ISO and IEC help beef up information security management systems

ISO and IEC have added to their toolbox of information security standards, with guidance for the successful design and implementation of ISO/IEC 27001:2005.

IT securityISO/IEC 27003:2010, Information technology – Security techniques – Information security management system implementation guidance, gives advice that will be useful for all types of security-conscious organizations, regardless of their size, complexity and risks.

Today, information security is constantly in the news with identity theft, breaches in corporate financial records and threats of cyber terrorism. An information security management system (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.

The successful design and implementation of an ISMS (ISO/IEC 27001:2005) will reassure customers and suppliers that information security is taken seriously within the organizations they deal with because they have in place state-of-the-art processes to deal with information security threats and issues.

Prof. Edward Humphreys, Convenor of the working group, which developed the new standard, comments: "By using ISO/IEC 27003:2010, the organization will be able to develop a process for information security management, giving stakeholders the assurance that risks to information assets are continuously maintained within acceptable information security bounds as defined by the organization."

ISOIEC 27003:2010 covers the process of ISMS specification and design, from inception to the production of implementation plans. It provides guidance on how to obtain management approval, and gives the concepts on how to design and plan the ISMS project to ensure its successful implementation.

ISO/IEC 27003:2010 is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005. It is not intended to modify and/or reduce the requirements specified in either.