Data Losses

Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime, according to a recent study by security technology firm McAfee. They found that malware increased by 400 percent last year.

The malware is being designed to steal your data, steal your identity, or steal your money. According to McAfee, both the scale and the sophistication of this malware are alarming. The survey found that 80 percent of the malware is aimed at financial gain, rather than the traditional viruses and worms which have only nuisance value.

The increase in the availability and capacity of removable and portable storage, such as mobile phones, laptops, and USB sticks, has made data loss or theft much easier. Global supply chains also mean that sensitive data is often stored abroad, frequently in countries with little intellectual property law.

Data lost accidentally, or through theft, can be expensive to replace or damaging to a company’s reputation or brand. In the survey, 42 percent of companies said that laid-off employees were the single biggest threat to their data security.

ISO 27001

Given the magnitude of the threat, it could be time for your organization to implement ISO 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented “Information Security Management System” within the context of your overall business risk. It specifies requirements for the implementation of security controls customized to the needs of an individual organization.

The standard is designed to help select adequate and proportionate security controls that protect information assets and give confidence to interested parties. It is intended to help:

  • formulate security requirements and objectives;
  • ensure security risks are cost effectively managed;
  • ensure compliance with laws and regulations;
  • provide a process framework for implementing and managing controls that ensure specific security objectives are met;
  • define new information security management processes;
  • identify and clarify existing information security management processes;
  • determine the status of information security management activities;
  • determine the degree of compliance with the policies, directives and standards;
  • provide relevant information about information security policies, directives, standards and procedures to trading partners;
  • implement business-enabling information security;
  • provide relevant information about information security to customers.

ISO 27002

ISO 27002:2005, Information technology – Security techniques – Code of practice for information security management, is a companion document for ISO 27001.

ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It contains best practices of control objectives and controls in the following areas of information security management:

  • security policy;
  • organization of information security;
  • asset management;
  • human resources security;
  • physical and environmental security;
  • communications and operations management;
  • access control;
  • information systems acquisition, development and maintenance;
  • information security incident management;
  • business continuity management;
  • compliance.

The control objectives and controls in ISO 27002 are to be implemented to meet the requirements identified by a risk assessment. The standard is meant to be a practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

ISO 27005

ISO 27005:2008, Information technology – Security techniques – Information security risk management, provides guidelines for information security risk management. It supports the general concepts specified in ISO 27001 and is designed to assist the implementation of information security based on a risk management approach.

Note: Knowledge of the concepts, models, processes, and terminologies described in ISO 27001 and ISO 27002 is important for a complete understanding of ISO 27005.