By Saaher Muzafer, Sales Director at SecurStore Online Backup
December 17, 2010

SecurStore Online Data Backup Expert Tips: What is ISO 27001?

ISO/IEC 27001 is a relatively recent standard for information security management. It was published in 2005 jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full title of the published document is “ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements”, but it is popularly referred to simply as ISO 27001.

The ISO 27001 standard applies to organizations of every kind, including commercial enterprises, government agencies and non-profit organizations; micro businesses and large multinationals alike come within its ambit. Its focus is the establishment, implementation, operation, monitoring, review, maintenance and improvement of an information security management system (ISMS). The requirements it sets for that management system are, however, pitched at a high level: the standard does not mandate any particular information security control (controls are selected on the basis of a risk assessment) and does not drill down into the operational detail of the management system.

The purpose of ISO 27001 is to ensure sustained, directed and continuous improvement in information security management. Its Plan-Do-Check-Act (PDCA) cycle does not treat high-level management activity as a one-time exercise; it also requires a continuous monitoring and review mechanism so that improvement is sustained. Vulnerabilities and impacts have to be examined repeatedly, and information security failures have to be flagged for evaluation, review and corrective action.

The standard is considered suitable for use within organizations for formulating security requirements and objectives, and is seen as a cost-effective means of guarding against security risks. It also aligns with the compliance requirements of various laws and can serve as a framework for implementing and managing the controls that relate to an organization's specific security objectives.

The information security management system built up in this way is useful for defining management processes; identifying existing information security practices; supporting internal and external audit; developing security policies, directives and standards; ensuring uniformity of standards and procedures among trading partners; and providing assurance about security to customers.

As stated above, ISO 27001 is not prescriptive about controls. Organizations can choose information security controls and customize them to fit their particular security situation. To this end the standard's Annex A provides an extensive catalogue of control objectives and controls (drawn from ISO/IEC 27002) from which an organization selects, and the organization may add further controls of its own where the catalogue does not cover a risk. Selection and customization must, however, be preceded by a comprehensive assessment of information security risks: every control chosen (and every Annex A control excluded) has to be justified by that assessment. At the time of writing, a revised ISO 27001 standard is expected to be published sometime during 2010-2012.

Organizations implementing ISO 27001 can seek certification of their information security management system, provided they comply with the mandatory requirements of the standard.

Auditors from an accredited certification body (accreditation is granted to certification bodies by national accreditation bodies, not by ISO itself) will generally examine whether the organization satisfies the minimum requirements against the set of formal items detailed in the standard.

Adopting the standard is voluntary, but for an organization that seeks certification its formal requirements are mandatory: they are the minimum essentials an auditor will check. The auditors will also take into account the scope of certification the organization has asked for. The implication is that organizations seeking certification need to submit a defined ISMS scope and a Statement of Applicability (the document listing which controls have been selected, and why any have been excluded) to the auditors when applying for certification.

Interestingly, although certification is optional, an increasing number of organizations, including online backup service providers, are applying for it. Customers, too, are eager to know whether the online backup service provider they have selected is ISO 27001 certified. This influences their decision, because certification indicates that an independent auditor has examined the provider's facilities and management system and has concluded that the online backup service has put the minimum essential controls in place and is conscious of the information security management needs of its customers.

SecurStore provides a bespoke off-site, online data backup solution tailored to customers who hold both mission-critical and non-critical data, i.e. a secure and efficient backup and recovery solution that is sustainable over time. This, coupled with agentless technology and advanced support for all environments and applications, makes it suitable for any type of business, data centre provider or reseller.

About the Author: Saaher Muzafer is Director of Sales at SecurStore, an Asigra-based cloud backup provider certified for ISO 27001 by the British Standards Institution (BSI), a certification also recognised under ANAB. Established in 1991, SecurStore provides business and enterprise customers with a technically advanced solution in the UK, Europe, the USA, Africa, Asia and the Middle East.
