Thursday, August 27, 2009

ISO/IEC 27000 ISMS Standard

Recently I have been studying a lot about information security standards and compliance. I just finished reading the book "Implementing the ISO/IEC 27001 Information System Standard" by Edward Humphreys. I will implement some of its requirements, especially access control management, in my medical data security project.

ISO/IEC 27001 is a family of Information Security Management System (ISMS) standards:

27000 ISMS Overview and vocabulary
27001 ISMS requirements
27002 Code of Practice for ISMS
27003 ISMS implementation guidelines
27004 ISMS measurement
27005 Information security risk management
27006 Accreditation requirement for certification bodies (CB)

At first glance at this family, I think my project should comply with ISO/IEC 27002. Here is the paragraph that reminds me of the difference between 27002 and 27001.

"The idea of compliance with ISO/IEC 27002 is therefore very much a question of management requirements since this is a code of practice and not a mandatory specification. ISO/IEC 27002 has no recognition as a compliant standard as is ISO/IEC 27001, which is an internationally recognized standard for compliance assessment"

Many organisations have an "acceptable use policy" to control their staff's use of the Internet. For example, it could provide a clear warning of what is strictly prohibited on the network, e.g. accessing pornography, using certain messaging services, or unauthorised access to the organisation's information.

As mentioned in the book, several control lists are available in Annex A. SMEs do not need to implement all the controls. Selection and attention should be focused on those controls that reduce the risks and impacts. An appropriate ISMS implementation should be built to suit most of its management needs.

For authentication, the simplest approach is based on what the user knows (a password or a PIN). This is "one-factor" authentication. If two factors are used, such as what a user knows and has (e.g. a PIN and a bank card), this is commonly known as "two-factor" authentication.

The book is a comprehensive guide to information security management based on the ISO 27001 standard. Data security is much more than just the technical element. It involves every element that accesses the system, ranging from policy, operating methods and human resources to software and hardware. The PDCA (Plan, Do, Check, Act) cycle is a long and always ongoing process to ensure information security within the organisation and thus compliance with the standard.

"Nothing is as constant as change" - Greek philosopher Heraclitus
