ISO recently made available the ISO/IEC 27013:2012 standard: Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
The new standard is intended for organizations that want to:
- Simultaneously implement both ISO 27001 and ISO 20000-1
- Implement ISO 27001 where ISO 20000-1 has already been adopted, or vice versa
- Integrate and coordinate existing ISO 27001 and ISO 20000-1 management systems
The goal of any of these approaches is an integrated information security and IT service management system. ISO 27013 advises users on the processes and supporting documentation required to implement the complementary ISO 27001 (information security management, ISMS) and ISO 20000-1 (IT service management, aligned with ITIL) standards. It offers a framework for prioritizing and organizing efforts such as aligning ISMS and ITSM objectives, coordinating multidisciplinary activities, and developing a shared system of processes and supporting documents.
Among the business benefits envisioned for combining the two systems are the ability to audit both at the same time, and the ability to meet business, customer and service provider security requirements more effectively with less time, money and effort.
Inspectors General Find Good News/Bad News in FISMA Evaluations
The offices of the inspectors general for a number of key federal agencies have released Federal Information Security Management Act (FISMA) audit reports in recent days. For example, while the Social Security Administration’s information security program and practices were found to be generally consistent with FISMA requirements, an internal penetration test enabled examiners to take control of an SSA network and exfiltrate many records containing personally identifiable information.
The Department of Transportation fared even worse, failing again in 2012 to correct persistent weaknesses that leave the department vulnerable to major security breaches. According to auditors, 21 of the 35 recommendations made since 2009 remain open.
Similarly, a report from the Environmental Protection Agency’s inspector general found serious deficiencies in the EPA’s network security that could compromise the integrity of agency data, including confidential business information, scientific research data, and data used in regulatory enforcement actions. “Known vulnerabilities remain unremediated…,” the report said.
Compliance with comprehensive frameworks like FISMA or ISO 27001 requires the implementation and operation of an Information Security Management System (ISMS). Good practice dictates a strategic approach from design through operation, including providing assurance and attestation to stakeholders.
According to an article in today’s Bangkok Post, Thailand’s Ministry of Defence and Ministry of Information and Communications Technology (ICT) are “ramping up efforts to boost cybersecurity, with one expert describing the security situation in Thailand as a ‘crisis’.”
Speaking at a cybersecurity conference, ministry officials said the risk of cyberthreats was growing across Thailand’s public sector due to the increasing use of social media combined with deficient cybersecurity systems. Likewise, cybersecurity systems in most state agencies were thought to be “completely inadequate.” A further problem is that Thailand’s legal framework has yet to be adapted to address cybersecurity, online access and similar issues.
Officials are working with their counterparts in other Asian nations to develop harmonized legislation to address transnational cyberthreats and improve cybersecurity within and among nations. So far, 59 organizations in Thailand have earned ISO 27001 certification for their ISMS implementations and processes.
ISO 27001 Consulting
It is the ability to certify the operation of an Information Security Management System (ISMS) that makes ISO 27001 unique and makes it ideal as a form of independent attestation to the design and operation of an information security program. Pivot Point Security can help your business achieve ISO 27001 certification. See how we can help.