One Article Review

Source: NoticeBored
Identifier: 1495736
Publication date: 2020-01-03 14:24:22 (seen: 2020-01-03 15:00:04)
Title: NBlog Dec 15 - the business case for ISO27k
Text:

As part of January's awareness module, I'm compiling a generic business case laying out the costs and benefits of implementing the ISO27k standards and seeking an ISO/IEC 27001 certificate.

Well, that was the cunning plan anyway. So far, I have a long list of benefits and a small handful of costs - just the obvious ones to do with managing an implementation project, reviewing information risks, improving governance arrangements, writing and updating the documentation such as policies, and contracting with an accredited certification body. There may be additional costs to implement information security controls ... but not necessarily: it all depends on the information risks and decisions arising. Patently I'm a big fan of ISO27k but I honestly didn't expect the business case to be so overwhelmingly positive. It's quite a surprise.

If management is willing to accept the organization's current information risk status, there's no need to splash out on additional security, at least not yet, not purely for certification anyway. The situation may change, later, once the ISMS is running sweetly and shortcomings with the risk treatments come to light, perhaps through incidents or a growing appreciation of the evolving information risks ... but that's a way down the track, post-certification. Possible future costs are not part of the business case, nor are possible future benefits.

It's not entirely plain sailing though, as the implementation process involves systematically reviewing the infosec controls catalogued in ISO/IEC 27001 Annex A to be sure that nothing important has been neglected. An organization that is lacking in near-universal controls such as identification and authentication, access controls, backups, antivirus and firewalls would be hard-pressed to justify to the certification auditors that they are inapplicable. It can be done, but it's not easy.
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.