IT Security Standards: What Is Best for My Organization (Part 1)

While it was a common concern for computing people to implement security measures within their information assets, there has to be a “de facto”, meaning, the standards which focuses on the minimum solutions that addresses information security concerns on an industry or on a regulatory manner.

 ISO/IEC 27002

(also known as the Code of Practice for Information Security Management)

ISO/IEC 27702 refers to a code of practice for information security management and is a common basis and practical guideline for developing enterprise and business security standards and how to manage these standards. This standard contains guidelines and best practices and recommendations for several information security domains like:

  • ISMS or information security management policy
  • The organization of information security asset management
  • Human resources (HR) security
  • Physical and environmental security
  • Communications and day to day management of operations
  • Access control of data and information, to include acquisition, development and maintenance of these items
  • Incident management and
  • Business continuity and compliance.

In our opinion, all organization should have to have these standards in place to satisfy control objectives and to protect information against threats to confidentiality, integrity and availability.

ISO/IEC 27001 or the Information Security Management System Requirements

The ISO/IEC 27001 is quite different from ISO/IEC 27002 due to the mere fact that ISO/IEC 27001 details the requirements for establishing, implementing, maintaining, managing and improving an ISMS in an organization. Where ISO/IEC 27002 points out the management of the business concepts per se, ISO/IEC 27001 details each business cycle, business component, information asset to a cycle model  known as the PDCA (Plan Do Check Act) model that aims to establish, implement, monitor and manage the information security cycle.

Often, ISO/IEC 27001 is implemented together with ISO/IEC 27002 for ISO/IEC 27001 defines the requirements and uses ISO/IEC 27001 as an outline.

ISO/IEC 27002 is a code of practice, while ISO/IEC 27001 details the process.

ISO/IEC  15408 or Evaluation Criteria for Information Security

This standard defines the common criteria that should be used to evaluate, validate and certify the security assurance of a product or solution against a number of factors such as functional requirements in information security, which is outside of the user or system functional requirements in systems and solutions development and works independently of the usual Systems Development Life Cycle (SDLC) or any other processes involved in the acquisition, management or modification of new information assets.

While ISO/IEC 15408 is not that used extensively in most countries, acquisition of new information assets as well as enhancements of current information assets should also be looked into using this standard for it will integrate within the existing information systems that may compromise information security of these assets and components.

Next part of the IT Security standards article will be isuued next Monday. Keep on following us.