Description
With increasing international interest in the field of information security management system (ISMS) metrics and measurements, this publication brings together the different methods currently in use to measure controls and/or processes. In addition, it gives further information and guidance on using these methods to measure the success of the security arrangements in place.
This book provides guidance on implementing ISMS control requirements and on auditing existing control implementations, to help organizations preparing for certification in accordance with ISO/IEC 27001:2005 (Information security management systems - Requirements).
The contents of this guide include the ISMS control requirements that should be addressed by organizations considering certification according to ISO/IEC 27001:2005. Clause 2 of this guide discusses each of the controls from two viewpoints:
* Implementation guidance - describes what to consider in order to fulfil the control requirements when implementing the controls from ISO/IEC 27001:2005 Annex A. This guidance is aligned with ISO/IEC 17799:2005, which gives advice on the implementation of the controls.
* Auditing guidance - describes what to check when examining the implementation of ISO/IEC 27001:2005 controls, to ensure that the implementation covers the essential ISMS control requirements. It is important to emphasize that this guide does not cover the implementation or auditing of the ISMS process requirements; those are covered in Guidelines on Requirements and Preparations for ISMS Certification based on ISO/IEC 27001. This is also discussed in more detail in the section Meeting ISO/IEC 27001 requirements.
CONTENTS:
* Scope of this guide
  * Field of application
  * Usage
  * Compliance
  * Meeting ISO/IEC 27001 requirements
* Implementing and auditing ISMS control objectives and controls
  * Security policy
    * Information security policy
  * Organization of information security
    * Internal organization
    * Security of third-party access
  * Asset management
    * Responsibility for assets
    * Information classification
  * Human resources security
    * Prior to employment
    * During employment
    * Termination or change of employment
  * Physical and environmental security
    * Secure areas
    * Equipment security
  * Communications and operations management
    * Operational procedures and responsibilities
    * Third-party service delivery management
    * System planning and acceptance
    * Protection against malicious and mobile code
    * Back-up
    * Network security management
    * Media handling
    * Exchange of information
    * Electronic commerce services
    * Monitoring
  * Access control
    * Business requirement for system access
    * User access management
    * User responsibilities
    * Network access control
    * Operating system access control
    * Application and information access control
    * Mobile computing and teleworking
  * Information systems acquisition, development and maintenance
    * Security requirements of information systems
    * Correct processing in applications
    * Cryptographic controls
    * Security of system files
    * Security in development and support processes
    * Technical vulnerability management
  * Information security incident management
    * Reporting information security events and weaknesses
    * Management of information security incidents and improvements
  * Business continuity management
    * Information security aspects of business continuity management
  * Compliance
    * Compliance with legal requirements
    * Compliance with security policies and standards, and technical compliance
    * Information systems audit considerations
Published
01 Jun 2005
Publisher
British Standards Institution (BSi)
ISBN
9780580460159
Pages
58