Iso27001

Thread: Iso27001

  1. #1
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152

    Iso27001

    ISO27001 is now out quite a bit earlier than the official date (so I'm told).

    ISO27001 will replace ISO17799/BS7799-2:2002

    Unless you are already certified to ISO17799/BS7799 all future certifications will be to ISO27001.

    ISO27002 which replaces ISO17799/BS7799 pt1 is out later next year I think.

    http://www.bsonline.bsi-global.com/search/results/1

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Am I a cynic?

    Me: All passwords are multiencrypted, transmoglified and stored at random. They are all 127 random characters.

    Everyone complies, and the passwords are changed every hour

    ISO27001: You passed

    Catch: You passed

    Me: The passwords are written on the display units with marker pens....................

    Malicious Person: Fine!

    Does the expression "real World" ring any bells?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    You're a cynic

    Depends on the organisation whether they are planning to use the standard as a basis for best practice or simply use the certification as a marketing exercise.

    We fall into the former. The standard gives us a guide from which we can develop policies/ standards and procedures to keep us reasonably secure relative to the information assets we hold.

    We can then check compliance with the standards we've developed to check that we are staying secure.

    We've developed metrics based on the standards to let us show improvements in our security performance and to show gaps where we need to work in the future.

    Standards are not the be all and end all and it would be a fallacy to think that, but they are a useful aid/tool to develop best practice within an organisation and to monitor security performance from year to year.

    The standard itself has recommendations to perform more practical tests such as pen tests. Employees writing down passwords would not be following the ISMS, developed from the standard (9.3.1 Password use) and in addition would be breaking the security policy (3.1.1).


    If you are able to come up with all the policies and documents to cover all your needs then fine, you would have no need for BS7799 unless the certification would be a useful selling point.
    But the standard provides a lot of help to organisations needing to develop their security, and being compliant (not certified) with the standard would improve the security (and mindset) in a lot of organisations.

  4. #4
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Sheesh! I'm about to go into an audit cycle and the overarching standards are recodified. I hope the state keeps their stinking hands off stuff for the next year!

    BTW, nihil, got the lobes to post your mug on the wallpaper thread?

    I can't be the only one catching all hell for it.

    EDIT:

    I found this: http://17799-news.the-hamster.com/breaking-news-2.htm

    Says that ISO 27001 replaces BS 7799-2:2002 and will "work with" ISO 17799. Describes ISO 27001 as an information management system itself, while ISO 17799 is a code of practice.

    The toolkit for ISO 17799 has been expanded to include ISO 27001. Pricey. Guess you have to need it.

  5. #5
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Whoa... don't drag me into this... I frequently give people grief for not selecting requirements which only meet the bare minimum of their requirements. I have on more than one occasion given users grief for crazy password requirements...

    ...however if Corp X says "Here is this $100 million contract... if you meet standard Y." and Sr. Mgmt says to me... "All passwords are multiencrypted, transmoglified and stored at random. They are all 127 random characters" I will respond with... "I think we should contact Secure Computing Corp (SCC) about SafeWord."

    We'd have SCC slightly tweak SafeWord a bit (which they'd do for cheap since afterwards they can say it is compliant with the new standard... and really it almost hits those specs now), hit the standard and be $100 million richer.

    And Nihil, what would you say? "The passwords are written on the display units with marker pens." Management would reply "That is no good, fix it... or we'll find someone who can."

    The two rules of solutions development:
    1. Anything is possible with enough resources.
    2. If something is impossible to you, don't just dismiss it as "real world"; contract someone who understands the first rule.

    cheers,

    catch

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    BTW, nihil, got the lobes to post your mug on the wallpaper thread?
    Sure, but herself will get the battery today.................this is a small town, I couldn't find one locally

    Whoa... don't drag me into this...
    If you cannot stand the heat....................stay out of the kitchen?

    Hey, Catch old chap, you might just have noticed that the first two guys to wish you well were from the Northern parts of the British Isles?

    WE built "The Alabama".............................

  7. #7
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Actually I think that if it weren't for my blatant (by my name) Irish background (that has led to some almost inexplicable rudeness) Brits are quite a pleasant group... much better than Americans for the most part... I actually was really looking to find a job there, but it is heaps of hassle getting a job without a visa and even harder to get a visa without a job. So, I'm stuck here with largely ignorant, puritan, self-centered Americans... few of whom wish me well.

    cheers,

    catch

  8. #8
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    Catch I wish you well, you need to come to Texas, the best state in the whole damn union!
    Git R Dun - Ty
    A tribe is wanted

  9. #9
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Hey, catch, yer in the bay area. waddaya expect?

    Come on up to the Northwest.

  10. #10
    Banned
    Join Date
    May 2003
    Posts
    1,004
    My two issues with Texas would be the heat and the fact that my ideological stance is more or less diametrically opposed to those largely found in Texas.

    The Northwest is nice... I really like Seattle and Portland but I have had bad luck with jobs there... like Real Networks scheduling me for an interview... so I fly up and when I get there they tell me that they need to reschedule for the next day... which is really great because I moved all my meetings from the day I flew to the day they wanted me to come back.

    cheers,

    catch
