ISO 17799 Information Aggregator

Become Confident in Your ISO 27001 Practices

Posted: June 17th, 2010 | Filed under: Uncategorized

Managers who claim that their organizations comply with ISO/IEC 27001:2005 but that they see no need to go through the bureaucracy of getting the ‘badge on the wall’ are only deceiving themselves. The reality, I suspect, is that the vast majority of organizations that won’t submit their Information Security Management Systems (ISMS) to an external audit against ISO 27001, fear that, when it comes to the push, their systems would fail the test.

Survey after survey tells a depressingly familiar information insecurity story. Most recently, the 10th annual CSI/FBI survey revealed that, amongst the security-conscious, information security control-focused members of the CSI, computer crime continued to have a significant financial impact. The average incident last year cost $204,000, and the top two security breaches were through virus attacks and unauthorized access – both of which are comprehensively controlled through the controls and management systems mandated by ISO 27001.

ISO27001 Effectively Manages Data Security

This evidence, combined with the findings of a recent survey carried out amongst UK-based organizations certified to ISO27001, suggests – somewhat contradictorily – that securing information is rarely the primary driver for achieving certification. The top reason was commercial advantage, summed up by one respondent who said that a certificate ‘gives customers confidence that our data security is well managed and certified by an independent source.’

And it’s that certification ‘by an independent source’ which is the real benefit of pursuing ISO 27001 in the first place. US regulators implicitly recognized the importance of external validation for information security effectiveness when they observed that: ‘the best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’

Achieve High Security Standards through ISO 27001

There are sectors in which the ‘badge on the wall’ debate is already history, and in which certification is now becoming a basic business requirement. UK cheque printers, for instance, are required to comply with a sectoral version of ISO27001 and suppliers to the NHS are expected to be on track for certification (there is now a health sector version of ISO17799) – even if the NHS itself still has some way to go. Business Process Outsourcing companies are finding it much simpler to provide a copy of their ISO 27001 certificate in their tender documentation than to answer detailed information security questionnaires.

Some of this might be expected: BS7799 was, after all, a British Standard, and the UK government’s Cabinet Office has, for several years now, driven take-up across the UK public sector. And as more and more local authorities and public-sector organizations become certified, so the pressure for their private-sector suppliers to achieve the standard will increase – and today’s early adopters are clearly stealing a march on their competitors.

Achieve Your Certificate in ISO 27001

Internationalised as ISO 27001 (http://www.27001.com), information security certification can also be a short cut to best-practice compliance with a wide range of data compliance and regulatory requirements, ranging from Data Protection Acts across the EU and privacy and breach legislation across the OECD to specific legislation such as GLBA, HIPAA and Sarbanes-Oxley. Determined outsourced suppliers are increasingly insisting that their certificate be taken into account when preparing for and costing their annual SAS 70 audit, with consequently substantial reductions in both the cost of, and disruption caused by, the audit.

Are organizations beginning to recognize that, in fact, it is the badge on the wall that counts? Yes, as evidenced by the increasing number of badges. It took about seven years (to December 1994) for the first 1,000 certificates to be achieved, but less than two and a half years later there are more than 3,500 successes. And certification has a ripple effect: every organization that achieves ISO 27001 will expect its key suppliers to meet the standard. This means that anyone who thinks the badge doesn’t count will have nowhere to hide when the CEO comes asking why your competitors have stolen your lunch.

Alan Calder is an international authority on IT Governance and information security management. He led the world’s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, ‘IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799’. The 3rd edition of this book is the basis for the UK Open University’s postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 Management Systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco.

Article Source:

http://EzineArticles.com/?expert=Alan_Calder

ITIL – Understanding and Using IT Service Management

Posted: June 17th, 2010 | Filed under: Uncategorized

‘ITIL’ is a term that is fast gaining currency around the IT world. It is often wrongly described as ‘IT governance’ – in fact, on its own, it certainly isn’t this. ITIL is a collection of best practices that helps companies implement an IT Service Management culture. However, its growing popularity reflects the substantial impact it can make on a company’s IT and business performance and the fact that, in combination with other frameworks, it is a vital ingredient in creating true IT governance.

What is IT Service Management?

Today’s businesses are increasingly delivered or enabled using information technology. Business and IT management need guidance and support on how to manage the IT infrastructure in order to cost-effectively improve functionality and quality. IT Service Management is a concept that deals with how to define and deliver that guidance and support. In common with other modern management practice, it views things from the customer’s perspective, i.e. IT is a service that the customer or consumer receives. It can be made up of hardware, software and communications facilities, but the customer perceives it as a self-contained, coherent entity.

So what is ITIL?

Standing for ‘IT Infrastructure Library’, ITIL is a set of best practices that are at the heart of the IT Service Management approach. It provides guidance on how to manage IT infrastructure so as to streamline IT services in line with business expectations. ITIL is a best practice framework, presenting the consolidated experience of organisations worldwide on how best to manage IT services to meet business expectations.

ITIL was originally developed during the 1980s by the UK’s Central Computer and Technology Agency (CCTA), a government body, which created ITIL version 1 as an approach to incorporating various vendor technologies and serving organisations with differing technical and business needs. CCTA has now become part of the Office of Government Commerce (OGC), which, as official publisher of the ITIL library, updated it, published version 2 and continues to develop and support it.

ITIL has since become widely adopted across the world in both public and private sectors and is recognised as best practice, being deployed in organisations of all shapes and sizes.

What makes up the ITIL Library?

ITIL documentation consists of seven ‘sets’ or ‘volumes’: Service Support, Service Delivery, ICT Infrastructure Management, Security Management, Planning to Implement Service Management, The Business Perspective and Applications Management.

Of these, Service Support, Service Delivery and Security Management are considered the central components of the ITIL framework, covering vital issues such as Incident Management, Configuration Management, Change Management, IT Service Continuity Management, Availability Management and IT Security Management.

Learning about ITIL

The seven ITIL volumes are published by The Stationery Office, the official publisher of the UK government. In addition, to gain an overview and a sense of how to navigate these, it is helpful to consult one of several recommended introductory texts. ‘Foundations of IT Service Management Based on ITIL – An Introduction’ is widely accepted as the best starting point and self-study guide. ‘Implementing Service and Support Management Processes – A Practical Guide’ is a thorough and comprehensive handbook on the subject, while the ‘itSMF Pocket Guides’ provide a good overview of each of the ITIL components.

Getting certified

Part of the reason for the recent growth in ITIL awareness is the publication in December 2005 of a new global standard to which businesses can become certified. ISO 20000 (or ISO/IEC 20000:2005, to give it its correct name) is closely based upon the pre-existing British standard BS15000 – in fact, it is virtually indistinguishable. The standard comprises two parts: ISO/IEC 20000-1 is the specification for IT Service Management against which an organisation’s practices can be certified; ISO/IEC 20000-2 is the ‘code of practice’ that describes best practices and the requirements of Part 1.

BS15000 has become widely used around the world since it was published in 2003 and was adopted virtually unchanged as the national standard in Australia and South Africa. A number of companies across the USA, Europe and Asia have already become certified as BS 15000 compliant. We also recommend several excellent books that provide guidance on achieving BS15000/ISO 20000 compliance.

Upon the publication of ISO 20000, BS15000 was withdrawn and individual standards and certification bodies are drawing up their own formal transition programmes for conversion to the new standard. Companies already holding BS15000 should encounter no difficulty in converting their certification to the new standard, as this should be one of the considerations addressed by the individual certifying bodies.

Practitioners can also pursue a structured programme of ITIL examination and certification, comprising the ITIL Foundation Certificate, ITIL Practitioners Certificate and ITIL Managers Certificate. Examinations and certification in Europe are managed through two independent bodies: EXIN, the European Examination Institute for Information Science; and ISEB, the Information Systems Examination Board. Between them, these two organisations control the entire certification scheme. In the United States, HDI is a principal organiser of examination and certification, and it and similar organisations provide coverage elsewhere around the world. These organisations ensure that personal certification is fair, honest and independent of the organisations that provide the training, and accredit training suppliers to bring about a consistent quality of course delivery.

ITIL and IT Governance

When combined with certain other frameworks, ITIL makes a major contribution to the creation of effective IT governance. ITIL processes can be mapped to CobiT (Control Objectives for Information and Related Technology) processes, and the two frameworks complement each other nicely: if the CobiT control framework tells the organisation ‘what’ to do in the delivery and support areas, ITIL best practices help the organisation define ‘how’ to deliver these requirements. Similarly, ITIL works very effectively with ISO 17799, the international code of best practice for information security, providing guidance on how to manage the various processes that ISO 17799 prescribes.

By drawing upon these three complementary frameworks as appropriate to its needs, an organisation can establish an IT governance regime that delivers real and lasting competitive advantage to its business.

Alan Calder is CEO of IT Governance Limited, an authorised international distributor of ITIL books (published by TSO on behalf of the Office of Government Commerce) and of British and international standards published by BSI. The seven ITIL volumes are available at http://www.itgovernance.co.uk/catalog/23, while introductory books may be accessed at http://www.itgovernance.co.uk/catalog/7. All items may be purchased online for worldwide delivery. For more information visit http://www.itgovernance.co.uk/itil.aspx

Article Source:

http://EzineArticles.com/?expert=Alan_Calder