Some 4 500 organizations implement ISO/IEC 27001 for information security


The author reports on global progress in the implementation of the international information security management system standard ISO/IEC 27001:2005, with testimonials from early adopters among the 4 500 organizations now certified to the standard.

by Edward Humphreys

The author, Professor Edward Humphreys, is Convenor of ISO/IEC JTC 1/SC 27, Information technology, WG 1. E-mail edwardj7@msn.com

ISO Management Systems, July-August 2008

Most of us depend more than ever on IT systems, wireless and mobile telephone networks and increasing connectivity in today's business environment. But organizations are challenged with threats to these systems, exposing assets to risk. However, implementing and managing effective information security provides organizations with the means to minimise these risks while maximising business opportunities and investments.

In addition to IT dependency, we also face greater government, legislative and regulatory requirements which often have information security consequences that add to our business challenges. International Standard ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, was developed as a common business language to help information security management address the needs of small, medium or large organizations from all business sectors.

The business case for ISO/IEC 27001

Thousands of organizations around the world have already benefited from applying ISO/IEC 27001-based information security management systems (ISMS), especially the 4 500 to date that have become certified. The business drivers and benefits include:

- improved business performance from reduced operational risks;
- enhanced customer confidence and trust from demonstrating fitness for purpose, by doing business securely;
- decrease in negative business impacts and financial losses;
- improved market positioning and competitive advantage;
- greater protection of business continuity and availability of services.

Limitless range

The range of ISO/IEC 27001 implementers seems limitless, and includes such diverse organizations as tin mines, waxed carton producers, oil and gas suppliers, schools and universities, logistics companies, small businesses, low- to high-tech businesses, healthcare services, on-line banking, multinationals, governments, and international institutions such as the World Bank and the UN. Such diversification affects businesses and their customers, consumers and the general public. The following case studies reflect the widespread applicability of the standard.

IWF and ISO/IEC 27001

The first features the Internet Watch Foundation (IWF), a self-regulatory body and charity operating the United Kingdom's Internet hotline for the public and IT professionals to report their inadvertent exposure to potentially illegal online content, primarily images of child sexual abuse. The IWF works to remove that content from the Internet and facilitates the initiative allowing UK Internet service providers to protect their customers from inadvertently accessing sexually abusive images of children.

Fred Langford, IWF Director of Technology and Content, describes the organization's experiences with information security management and ISO/IEC 27001:

[Photo: Fred Langford, Director of Technology and Content, IWF. Web www.iwf.org.uk]

The IWF receives significant attention both in the UK and overseas and is often subject to public, media and international scrutiny. As such there is a requirement to demonstrate to stakeholders, including the government, law enforcement, charities, the online sector and others, that all possible steps are taken to ensure information security. Recent media attention on data breaches within the public and private sectors serves to underline the importance of this commitment to the highest possible standard in this area.

We initially investigated ISO/IEC 27001 certification in 2005 following advice from security advisors, 7Safe. Previously the IWF had internal controls, which were externally audited; however, these were not part of a company-wide system that managed the security of sensitive information and risk. Certification provided the IWF with a valuable framework that is now used to resolve security issues, ensuring that they remain visible and part of a review process. The adoption of an ongoing, robust process such as this also serves to enhance the security awareness of all employees and their role within the report and review cycle.

Once certification was achieved, internal and external stakeholder confidence in, and perception of, the IWF increased and associated organizations have begun to show an interest in gaining similar accreditation. As the IWF is responsible for extremely sensitive data that must not be released into the public domain under any circumstances, ISO/IEC 27001 certification further increased client and associate confidence that risk is managed within exemplary internal security implementation. The process required to gain certification has helped us formalize good practice standards internally, following ISO/IEC 27001 principles.

An additional factor in the IWF pursuing certification was its worldwide relevance; especially considering the global nature of the Internet, the area of criminality with which the IWF deals, and the international arena in which it provides intelligence, evidence and expertise. Security was always paramount to the IWF; the high standards of the organization's processes, network and information security are now increased, formal and evident.

PCCW and ISO/IEC 27001

The second case study features PCCW Limited, the largest communications provider in Hong Kong, and one of Asia's leading technology players in new generation fixed-line telephony, broadband, IT, wireless and delivery of home entertainment, enabling organizations to bring their business to Asia and take Asian business to the rest of the world. Dale Johnstone, the company's Chief Security Officer, outlines PCCW's involvement in information security management and ISO/IEC 27001:

[Photo: Dale Johnstone, Chief Security Officer, PCCW Limited. Web www.pccw.com]

PCCW applied international information security management standards prior to 2000 and has always considered the security of stored and communicated information assets a high priority, of crucial importance to PCCW in protecting its own, customer, and business partner information assets in accordance with the interests of all stakeholders. In March 2002, PCCW became the first telecom operator in the greater China region to attain ISO/IEC 27001 certification, currently maintains four separate certifications in different business units and provides consulting services to other organizations to help them achieve and maintain their own ISO/IEC 27001 certifications.

PCCW demonstrated a strong public commitment in achieving ISO/IEC 27001 certification, enshrining the fundamental principle that PCCW will at all times aim to protect information in its possession, in accordance with the highest levels of international standards, a qualification all information and communication technology companies should strive to achieve. The benefits PCCW achieved through ISO/IEC 27001 certification include:

- enhanced cultural awareness of all PCCW stakeholders in understanding the need for information security;
- an understanding of the true value of the information assets held in its possession;
- an appreciation of the risk management approach to the protection of information assets;
- increased PCCW compliance with government regulations, inclusive of privacy controls and how information is secured and protected.

ISO/IEC 27001 certification has positioned PCCW well in responding effectively to the increasing complexity of government regulations in the countries in which PCCW operates throughout the world. Another major benefit of obtaining and maintaining its ISO/IEC 27001 certifications is the knowledge that, in doing so, PCCW is setting a trend for the Asia Pacific information and communication technology industry.
GFI and ISO/IEC 27001

The final case study illustrates the worldwide influence of legislation and regulation on the implementation of information security, particularly regarding data protection and privacy. Also coming into force are governance regulations such as Sarbanes-Oxley (SOX) and Basel II, and cyber laws on hacking and spam. Tokyo-based Global Friendship Inc. (GFI) develops privacy and information security technology to ensure compliance with Japanese regulations, and is itself compliant by virtue of ISO/IEC 27001 certification. Yutaka Yasukura, GFI CEO, explains:

[Photo: Yutaka Yasukura, CEO, Global Friendship Inc. Web www.gfi.co.jp]

In 2003, Japan adopted the Protection of Personal Information Act (No. 57), now obligatory, which has led to increased awareness of data management among every business and market in the country. GFI introduced an information security solution called GFI E-Tally, to help organizations comply with the Act. Instead of encryption, our software uses secret sharing technology which processes highly confidential information into meaningless decomposed data. This data is no longer considered to be personal information, as defined in the Act; thus, the obligation to protect personal data no longer applies, and this helps save the cost of data storage and management required by law. GFI E-Tally, which fulfils the requirements of CIA (confidentiality, integrity and availability), was developed primarily to ensure the confidentiality of files created by any entity.

GFI was audited and certified to ISO/IEC 27001 by TÜV Rheinland Japan Ltd. using GFI E-Tally technology applied to our own information security management system. Third party review for ISMS certification gave us a better understanding of the risks related to product development, while achieving certification gives us confidence in the security of services provided by GFI. ISO/IEC 27001 certification led to the success of GFI E-Tally as an alternative to encryption, and helps us explain to clients that it is applicable to ISMS and has the potential for world-wide acceptance.

Sector adoption

The services, telecoms, financial services, manufacturing, healthcare, government and utilities sectors are the most dominant in ISO/IEC 27001 adoption. Figure 1 shows the breakdown of the current 4 500 ISO/IEC 27001 certificates by sector, and Table 1 indicates the subdivision of the services, technology and finance and insurance sectors by specialization.

[Figure 1 ISO/IEC 27001 certifications by sector.]

Table 1 Specializations of ISO/IEC 27001-certified organizations in three main sectors.

Services: advertising; business solutions; consultancy services; consumer services; data collection services; distribution services; entertainment industry; ICT services; information services; logistic services; managed data services; marketing services; music industry; outsourcing; postal services; publishing industry; recruitment services; research services.

Technology (the design, development, manufacturing and selling of ICT such as): computer hardware; electrical goods; electronic goods; multimedia devices; communications devices; network equipment; scientific instruments; software.

Finance and insurance: asset management; banking (wholesale); banking (retail); health insurance; insurance brokers; life insurance; medical insurance; mortgage investment; property management; real estate development; savings and loans; stock brokers.

Generally, implementation is driven by the need to provide customer assurance and confidence, i.e. fit for purpose, outsourcing arrangements, increasing information security risks, and governance, compliance, legislation and regulations.

Regional adoption

Asia represents over 66 % of the total number of ISO/IEC 27001 certificates issued to date, followed by Europe with 20 %. There are close similarities between the types of business in Asia and Europe that have pursued certification (see Figure 2).

The ICT sector is most prominent among certified organizations in Hong Kong, Malaysia and Singapore, while Telecoms sector representation is strong in Hong Kong but not yet in Malaysia. Conversely, 26 % of all certifications in

Malaysia are from the financial services sector, but only 6 % and 8 % respectively in Hong Kong and Singapore. Government departments on the other hand are just starting on the road to ISMS certification (see Table 2). ISMS adoption in important sectors such as healthcare is currently lagging behind that of Japan, Korea and Europe. In addition, representation of professional and information services remains low compared with Europe.

[Figure 2 ISO/IEC 27001 certifications by region.]

Table 2 ISO/IEC 27001 certifications in Hong Kong, Malaysia and Singapore (share of each economy's certificates).

                             Hong Kong   Malaysia   Singapore
ICT                          32 %        50 %       41 %
Telecoms                     25 %        -          11 %
Financial services            6 %        26 %        8 %
Manufacturing                 4 %         5 %        8 %
Government                    4 %         9 %        8 %

Remaining rows (the extraction does not preserve which economy each figure belongs to): professional services 11 %, 8 %; information services 4 %, 15 %; education 5 %; engineering 6 %, 5 %; healthcare 4 %; logistics and transportation 4 %, 5 %.

Africa and Middle East

ISO/IEC 27001 implementation in Africa and the Middle East is starting to grow, with banks, telecoms, oil and gas companies leading the way. Dr. Angelika Plate, ISMS Consultant for Aexis Security Consultants, comments on progress:

[Photo: Dr. Angelika Plate, ISMS Consultant, Aexis Security Consultants. Web www.aexis.de]

Information security is becoming a hot topic in the Middle East, particularly in Bahrain, Oman, Saudi Arabia and the United Arab Emirates as the dependency being placed on information processing and IT services continues to accelerate. More and more organizations in the region are adopting ISO/IEC 27001 to manage their information security and benefit from applying such best practice standards that have already proven useful around the world. Interest in certification continues to grow (the numbers have doubled in the last year) and more are in the pipeline. There is also interest in integrated management systems combining, for example, ISO/IEC 27001 with the service management standard ISO/IEC 20000.
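The GFI case study above describes a product that replaces encryption with secret sharing, turning a confidential file into decomposed pieces that are individually meaningless. The following is an added example written for this page; it is not GFI's E-Tally or any code the article describes, and it assumes nothing about that product beyond the testimonial's description. It implements Shamir's threshold scheme over a prime field to show the property such a claim rests on: any k of n shares recover the data, while k-1 shares are consistent with every possible secret and so carry no information. The function names (split, combine, recover_chunk_values, missing_share_for), the 15-byte chunking with a 0x01 prefix and the sample record are this example's own constructions.

```python
"""Threshold (k-of-n) secret sharing over a prime field, after Shamir (1979).

Added example for this article; it is not GFI's E-Tally code and assumes
nothing about that product beyond the testimonial's description. It shows the
property such a scheme relies on: any k shares recover the data, while k-1
shares are consistent with every possible secret and so reveal nothing.
"""
import secrets

P = 2**127 - 1   # Mersenne prime; all arithmetic is in GF(P)
CHUNK = 15       # bytes per chunk: 0x01 || 15 bytes < 2**121 < P


def interpolate(points, at):
    """Lagrange-interpolate the polynomial through points and evaluate at x=at."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (at - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def _eval_poly(coeffs, x):
    """Evaluate coefficients (low to high degree) at x by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _chunks(data):
    """Cut data into CHUNK-byte pieces; the 0x01 prefix keeps leading zero
    bytes and the piece length intact across the bytes<->int round trip."""
    return [int.from_bytes(b"\x01" + data[i:i + CHUNK], "big")
            for i in range(0, len(data), CHUNK)]


def split(secret, k, n):
    """Split secret bytes into n shares of the form (x, [y per chunk]).

    Every chunk gets its own random polynomial of degree k-1 whose constant
    term is the chunk value; share x holds the polynomials' values at x.
    """
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    polys = [[v] + [secrets.randbelow(P) for _ in range(k - 1)]
             for v in _chunks(secret)]
    return [(x, [_eval_poly(poly, x) for poly in polys]) for x in range(1, n + 1)]


def recover_chunk_values(shares):
    """Field value each chunk polynomial takes at x=0 for this share set
    (these are the true chunk values only when at least k distinct shares
    are present; below the threshold the result is just another field element)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    n_chunks = len(shares[0][1])
    return [interpolate([(x, ys[i]) for x, ys in shares], 0) for i in range(n_chunks)]


def combine(shares):
    """Recover the secret bytes from at least k distinct shares."""
    out = bytearray()
    for val in recover_chunk_values(shares):
        raw = val.to_bytes((val.bit_length() + 7) // 8, "big")
        out += raw[1:]          # drop the 0x01 prefix added in _chunks
    return bytes(out)


def missing_share_for(partial_points, x_missing, candidate):
    """With only k-1 points (x, y) of one chunk, return the y value that a
    share at x_missing would need for the secret to equal `candidate`.

    Such a y exists for every candidate in GF(P), which is why k-1 shares
    carry no information about the secret.
    """
    return interpolate([(0, candidate)] + list(partial_points), x_missing)


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = b"constructed sample record: patient 4711, diagnosis code Z00"
    shares = split(record, 3, 5)
    assert combine([shares[4], shares[1], shares[2]]) == record
    one_chunk = split(b"pin:0042", 3, 4)
    partial = [(x, ys[0]) for x, ys in one_chunk[:2]]   # k-1 = 2 points
    for cand in (0, 1, 2**100):
        y = missing_share_for(partial, 4, cand)
        assert interpolate(partial + [(4, y)], 0) == cand
    print("any 3 of 5 shares recover the record; 2 shares fit every secret")
```

From a defender's point of view the decomposed data is only meaningless while fewer than k shares are ever co-located: shares kept on the same host, in one backup set or behind one set of credentials collapse back into the original record, so the separation of shares is the control an ISMS has to manage, much as key management is for encryption.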