Information Security (Info Sec) is an essential capability in most organisations today because of the growing number and variety of threats and vulnerabilities with which we have to contend. It is also an accepted part of the IT Governance and Privacy disciplines.
A common misconception among managers is that Info Sec can largely be controlled by technology. In reality a significant proportion of Info Sec, as much as 70%, depends on People and Process issues rather than on technology. As mentioned on the IT Governance page, one of the King III recommendations is the implementation of an Information Security Management System (an ISMS).
Apart from the King III recommendation mentioned above, an ISMS is beneficial because it lays a solid foundation for the management of security in terms of relevant processes and controls. This may seem a little academic, but the following benefits, to name a few, can be expected:
- The implementation of applicable processes makes the management and review of security-related policies and procedures a routine activity that becomes part of everyday life in your organisation;
- A living ISMS becomes the core and fabric of your security capability as the associated processes become embedded in your organisation. As a result, challenges such as PCI (Payment Card Industry) compliance become considerably easier to address because the ISMS will already have addressed most of these requirements.
The most widely adopted standards for Information Security internationally are the ISO/IEC 27000 series. The series includes:
- ISO 27000 - Information Security Management Systems - Overview and Vocabulary;
- ISO 27001 - the specification of an ISMS;
- ISO 27002 - the code of practice for Information Security;
- ISO 27003 - help and guidance in implementing an ISMS;
- ISO 27004 - guidance on the development and use of measures relating to an ISMS;
- ISO 27005 - guidelines for information security risk management;
- ISO 27006 - guidelines for organisations offering certification and registration for an ISMS.
In South Africa, the South African Bureau of Standards (SABS) has adopted the main ISO 27000 standards as South African National Standards (SANS). These are identical adoptions of the equivalent ISO/IEC standards. The local standards are:
- SANS 27000:2009 - Information Security Management Systems - Overview and Vocabulary;
- SANS 27001:2006 - the specification of an ISMS;
- SANS 27002:2008 - the code of practice for Information Security;
- SANS 27005:2009 - guidelines for information security risk management.
IACT has sound knowledge of the SANS standards shown above and will gladly assist you in implementing an ISMS based on them in your organisation. We also offer an Information Security Assessment Service and would welcome the opportunity to discuss it with you in more detail.
We also offer the best ISMS Implementation toolkits available. Follow the link below for more information.
ISMS Toolkits - a range of options to fast-track your ISMS implementation project.
See the Service Offerings page for our full range of services.