<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Quality News &#187; security</title>
	<atom:link href="http://quality-news.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://quality-news.com</link>
	<description>News about ISO standards and Quality Management</description>
	<lastBuildDate>Mon, 01 Feb 2010 15:36:59 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Why ISO 27001 is not enough</title>
		<link>http://quality-news.com/394/why-iso-27001-is-not-enough/</link>
		<comments>http://quality-news.com/394/why-iso-27001-is-not-enough/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 13:28:55 +0000</pubDate>
		<dc:creator>QualityGuru</dc:creator>
				<category><![CDATA[ISO 27000]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[iso 27001]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://quality-news.com/?p=394</guid>
		<description><![CDATA[Since its publication in October 2005, ISO 27001 has been implemented in many organisations as the best practice for information security management, with over three hundred UK organisations independently certified against the standard.
So if these organisations, which range from small and medium to large enterprises, have implemented ISO 27001, why are we still hearing about [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_158" class="wp-caption alignleft" style="width: 144px"><img class="size-full wp-image-158" title="Information security" src="http://quality-news.com/wp-content/uploads/2009/06/security300x350.jpg" alt="Information security" width="134" height="156" /><p class="wp-caption-text">Information security</p></div>
<p>Since its publication in October 2005, ISO 27001 has been implemented in many organisations as the best practice for information security management, with over three hundred UK organisations independently certified against the standard.</p>
<p>So if these organisations, which range from small and medium to large enterprises, have implemented ISO 27001, why are we still hearing about lapses in information security? Neil O&#8217;Connor, principal consultant, Activity, asks what lessons there are to be learnt from every organisation, whatever its size, using ISO 27001 as a benchmark.</p>
<p>Introduction</p>
<p>Information security, and in particular the handling of personal information, has regularly been in the headlines over the last few months. There have been notable incidents at HM Revenue and Customs, the Ministry of Defence, Nationwide Building Society and Marks and Spencer among others.</p>
<p>These are all large organisations implementing information security management systems at least compliant with, if not certified against, the international standard for information security management, ISO 27001.</p>
<p>ISO27001<br />
A key issue is that ISO 27001 is a management standard, not a security standard. It provides a framework for the management of security within an organisation, but does not provide a &#8216;Gold Standard&#8217; for security, which, if implemented, will ensure the security of an organisation.</p>
<p>ISO 27001 takes a risk assessment based approach. An information security risk assessment is used to identify the security requirements of the organisation, and to then identify the security controls needed to bring that risk within an acceptable level for the organisation.</p>
<p>Once the security controls have been identified, ISO 27001 defines processes to ensure that a) these controls are implemented and are effective; and b) that the controls continue to meet the organisation&#8217;s security needs.</p>
<p>read full text <a href="http://www.bcs.org/server.php?show=ConWebDoc.26594">on bcs.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://quality-news.com/394/why-iso-27001-is-not-enough/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO standard to ensure structures are not &#8220;gone with the wind&#8221;</title>
		<link>http://quality-news.com/302/iso-standard-to-ensure-structures-are-not-gone-with-the-wind/</link>
		<comments>http://quality-news.com/302/iso-standard-to-ensure-structures-are-not-gone-with-the-wind/#comments</comments>
		<pubDate>Fri, 19 Jun 2009 07:11:47 +0000</pubDate>
		<dc:creator>QualityGuru</dc:creator>
				<category><![CDATA[ISO Standards]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[structures]]></category>

		<guid isPermaLink="false">http://quality-news.com/?p=302</guid>
		<description><![CDATA[
ISO.ORG gives us
ISO 4354, Wind actions on structures was prepared by the ISO technical committee ISO/TC 98, Bases for design of structures, subcommittee SC 3, Loads, forces and other actions. 
A new International Standard, ISO 4354, Wind actions on structures, will help ensure the reliability of structures in areas exposed to strong winds and cyclones.
The [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-303" title="wind-farm" src="http://quality-news.com/wp-content/uploads/2009/06/wind-farm.jpg" alt="wind-farm" width="400" height="300" /><br />
ISO.ORG gives us<br />
<code>ISO 4354, Wind actions on structures was prepared by the ISO technical committee ISO/TC 98, Bases for design of structures, subcommittee SC 3, Loads, forces and other actions. </code><br />
A new International Standard, ISO 4354, Wind actions on structures, will help ensure the reliability of structures in areas exposed to strong winds and cyclones.<br />
The standard describes the actions of wind on structures, and specifies methods for calculating characteristic values of wind loads.<br />
“Perhaps one of the biggest advantages of ISO 4354 is that it allows you to bridge the gaps of all wind loading codes around the world,” says Prof. William Melbourne, Convenor of the working group that developed the standard.<br />
“The standard provides methodology for calculating wind loads on structures, some of which have never been available in this form before. It cancels and replaces the first edition of the standard, originally published in 1997, with a full technical revision” concludes Prof. Melbourne. The standard covers design methodologies for three main storm types: synoptic winds (large scale winds), thunderstorms and tropical cyclones (hurricanes, typhoons).<br />
It provides the basic methods for determining wind loading analytically for simple structures and guidance for the design of more complex structures.  ISO 4354 will be useful for structural engineers involved in the design of buildings, towers, chimneys, bridges and other structures, and their components and appendages. The standard will be of particular interest for countries without an adequate wind loading standard.</p>
<p>read full text on <a href="http://www.iso.org/iso/pressrelease.htm?refid=Ref1232">iso.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://quality-news.com/302/iso-standard-to-ensure-structures-are-not-gone-with-the-wind/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Overview of information security management systems</title>
		<link>http://quality-news.com/157/overview-of-information-security-management-systems/</link>
		<comments>http://quality-news.com/157/overview-of-information-security-management-systems/#comments</comments>
		<pubDate>Sun, 07 Jun 2009 19:35:54 +0000</pubDate>
		<dc:creator>QualityGuru</dc:creator>
				<category><![CDATA[ISO 27000]]></category>
		<category><![CDATA[17799]]></category>
		<category><![CDATA[ISO STANDARD]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://quality-news.com/?p=157</guid>
		<description><![CDATA[With more and more organizations implementing information security management systems (ISMS) as part of their risk management strategy, the publication of a new ISO/IEC standard giving an overview of ISMS is particularly timely.
ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary, will assist organizations of all types [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_158" class="wp-caption aligncenter" style="width: 310px"><img class="size-full wp-image-158" title="Information security" src="http://quality-news.com/wp-content/uploads/2009/06/security300x350.jpg" alt="Information security" width="300" height="350" /><p class="wp-caption-text">Information security</p></div>
<p>With more and more organizations implementing information security management systems (ISMS) as part of their risk management strategy, the publication of a new ISO/IEC standard giving an overview of ISMS is particularly timely.</p>
<p>ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary, will assist organizations of all types to understand the fundamentals, principles and concepts to improve protection of their information assets.<br />
Applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, non-profit organizations), ISO/IEC 27000:2009 supplements the ISO/IEC 27000 family of standards by providing an introduction to information security management and defining related terms.</p>
<p>Today, an organization&#8217;s information assets are dependent upon information and communications technology. The technology assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information.</p>
<p>As the extent of the interconnected global business environment expands, so does the requirement to protect information as it is exposed to a wider variety of threats and vulnerabilities.<br />
Edward Humphreys, convenor of the working group, which developed the standard, comments: &#8220;Standardized security techniques are becoming mandatory requirements for e-commerce, health-care, telecoms, automotive and many other application areas in both the commercial and government sectors. ISO/IEC 27000:2009, together with the other ISO/IEC 27000 family of standards, aims to assist organizations more effectively achieve an appropriate level of information security.&#8221;</p>
<p>read full story <a href="http://www.iso.org/iso/pressrelease.htm?refid=Ref1223">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://quality-news.com/157/overview-of-information-security-management-systems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
