Company information such as financial information, information entrusted to the company by third parties, employee information and intellectual property, amongst others, are all crucial information assets which must be kept securely by a company. International and industry standards have introduced information security management systems (ISMS) to help companies manage this sensitive information. The standards have also come in handy as a sign of reassurance to third parties and other stakeholders that all of their sensitive information is indeed kept securely and in line with industry and world standards. This paper is going to assess international standards in a bid to understand ISO 27001 and the auditing of the security program.
When Did BS 7799 First Come Out?
BS 7799 is a standard developed by the British Standards Institute and was first printed in 1995. The standard was meant to provide direction and best practices to be followed when a company is protecting its information. It provided the code of practice, or guidelines, for information security management systems. BS 7799 was revised and later taken up by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2000. So, what is an alternative model to the BS 7799 model?
What Is ISO 27001?
Hence, BS 7799 became ISO/IEC 17799, or simply ISO 17799, but today it is referred to as ISO 27002. Owing to the different sizes and circumstances of companies, BS 7799 (ISO 17799) provides a list of controls, or suggestions, which companies can choose to adopt according to their needs (Lamphere, 2007). The main control areas for BS 7799 include information security policy, security organization, compliance, personnel security, and system access control. Others are computer and network management, asset classification and control, systems development and maintenance, physical and environmental security, and business continuity planning (SAS70, 2016).
How Is ISO 27001 Different From BS 7799?
One main difference between ISO 27001 and BS 7799 is that ISO 27001 is written as a set of requirements, i.e. it uses "shall" and "shall not" throughout. This means that the ISO 27001 requirements are mandatory, unlike BS 7799, which is a list of controls, a code of practice, i.e. it uses "should" and "should not", meaning that its contents are optional. ISO 27001 is a list of requirements that are to be followed when a company wants to establish an ISMS.
As such, the requirements are mandatory, hence the use of "shall" in the document. BS 7799, on the other hand, is concerned with how the ISMS is to be implemented. It defines the different procedures which are to be followed during implementation of an information security management system, and so provides guidelines, or controls, which one can choose to follow when implementing an ISMS. As such, BS 7799 uses "should" throughout the document to provide room for choice and adjustment in the guidelines followed during implementation of an ISMS (IT Governance, 2016).
Why Is ISO 27001 Important?
Given the technological heights the world has reached, such as cloud computing, companies must be careful with how they secure customer information. As such, I believe that all companies should strive to adopt ISO 27001. These international standards will not only benefit the company but will also provide a sound way of maintaining company information, particularly sensitive information such as financial, intellectual property and third-party information. Application of these international standards will provide excellent evidence of information security and compliance, which is very crucial to external consumers (Schouboe, 2014).
ISO 27001 Benefits
By applying ISO 27001 standards, the company will positively influence its trustworthiness, enabling it to work well with other companies and stakeholders. The adoption of these international standards usually comes with several benefits. Apart from creating trust between the company and its customers, adoption of these standards helps organizations manage their business information efficiently and improve their internal business processes, increasing workers' efficiency and productivity. Information security protects business information from several threats, ensuring the firm's continuity, minimal business risk, and maximization of returns, and also helps to improve business prospects.
In conclusion, adoption of these international standards is very important for the sustainability and survival of business organizations in the current economy. As such, all companies, regardless of their size, market share or stature, should strive to adopt these standards.
Lamphere, P. (2007). ISO 17799 -- it's a control, not a standard. Retrieved from http://www.computerworld.com/article/2545034/security0/iso-17799----it-s-a-control--not-a-standard.html
IT Governance (2016). The difference between ISO 17799 and ISO 27001 or ISO 27000. Retrieved from http://www.itgovernanceonline.com/information-security/difference-iso-17799-iso-27000/
SAS70 (2016). About SAS 70. Retrieved from http://sas70.com/FAQRetrieve.aspx?ID=33293
Schouboe, H. (2014). What is ISO 27001 and why should a company adopt it? Retrieved from http://jscconsultant.co.uk/what-is-iso-27001-and-why-should-a-company-adopt-it11/
Understanding ISO 27001 and Auditing the Security Program. (2021, Mar 19). Retrieved from https://proessays.net/essays/understanding-iso-27001-and-auditing-the-security-program