organization’s information security system.

ISO/IEC TR 27008:2011, Information technology – Security techniques – Guidelines for auditors on information security controls, aims to instill confidence in the controls underpinning an organization’s information security management system. The review applies to all parts of the organization, including business processes and its information systems environment.

“The business environment is constantly changing – along with threats to a company’s survival. Organizations

need to be ahead of the game, and an excellent defence can be built around audit of the controls used to support the information security,” says Edward Humphreys, leader of the working group that developed the new document.



“ISO/IEC TR 27008:2011 supports a rigorous organizational security audit and review programme for information security controls, to enable the organization to have confidence that their controls have been appropriately implemented and operated and that their information security is ‘fit for purpose’.”

ISO/IEC 27008 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking. The document is principally aimed at information security auditors who need to check the technical compliance of an organization’s information security controls against ISO/IEC 27002 and any other control standards used by the organization. ISO/IEC TR 27008 will help them to:

- Identify and understand the extent of potential problems and shortfalls of information security controls
- Identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities
– Prioritize information security risk mitigation activities
– Confirm that previously identified or emergent weaknesses or deficiencies have been adequately addressed
– Support budgetary decisions within the investment process and other management decisions relating to improvement of organization’s information security management.

Read more text http://www.iso.org

Security techniques

From hackers trying to break into networks, to insiders using their knowledge and internal access rights to use company data for their personal gain, the impact from a wide variety of information security threats can be reduced using an information security incident management approach contained in the new International Standard ISO/IEC 27035:2011.

Information security breaches can compromise your business systems, and cause disruption to business operations. Being prepared and responding in a timely and effective way can mean the difference between minor incident and a business disaster. Using an information

security incident management system enables organizations to have the controls and procedures in place to manage a wide variety of security incidents and vulnerabilities.

ISO/IEC 27035:2011, Information technology – Security techniques – Information security incident management, gives “how to” guidance on detecting, reporting and assessing information security incidents and vulnerabilities.

It will help organizations respond to information security incidents, including the activation of appropriate controls for the prevention and reduction of, and recovery from, impacts, and, in so doing, learn and improve their overall approach.

Integrating an information security incident management system offers several benefits:

Read more text http://www.iso.org

Every product or service has an impact on the environment during all stages of its lifecycle, from extraction of resources to end-of-life treatment. The goal of ecodesign is to integrate environmental aspects into the design and development of products and services so as to reduce their environmental impacts and continually improve their environmental performance throughout their lifecycle. The result: cleaner products and services and a greener planet.

The newly published ISO 14006:2011, Environmental management systems – Guidelines for incorporating



ecodesign, gives “how to” guidance to product and service organizations on incorporating ecodesign into any environmental, quality or similar management system.

It will help organizations establish, document, implement, maintain and continually improve their management of ecodesign as part of an environmental management system (EMS). It applies to those environmental aspects of an organization’s products and/or services over which it has control or influence.

Integrating ecodesign offers several advantages:

• Economic benefits, e.g. through increased competitiveness, cost reduction and attraction of financing and investments
• Promotion of innovation and creativity, and identification of new business models
• Reduction in liability through reduced environmental impacts and improved product knowledge
• Improved public image
• Enhancement of employee motivation.

Martin Charter, Convenor of the working group responsible for ISO 14006, comments: “The new standard has been developed to help organizations implement ecodesign in a flexible and practical manner. The goal is for organizations to use these principles in order to design and develop more advanced, profitable and sustainable goods and services.”

ISO 14006:2011 is applicable to any organization, irrespective of their size, geographical location, culture, or complexity of their management systems, and no matter how simple or complex the product or service.

The new standard is intended to be used primarily by organizations that have implemented an EMS according to ISO 14001, whether or not they have a quality management system according (QMS) to ISO 9001. It can also be useful for other organizations without a formalized EMS or QMS but which are interested in reducing the adverse environmental impacts of their products.

Read more text http://www.iso.org

Car park ticket machines, computer keyboards, equipment for use in a cold store – these are just three varied examples of the millions of products that should be safe for people to use, accessible and should not pose unreasonable difficulties to operate. To achieve this, they must incorporate ergonomics principles into their design. A new ISO standard on ergonomics will therefore help optimize human well-being and overall system performance. “A substantial number of ergonomics standards have been developed to cover specific issues and different application domains, but ISO 26800:2011, Ergonomics – General approach, principles and concepts, will serve as an umbrella reference for all such standards and provide an integrated framework bringing together the basic

principles and concepts of ergonomics in one document, and thus providing a high-level view of the way in which ergonomics is applied“, commented Georg Krämer, Chair of ISO Technical Committee that developed the standard. “It is the first time where the “general ergonomics approach” and “principles and helpful “concepts” for the understanding and application of ergonomics principles, are presented in a comprehensive way in one standard”, he added.

Whatever the context (work, leisure or home), the underlying principles of ergonomics remain the same. These principles are fundamental to the design process wherever human involvement is expected, in order to ensure the optimal integration of human requirements and characteristics into a design.

ISO 26800 describes these fundamental principles in order to improve safety, performance and usability (effectiveness, efficiency and satisfaction), while safeguarding and enhancing human health and well-being, and improving accessibility, e.g. for elderly persons and persons with disabilities.

Ergonomics addresses the interactions between the humans and other components of a system, such as other humans, machines, products, services, environments and tools, as appropriate, in order to optimise human well-being as well as the overall system performance. In ergonomics, a human-centred approach to design is fundamental, taking into account the specific nature of the task and its implications for the human.

Read more text http://www.iso.org

presented the award to Mr. François Falconnet, Chair of ISO/TC 34, and Secretary, Mme Sandrine Espeillac, and Twinned Secretary (see below) Ms. Carolina Figueiredo. Dr. Aleshin commented on the importance of one aspect of TC 34’s work – food safety, which is addressed by its ISO 22000 series of standards for food safety management.

“Every year,”he said, “unsafe food is responsible for deaths and illness around the world and so ensuring safe food supply chains is a priority. I am glad to say that since publication of ISO 22000 in 2005, use of the standard has increased rapidly both in numbers and across countries.



“However, the ISO 22000 series is one out of some 775 standards developed by this prolific committee whose work covers standardization in the field of human and animal foodstuffs, covering the food chain from primary production to consumption. These standards cover terminology, sampling, methods of test and analysis, product specifications, food and feed safety and quality management and requirements for packaging, storage and transportation.”

Read more text http://www.iso.org

The WTO’s focus is on maintaining an open, equitable and non-discriminatory multilateral trading system which generates opportunities for market access.



However, he added: “If, at the technical level, countries speak a different language, then those opportunities disappear. And if regulatory agencies don’t trust the quality or safety of each others products, they may not allow trade to take place. International standardizing bodies, such as ISO, have an important role in building bridges.

“In fact, it is the very reason that two key WTO Agreements (the Agreement on Technical Barriers to Trade and the Agreement on Sanitary and Phytosanitary Measures), explicitly urge regulators to base their measures on relevant international standards to avoid unnecessary barriers to trade. These Agreements go as far as to say that measures that are based on relevant international standards are assumed to be in compliance with WTO rules.

“But this vote of confidence by the WTO confers upon international standardizing bodies significant responsibility. How you set your standards is crucial. Indeed, WTO Members have agreed that for greatest effectiveness, international standards should be developed through open and impartial, transparent and consensus-based process. These are the very same principles that underpin the WTO.

“Let me underline two points I believe are important, one on process, and the other on substance.

“On process, delegations at the WTO repeatedly emphasize the importance of transparency and accountability in development of international standards, calling for broad stakeholder engagement. In this context, I reiterate the importance of enhancing effective developing country participation in the work of international standardizing bodies. International standards must reflect developing country needs. When they do, they stand a greater chance of actually being used.

Read more text http://www.iso.org

The brochure explains that what makes ISO so effective is that it provides a non-political, non-partisan platform where standards are developed through open, transparent processes by representatives of the people that need them, implement them, are affected by them – and who can review and continually improve the results of their implementation.

Agreements reached at events like the Earth Summit and the forthcoming Rio+20 at the intergovernmental level, between public and private sectors, and with civil society still need to be translated into practical actions that can be implemented worldwide.

The brochure states: “ISO is where expert representatives from these stakeholder categories work together to develop globally relevant standards that provide concrete responses for tackling the challenges facing the international community.

“ISO is where people from around the world who want to make a positive difference put on the same team colours and strive to forge tools for transforming global agreement and willpower into global action.”

The brochure provides a concise description of ISO and how it works, and concrete examples of achievements by the international community, who will be represented at Rio+20, working within the ISO system. The examples illustrate how ISO standards serve as tools in the three dimensions of sustainable development. Examples include the following:

Read more text http://www.iso.org

Six Sigma(1) a data-driven method for improving business and quality performance, has been published as a two-part ISO standard.

Six Sigma was originally developed by Motorola in 1986 to ameliorate manufacturing processes with the goal of 99.99966% (2) of products free of defects (i.e., 3.4 errors per million).

Today, the methodology is applied in many sectors of activity by organizations large and small for all types of process and services to:

• Drive process improvement and make statistically based decisions
• Measure business results with a level of reliance
• Prepare for uncertainty
• Combine high returns and benefits in the short, medium and long-term
• Remove waste, defects and errors.

“Six Sigma can be used to effectively address serious chronic business issues,” says Dr. Michèle Boulanger, President of JISC-Statistics and co-chair of the subcommittee that developed the standard, “Organizations can deploy Six Sigma projects to increase customer satisfaction and become more competitive.”



“Although Six Sigma has existed for some time, bringing its best practice together under an ISO standard helps solidify and consolidate the methodology. The ISO brand is respected and recognized worldwide, and thus provides an added layer of confidence. Moreover, publication of Six Sigma methodology in an ISO standard will boost international uptake of the methodology in a coherent form, reduce fragmentation, and provide users with harmonized best practice,” concluded Dr. Boulanger.

Six Sigma projects follow a defined sequence of steps with quantified goals and financial targets (cost reduction and/or profit increase), and rely on statistical tools to deal with uncertainty. Implementation involves the establishment of an infrastructure with specific roles and responsibilities (e.g. black or green belts). The new standard, ISO 13053:2011, Quantitative methods in process improvement – Six Sigma, deals exclusively with the application of Six Sigma to ameliorate existing processes and is published in the following two parts:

• Part 1: DMAIC methodology, describes the five-phased methodology DMAIC (Define, Measure, Analyse, Improve and Control), and recommends best practice, including on the roles, expertise and training of personnel involved in such projects.
• Part 2: Tools and techniques, describes tools and techniques, illustrated by factsheets, to be used at each phase of the DMAIC approach.

Both documents can be applied to all sectors and organizations.

Read more text www.iso.org

GRI was one of the 42 public or private sector organizations that participated with the representatives of 99 ISO member countries in the development of ISO 26000, the International Standard giving guidance on social responsibility, which was published on 1 November 2010.

Following the launch of the standard, GRI published a linkage document on how to get the best out of ISO 26000 in conjunction with its Sustainability Reporting Guidelines – GRI and ISO 26000: How to use the GRI Guidelines in conjunction with ISO 26000.

The MoU was signed in Geneva, Switzerland, where ISO’s Central Secretariat is located, on 5 September 2011 by ISO Secretary-General, Rob Steele, and GRI Chief Executive, Ernst Ligteringen.

The MoU is intended to leverage the activities of the two organizations related to reporting and benchmarking by business and on sustainable development by sharing information on ISO standards and GRI programmes, teaming up with other partners, participating in the development of new or revised documents, joint promotion and communication.



ISO and GRI are also to support and promote each other’s involvement in initiatives related to sustainable development, such as the Rio+20 conference in Brazil in 2012, and other programmes by organizations such as the United Nations Global Compact, the Organization for Economic Cooperation and Development, and the United Nations Environment Programme.

Read more text http://www.iso.org

interoperability.

W3C’s Open Web platform is poised to be the interoperable platform of choice for an expanding Web of services, devices, and people. As these technologies become stable standards, the recognition by national   dies of W3C’s community, process, and royalty-free patent policy will only grow in significance.” The package of W3C Web Services technologies was first submitted to ISO/IEC JTC 1 Publicly Available Specifications (PAS) in January

2011.

The package included eight specifications, including SOAP 1.2, MTOM, Addressing 1.0 and Policy 1.5, which are foundation specifications for message-based service technology that has been adopted by industry worldwide. W3C has been an approved JTC 1 PAS Submitter since November 2010, and is one of eight organizations that are currently approved. Under the Publicly Available Specification procedures, organizations accredited as valid PAS Submitters can send their specifications directly to JTC 1 for national body voting to become recognized International Standards.
Read more text http://www.iso.org