Effective Security with a Continuous Approach to ISO 27001 Compliance

By: Tripwire
Published: Jun 27, 2008
Length: 16
Type: White Paper

Overview:

The ISO 27001 standard is primarily referred to as the Information Security Management System (ISMS) certification standard. Organizations that seek to implement an ISMS are examined against ISO 27001. As with several global standards, the scope of this standard is far reaching, with several sets of control objectives and guidelines. Its fundamental purpose is to act as a compendium of techniques for securing IT environments and thus effectively managing business risk as well as demonstrating regulatory compliance. ISO 27001 is recognized internationally as a structured methodology for information security.

This white paper explains how, with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to the specifications given in ISO 27001. This provides immediate visibility into the state of their systems and, by automating the process, saves the time and effort of manual checks.

Related categories: Compliance, Configuration Management, Security
The ISO 27001 standard was published in October 2005 as a replacement to the BS7799-2 standard. It is primarily referred to as the Information Security Management System (ISMS) certification standard. Organisations that seek to implement an ISMS are examined against ISO 27001. The objective of this standard is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS”.
As with several global standards, the scope of this standard is far reaching, with several sets of control objectives and guidelines. Its fundamental purpose is to act as a compendium of techniques for securing IT environments and thus effectively managing business risk as well as demonstrating regulatory compliance. ISO 27001 is recognised internationally as a structured methodology for information security. A widely held opinion is that ISO 27001 is an umbrella over other standards (such as PCI, SOX, GLBA, HIPAA and CobiT). Companies that choose to adopt ISO 27001 demonstrate their commitment to high levels of information security, as there are 11 major controls in the standard that comprise information security best practices. ISO 27001 does not, however, mandate specific procedures nor define the implementation techniques for gaining certification. Thus, companies being audited for ISO 27001 compliance deal with the same issues that plague companies facing regulatory audits: how to effectively achieve compliance and, following an audit, cost-effectively maintain it.
There are several benefits to a company getting ISO 27001 certification:
- Diverse parties working together: With standardisation, systems from different companies are more likely to work together, since they will be speaking a common language.
- An international standard: By complying with an international standard, management proves that it is exercising due diligence in ensuring the security of customer data.
- Awareness within the organisation: Complying with this standard touches a lot of aspects of a company both from a business and an IT perspective. This creates greater awareness of security and process within the organisation.
- Alignment with the organisation: Since the standard covers such a broad area, several departments need to be in alignment in order to ensure certification, thus building a better working model within the entire company.
- Fully accepted in EMEA: Because this standard is widely accepted and implemented throughout EMEA, there are numerous companies that require business partners to have certification before working with them. Certification proves to companies that their vendors have taken the necessary steps to protect customer data, and not having certification could have an economic impact through increased risk exposure. North American companies with operations in EMEA may start running into this issue as well.
The Tripwire Enterprise solution provides organisations with powerful configuration control through its configuration assessment and change auditing capabilities. With Tripwire Enterprise, organisations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to the specifications given in ISO 27001. This gives organisations immediate visibility into the state of their systems and, by automating the process, saves the time and effort of manual checks.
For incorrect configurations, not only does Tripwire Enterprise report that condition as part of its risk assessment feature, it offers remediation guidance for bringing the settings into compliance. Once this known state has been achieved, Tripwire’s change auditing monitors systems for changes that could affect ISO 27001 compliance, maintaining the IT infrastructure in a known and trusted state.
Several controls in ISO 27001 reference IT technology. Not all of them can be tested adequately with software, and not all are relevant to the IT infrastructure. Tripwire Enterprise provides two means of coverage for the ISO 27001 controls. The Configuration Assessment policy proactively assesses settings and checks that they are compliant with the controls. If a setting is compliant, Tripwire Enterprise also continuously monitors it for changes that may take it out of compliance. For settings that are not compliant, Tripwire Enterprise provides the remediation steps needed to bring that setting back into compliance. Other controls can be addressed using Tripwire Enterprise's industry-leading change monitoring: Tripwire can monitor various levels of settings as part of the Change Management controls specified in the ISO 27001 standard.
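The two coverage modes described above (assess settings against a policy with remediation guidance, then baseline the compliant state and audit later changes) can be modelled in a few lines. This is an added illustration, not Tripwire Enterprise code; the policy, control references, setting names and sample system states are all constructed for the example.

```python
import hashlib
import json

# Constructed policy (not Tripwire's): control reference -> (setting, check, remediation guidance).
# Control numbers follow the Annex A style of ISO 27001:2005, but the mapping is illustrative.
POLICY = {
    "A.10.10.1": ("audit_logging", lambda v: v == "enabled", "Enable audit logging"),
    "A.11.5.1": ("ssh_permit_root_login", lambda v: v == "no", "Set PermitRootLogin no"),
    "A.11.3.1": ("password_min_length", lambda v: isinstance(v, int) and v >= 12,
                 "Raise the minimum password length to 12"),
}

def assess(config):
    """Configuration assessment: (control, setting, actual, remediation) for each failed check."""
    return [(ctl, key, config.get(key), fix)
            for ctl, (key, check, fix) in POLICY.items() if not check(config.get(key))]

def baseline(config):
    """Record a per-setting digest of a known, trusted state for later change auditing."""
    return {k: hashlib.sha256(json.dumps(v, sort_keys=True).encode()).hexdigest()
            for k, v in config.items()}

def audit_changes(base, config):
    """Change auditing: list every drifted setting, single out those a control depends on,
    and re-run the policy only for the drifted settings so each new finding is attributed."""
    now = baseline(config)
    changed = sorted(k for k in set(base) | set(now) if base.get(k) != now.get(k))
    monitored = {key for key, _, _ in POLICY.values()}
    relevant = [k for k in changed if k in monitored]
    new_findings = [f for f in assess(config) if f[1] in relevant]
    return {"changed": changed, "compliance_relevant": relevant, "new_findings": new_findings}

# Constructed sample system states: before remediation, after it, and after later drift.
INITIAL = {"audit_logging": "enabled", "ssh_permit_root_login": "yes",
           "password_min_length": 8, "motd": "Welcome"}
REMEDIATED = {**INITIAL, "ssh_permit_root_login": "no", "password_min_length": 12}
DRIFTED = {**REMEDIATED, "ssh_permit_root_login": "yes", "motd": "Maintenance window"}

if __name__ == "__main__":
    for ctl, key, actual, fix in assess(INITIAL):
        print(f"{ctl}: {key}={actual!r} non-compliant; remediation: {fix}")
    known_good = baseline(REMEDIATED)   # taken only once assess() reports no findings
    print(audit_changes(known_good, DRIFTED))
```

The baseline is captured only after assessment is clean, so every later change is either benign (here, the login banner) or a compliance-relevant drift that maps back to a specific control.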