|Preview ISO 27001 -- real life practice.pdf|
Is the ISO 27001 standardization equally efficient in practice and theory?
Is this time and money requiring standardization worth sacrificing?
Why the human factor and the ISO 27001 are closely interconnected and how to overcome that?
Should it be implemented in all types of organizations?
The answers for these and other not less important questions are waiting for you in the new issue. Let’s figure out the role of the ISO 27001 standardization in a new issue of the PenTest Magazine. This full of experts’ opinions unique publication is waiting for you. Hope that it will be a pleasure for you to take a journey to the ISO 27001 world.
The issue is based on the experts’ opinions from all over the world, about fifteen top professionals shared their experience with our journal. We have done our best to provide you with relevant experiences. Our editors always manage to find something new and creative on any topic, and the ISO 27001 is no exception. We decided to provide you with critical opinions about the ISO 27001, to find out whether it is worth the sacrifice. In the journal we will reveal all the myths of the ISO 27001 practical usage. Despite the fact that ISO 27001 is one of the pioneers among information security standardizations, there are still a lot of doubts and concerns.
Our editorial team is really concerned about your opinion, so we are counting on your feedback.
In case you like the issue, we would really appreciate if you shared and promoted the magazine in your social media network.
Let’s begin our journey into the world of ISO 27001.
Thank you for your support,
Editorial team of the PenTest Magazine
TABLE OF CONTENTS
ISO 27001: More than standard, a partner
by Jorge Mario Ochoa Vasquez
When we talk about ISO 27001, it’s a little more difficult to convince senior management about the need to implement this Information Security Standard, especially when the risk assessment is not an exact science, that is, we can only estimate the probability to have a malware attack or a confidential information leakage that could result in a significant financial, regulatory or image impact.
ISO/IEC 27001 Certification: Is It Worth It?
by Lassaad Fridhi
ISO/IEC 27001 is a complex standard and getting certified is even more involved than many organizations anticipate, not to mention the cost of implementation as well as the audits leading up to being certified. The question that many organizations ask themselves is whether the certification is worth all this work.
Practical Usage of the ISO 27001
by Samer Omar
I have evolved my career in parallel to that of ISO 27001:2013, which started out as British Standard 7799. It is important to state for the purposes of this article, I am focusing on ISO 27001:2013 and its practicality. This is not a tutorial on ISO 27001:2013 and this article should not be read as such.
Is ISO 27001 a Necessity or a Frill?
by Vinod Kumar Vasudevan
The objective of ISO 27001 is to “provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)”. ISO 27001 was completely rewritten and re-issued in September 2013.
ISO Main Challenges: Implementing and Maintaining in Good Shape
by Marlon Fraile Cestari
Before discussing the main challenges to implementing and maintaining in good shape an ISO 27001 certification, we need to put into context some key concepts. One of them is the Information Security Management System (ISMS) definition and we used the ISO/IEC 27000:2014 as a reference. This document provides an overview of an information security management systems (ISMS), terms and definitions commonly used in the ISMS family of standards, and describes an Information Security Management System (ISMS).
Sharing Experience of Working in the ISO 27001 Environment
by Ramiro Cid
I started to work with ISO 27001 in 2007 when I was in charge of doing ISO 27001 adequacy consultancy projects for customers (at that time, I worked as an IT Security consultant). During that time, I had the opportunity to see different uses of ISO 27001 in different organizations, which give me a broader view, and finally I worked on the ISO 27001 certification we finally obtained on 2008 for my own company.
Using Attack Trees for Enterprise Security
by Dr. M.A.C. Dekker
Traditional enterprise security standards, like ISO 27001, generate flat lists of risks and flat lists of security measures. This can easily lead to a naive defensive strategy of doing a bit of everything. As cyber attacks are becoming more advanced, involving multiple steps, it becomes more important to analyze better the relation between different lines of defense, tradeoffs and defense-in-depth. This article explains how attack trees work and how they can be used in enterprise security, extending more traditional approaches.
ISO 27001 and NESA’s Information Assurance Standard – A Parallel Journey to Information Security
by Irene Corpuz
I crave the ability to implement the ISO 27001, and therefore, I decided to implement it in parallel with ADSIC Standards in 2013, and now, with NESA IAS. Doing so gives me an opportunity to understand similarities and differences between the standards and gain a wider perspective of various security standards’ implementation strategies. All of these cover the information security triad anyway – Confidentiality, Integrity and Availability.
ISO 27001: Challenges of Implementation in Small and Medium Size Companies
by Caria Giovanni Battista
The ISO 27001 is treated as the complex control standard and the standardization occupies all spheres of a company’s life. Most international corporations have already implemented the norm, although when the situation comes to implementation of the standard in small and medium size companies, the reality seems different.
A Comparison between ITIL and ISO 27002 Security Management Methodologies
by Suzanne C. Hall
While the International Standards Organization (ISO) 27002 and Information Technology Infrastructure Library (ITIL) 2011 are similar frameworks, there are differences that should be considered by organizations when planning implementation of an information security management methodology. Some companies leverage both in order to ensure that there is an effective information security management lifecycle within their organization. Lack of strong information security practices, such as those outlined in both frameworks, have led to disastrous and very public results for the companies involved.
Miguel Veida Puente