sapphiresolutions
ISO 27002 (ISO 17799:2005) & ISO/IEC 27001

Most Effective Way to Secure your Business Information Systems?
A Definitive Guide
Intellectual property and other sensitive or business-critical information is the life-blood of many companies today. With the ever-increasing number of IT security breaches being reported, companies need to protect themselves and their customers.

Sapphire is a 'one stop shop' for technical and consultancy information security products and systems.

Sapphire offers a modular stage-wise programme of consultancy services designed to assure the confidentiality, integrity and availability of your information and assets. You can decide which of them you need and Sapphire's degree of involvement.

Sapphire's methodology is based on ISO 27002 (ISO 17799:2005) 'Information Security Management'. Compliance with this standard is becoming an increasing requirement from customers and the government.

As well as helping to achieve certification to ISO/IEC 27001:2005, Sapphire can assist you in the development of a robust information security management system that will help you to:

> Objectively identify and manage risk to information assets;
> Progress towards business maturity;
> Satisfy Corporate Governance, customers, statutory and insurance requirements.


Compliance with ISO 27002 (ISO 17799:2005) provides:

> A common basis for developing organisational security standards;
> An effective security management practice;
> Confidence in inter-organisational dealings.

Sapphire's consultants have over 100 years combined industry experience, and include trained BS7799/ISO 27001 Lead Auditors.

They are currently guiding a number of clients through the newly established ISO/IEC 27001:2005 Certification process (this is the direct replacement for BS7799-2). Previous clients include companies of different sizes, from small IT enterprises to local authorities. To date, Sapphire has a 100% success rate.

The stage-wise programme consists of four main phases:

> Phase 1 - Security Improvement Plan
> Phase 2 - Security Management System
> Phase 3 - Internal Audit
> Phase 4 - Review and Assessments

Having successfully gained Certification to the new ISO/IEC 27001:2005, Sapphire is particularly well placed to guide others toward this internationally recognised Standard.


Training
As well as ISO 27002 (ISO 17799:2005) training, Sapphire can provide general information security awareness training and internal auditor specific training, drawing on experience of a wide-ranging security practice across technical and systems disciplines.

A maturing International Standard
ISO 27002 (ISO 17799:2005) provides a strong and expanded framework for information security management, and forms a 'next step' in an increasingly mature standard that will ultimately form part of the new ISO/IEC 27000 series of standards.

It is recognised that the original version of the standard had some weak areas, which have been addressed in the second version.

The release of the second version of 17799 (ISO/IEC 17799:2005) has seen the standard gain more acceptance internationally, becoming one of the most widely adopted information security management frameworks.

Changes to the standard introduced in the 2005 revision are detailed below:

2000 Edition (10 sections)                   | 2005 Edition (11 sections)
---------------------------------------------|--------------------------------------------------------------
Security Policy                              | Security Policy
Security Organisation                        | Organising Information Security *
Asset Classification & Control               | Asset Management *
Personnel Security                           | Human Resources Security *
Physical & Environmental Security            | Physical & Environmental Security *
Communications & Operations Management       | Communications & Operations Management *
Access Control                               | Access Control
Systems Development & Maintenance            | Information Systems Acquisition, Development and Maintenance *
                                             | Information Security Incident Management
Business Continuity Management               | Business Continuity Management
Compliance                                   | Compliance

* = New Control added.


The changes to the standard have seen some new Controls, some Controls that have been moved from one Clause to another and some Controls that have been removed. Some Clauses, shown in red above, have been renamed to more accurately reflect the Controls contained within them. In addition, a new Clause has been introduced, 'Information Security Incident Management', that now addresses the critical area of Incident Response & Management.

A new 'User Friendly Interface'
The newly developed interface provides a look and feel that is more applicable on a global basis, providing:

> Clarified international context - since the early BS7799 days the need for clarity in a global business environment has been vital
> Revised wording and culture - efforts have been taken to seek common definitions and agreed wording to avoid any confusion or misunderstanding


The changes introduced in ISO 27002 (ISO 17799:2005) represent a logical progression toward the ultimate goal of bringing the Standards that govern Information Security into a common set of ISO Standards, providing crucial links to other existing standards, such as ISO 9001.

The new series of Standards are:

> ISO 27000 – principles and vocabulary (in development)
> ISO 27001 – ISMS requirements (BS7799 – Part 2)
> ISO 27002 – best practice guidelines for information security
> ISO 27003 – ISMS Implementation guidelines (due 2007)
> ISO 27004 – ISMS Metrics and measurement (due 2007)
> ISO 27005 – ISMS Risk Management
> ISO 27006 – Requirements for bodies providing audit and certification of an ISMS
> ISO 27007 to ISO 27010 – allocated for future use

This process brings these Standards properly into line with the International Standards Organisation.

It’s already started!
This move toward International conformity has already begun.

As of the 15th of October 2005, BS7799-2 has been replaced by the new ISO/IEC 27001:2005 standard for information security. ISO/IEC 17799:2005 became ISO/IEC 27002 in 2007. The other Standards will follow, to produce a range of Standards capable of addressing the needs of an ISMS.


Business Consultancy

> ISO 27001 is an International Information Security Standard; ISO 27002 (ISO 17799:2005) gives comprehensive guidance on best practice methods for implementing ISO 27001.
> All organisations, in public or private sectors, are increasingly required to prove that they take information security seriously.
> ISO/IEC 27001 is respected as the 'de facto' standard and will soon become a contractual or service level agreement requirement.


"I have always been impressed with the level of service Sapphire has provided for The essentiagroup and the high standards they adhere to. I would be delighted to recommend Sapphire's services to any organisation..."
Martin Leven, Director of Technology, Essentia Group