An ISO/IEC technical report (TR) providing technical controls and compliance
guidelines for auditors can improve the effectiveness of an organization’s
information security system.
ISO/IEC TR 27008:2011, Information technology –
Security techniques – Guidelines for auditors on information security
controls, aims to instill confidence in the controls underpinning
an organization’s information security management system. The review applies to
all parts of the organization, including business processes and its information
systems environment.
“The business environment is constantly changing – along with threats to a
company’s survival. Organizations need to be ahead of the game, and an excellent
defence can be built around audit of the controls used to support the
information security,” says Edward Humphreys, leader of the working group that
developed the new document.
“ISO/IEC TR 27008:2011 supports a rigorous organizational security audit and
review programme for information security controls, to enable the organization
to have confidence that their controls have been appropriately implemented and
operated and that their information security is ‘fit for purpose’.”
ISO/IEC 27008 provides guidance on reviewing the implementation and operation
of controls, including technical compliance checking. The document is
principally aimed at information security auditors who need to check the
technical compliance of an organization’s information security controls against
ISO/IEC 27002 and any other control standards used by the organization. ISO/IEC
TR 27008 will help them to:
- Identify and understand the extent of potential problems and shortfalls of information security controls
- Identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities
- Prioritize information security risk mitigation activities
- Confirm that previously identified or emergent weaknesses or deficiencies have been adequately addressed
- Support budgetary decisions within the investment process and other management decisions relating to improvement of an organization’s information security management.
ISO/IEC 27008 will thus be of benefit to all types of organizations,
including public and private companies, government entities, and not-for-profit
organizations. It is the eighth document available in the series of standards
(ISO/IEC 27000) on information security management systems.
Edward Humphreys adds, “In every business model and organizational structure,
every business sector and every business relationship, information is a key
commodity and the ISO/IEC 27000 series of standards can be utilized to protect
this important business commodity.”
ISO/IEC TR 27008:2011, Information technology – Security techniques –
Guidelines for auditors on information security controls, costs 136 Swiss
francs and is available from ISO national member institutes and from ISO
Central Secretariat through the ISO Store or by contacting the Marketing &
Communication department.
Ref.: 1485, 2011-11-08
Mrs. Sonia Rosas Friot, Assistant, Marketing Services
Marketing, Communication and Information
Tel. +41 22 749 03 36
Fax +41 22 749 09 47
E-mail sales@iso.org