Information Security Blog

Information Security Management Systems Merit Growing Awareness

These ISO 27001 links are part of a weekly series, Ethical Hacker Roundup, featuring recent information security and cyber security related articles that we’ve read over and thought worth sharing.

These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.

New ISO/IEC 27013:2012 Standard Now Available

ISO recently made available the ISO/IEC 27013:2012 standard: Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.

The new standard is intended for organizations that plan to:

  • Simultaneously implement both ISO 27001 and ISO 20000-1
  • Implement ISO 27001 where ISO 20000-1 has already been adopted, or vice versa
  • Integrate and coordinate existing ISO 27001 and ISO 20000-1 management systems

The goal of any of these approaches is the implementation of an integrated information security and IT service management system. The new ISO 27013 standard advises users on the processes and supporting documentation required to implement the complementary ISO 27001 (ISMS) and ISO 20000-1 (ITSM/ITIL) standards. ISO 27013 offers a framework for prioritizing and organizing efforts like aligning ISMS and ITSM objectives; coordinating multidisciplinary activities; and developing a collective system of processes and supporting documents.

Among the business benefits envisioned for combining the two systems would be the ability to audit them both simultaneously, while more effectively meeting business, customer and service provider cybersecurity requirements with less time, money and effort.

Inspectors General Find Good News/Bad News in FISMA Evaluations

Inspector general’s offices for a number of key federal agencies have released Federal Information Security Management Act (FISMA) audit reports in recent days. For example, while the Social Security Administration’s information security program and practices were found to be generally consistent with FISMA guidelines, an internal penetration test enabled examiners to seize control of an SSA network and pilfer many records containing personally identifiable information.

The Department of Transportation fared even worse, failing again in 2012 to patch persistent weaknesses that leave the department vulnerable to major security breaches. 21 of 35 open recommendations made since 2009 remain open, according to auditors.

Similarly, a report from the Environmental Protection Agency’s inspector general’s office found serious deficiencies in the EPA’s network security that could compromise the integrity of agency data, including confidential business information, scientific research data, and data used in regulatory enforcement actions. “Known vulnerabilities remain unremediated…,” said the report.

Compliance with comprehensive standards like FISMA or ISO 27001 requires the implementation and operation of an Information Security Management System (ISMS). Good practices dictate a strategic approach from design through operation, including providing assurance/attestation to stakeholders.

Thai Government Leverages ISO 27001 to Thwart a Cyber Security “Crisis”

According to an article in today’s Bangkok Post, Thailand’s Ministry of Defence and Ministry of Information and Communications Technology (ICT) are “ramping up efforts to boost cybersecurity, with one expert describing the security situation in Thailand as a ‘crisis’.”

Speaking at a cybersecurity conference, ministry officials said the risk of cyberthreats was growing across Thailand’s public sector due to the increasing use of social media combined with deficient cybersecurity systems. Likewise, cybersecurity systems in most state agencies were thought to be “completely inadequate.” A further problem is that Thailand’s legal framework has yet to be adapted to address cybersecurity, online access and similar issues.

Officials are working with their counterparts in other Asian nations to develop synergistic legislation to address transnational cyberthreats and improve cybersecurity within and among nations. So far, 59 organizations in Thailand have earned ISO 27001 certification for their ISMS implementations and processes.

ISO 27001 Consulting

It is the ability to certify the operation of an Information Security Management System (ISMS) that makes ISO 27001 unique and makes it ideal for use as a form of independent attestation to the design and operation of an information security program. Pivot Point Security can help your business achieve ISO 27001 certification. See how we can help.

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

  • How to deal with increasing threats
  • How to manage multiple regulatory requirements
  • How to handle client requests for attestation
  • To validate that significant changes did not have unanticipated results

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Free Whitepaper: Five Best Practices for SIEM


The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Download: A Best Practices Guide to Database Security
Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Whitepaper: Stop Wasting Money on Penetration Testing


Penetration Testing is most frequently performed to:

  • Substantiate the net effectiveness of a mature control environment
  • Prove to a third party that an environment is secure/trustworthy
  • Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
  • To validate that significant changes did not have unanticipated results

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Free Download: ISO 27001 Vendor Selection Toolkit

Our ISO 27001 Toolkit will help you to select an ISO 27001 consulting firm.

  • Review the Issues Critical to Your Environment
  • "Vet" Vendor Qualifications
  • Compare the Top 3 Vendors
  • Sample RFP Included

About the Author:

Marketing at Pivot Point Security