Services - ISO 27000
ISO 27000 is an information security management system (ISMS) standard published in October 2005
by the International Organization for Standardization (ISO) and the International Electrotechnical
Most organizations have a number of information security controls. However, without an information
security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been
implemented often as point solutions to specific situations or simply as a matter of convention. Security
controls in operation typically address certain aspects of IT or data security specifically, leaving non-IT
information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover,
business continuity planning and physical security may be managed quite independently of IT or information
security while Human Resources practices may make little reference to the need to define and assign
information security roles and responsibilities throughout the organization.
ISO/IEC 27001 requires that management:
Systematically examine the organization's information security risks, taking account of the threats,
vulnerabilities, and impacts;
Design and implement a coherent and comprehensive suite of information security controls and/or other
forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are
deemed unacceptable; and
Adopt an overarching management process to ensure that the information security controls continue to
meet the organization's information security needs on an ongoing basis.
What we do?
We assist in creating a management framework for information security (preparation of the quality manual
conforming to the requirements of ISO 27001; this sets the direction, aims, and objectives of
information security and defines a policy that has management commitment).
Assisting in the identification and assessment of security risks (security requirements are identified
by a methodical assessment of security risks. The results of this assessment will help guide and
determine the appropriate management action and priorities for managing information security risks.)
Selection and implementation of controls (once security requirements have been identified, controls
should be selected and implemented. The controls need to ensure that risks are reduced to an
acceptable level and meet an organisation's specific security objectives. Controls can be in the
form of policies, practices, procedures, organisational structures and software functions. They will
vary from organisation to organisation. Expenditure on controls needs to be balanced against the
business harm likely to result from security failures.)
Assistance for Certification