ISO 27001
The impact of current privacy concerns, regulatory requirements and legislative security protection has forced organizations to consider information security system frameworks, such as that of the International Standards Organization (ISO). The ISO 27001:2005 introductory course provides the necessary background for organizations to take a tactical and organizational approach to establishing an effective information security policy.
This rigorous approach is essential to organizations that use and distribute sensitive information. In 2005 alone, there were more than 100 publicly reported incidents in which personal and confidential information was breached. Such incidents can be reduced, if not eliminated, through the careful review of formalized processes that manage risk across applications, administration and security maintenance.
Plexent Information Security Consulting Services, which is part of the itDNA® suite of methodologies, knowledge and tool kits, is based on the information security management system (ISMS) framework presented by ISO in ISO 27001:2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements.
What ISO 27001 Addresses
The current version of ISO 27001 was published in October 2005, replacing BS7799. Further standards will be issued to create a series of standards supporting information security. ISO 27001 is key because it provides a standard against which certification and auditing are completed.

The implementation of ISO 27001 aims to address the following:
- Defined method, which is documented for the entire organization
- Outlined security goals for benchmarking
- Completed risk analysis to determine strengths and weaknesses
- Documented security controls
- Ongoing review and improvement
The Plexent Security Management Framework emphasizes the importance of:
- Understanding the organization's internal and external security influences (e.g. PCI, GLBA, HIPAA, DITSCAP, SLA) and the need to establish policy and objectives for information security
- Implementing and operating controls to manage information security risk in the context of the organization's overall business risks
- Monitoring and reviewing the performance and effectiveness of the Security Management Program
- Ensuring continual improvement of the Security Management Program based on objective measurements
ISO 27001:2005 is implemented internationally and is recognized as an important business differentiator, and many times a prerequisite, when establishing a business relationship. Plexent Information Security Consulting Services will strive to ensure that effective information security activities are coordinated and performed at the strategic, tactical and operational levels of the organization. The allocation of information security tasks maps directly to the transfer of authority and responsibilities from executive-level management to the lower levels of the organization, and is aligned with the Plan, Do, Check and Act processes defined by the Security Management Program.

Strategic: At this level, the organization's security objectives are defined and a process framework is established by which the objectives will be achieved. Executive management establishes their commitment to and vision of information security and creates the organization's Corporate Information Security Policy.
Tactical: At this level, the organization's Corporate Information Security Policy is translated into an organizational structure and into more detailed plans that define the processes that will be implemented, the assets that will be deployed and the process outputs expected. Risk assessments are performed to identify, classify and prioritize risks, determine risk treatment and assign the appropriate control mechanisms. Output from the risk assessment process is input to the planning and implementation processes that establish the security policies, standards and operational procedures for the organization. Links to other IT processes such as Change Management, Release Management, Capacity Management and Incident Management are also defined and documented at this level.
Operational: At this level, the organization's Security Management Program is executed. Firewalls are configured, access controls are implemented and administered, network perimeters are established and monitored, and the effectiveness of security controls is continuously evaluated; where necessary, improvements are made to achieve the security objectives.
ISO 27001-based Information Security Services
Plexent's ISO 27001-based Information Security services include consulting services and training. Plexent consultants collaborate with organizations to tailor these services and training to meet organizational needs.
Information Security Consulting
Plexent's IT security consulting services enable customers to:
- Meet the information security requirements of:
  - ISO/IEC 27001:2005
  - HIPAA
  - PCI
  - Sarbanes-Oxley
  - GLBA
  - DITSCAP/DIACAP
  - FISMA
  - State Privacy Regulations
- Create Information Security Policies, Standards and Procedures
- Perform External Penetration Testing/Ethical Hacking
- Conduct Host and Network Vulnerability Scans and Results Analysis
- Develop Information Security Awareness and Training Programs
- Perform Security Technology Evaluations and Recommendations
Training
- ISO 27001:2005 Introduction – Requirements for an Information Security Management System
- Introduction to ISO 17799:2005 – Code of Practice for Information Security Management
- Introduction to PCI Data Security Standards