ISO 27001 in North America
You can either use our specific North American ISO27001 Information Security Site or continue here for more information.
There are a number of direct, practical reasons for implementing an information security policy and information security management system (ISMS) that is capable of being independently certified (sometimes called ‘registration’) as compliant with the new international information security standard ISO/IEC 27001:2005.
- An ISO/IEC 27001-certificated ISMS gives you a documented, independently audited control framework that supports compliance with the range of information-related legislation that applies to you, including (as applicable) HIPAA, GLBA, SB 1386 and the other state breach-notification laws, PIPEDA, FISMA, the EU Safe Harbor framework, and so on. Note that certification does not by itself constitute legal compliance with any of these: each has its own specific requirements, which must be mapped to the ISMS controls and evidenced separately;
- An ISO/IEC 27001-certificated ISMS puts in place the general IT control environment on which a successful SOX section 404 assessment of internal control over financial reporting depends;
- A certificate tells existing and potential customers, as well as regulators, that you have defined and put in place effective information security processes, and so helps to create a trusting relationship;
- ISO/IEC 27001 certification will cost a fraction of a SAS 70 audit (which typically costs upwards of $100k) and demonstrates the existence of a best-practice-based information security infrastructure. The two are not interchangeable, however: a SAS 70 report is a service auditor's opinion on the controls a service organization has described, whereas ISO/IEC 27001 certifies that the organization's management system meets the standard;
- The certification process also helps the whole organization focus on continuously improving its information security processes;
- ISO/IEC 27001 is also an effective response to information risks identified in any COSO-type enterprise risk management framework.
Information systems are not usually designed from the outset to be secure. Technical security measures and checklists are limited in their ability to protect a complete information system. Management systems and procedural controls are essential components of any really secure information system and, to be effective, need careful planning and attention to detail, such as is contained in the ISO 27001 ISMS Documentation Toolkit.
ISO/IEC 27001 provides the specification for an information security management system and, in the related Code of Practice, ISO/IEC 17799, it draws on the knowledge of a group of experienced information security practitioners in a wide range of significant organizations across more than 40 countries to set out best practice in information security. An ISO 27001-compliant system provides a systematic approach to identifying and treating the entire range of potential risks to the organization's information assets. Its controls can also be mapped to the requirements that FISMA (the Federal Information Security Management Act) places on Federal organizations and, cross-referenced to the requirements of the PCI DSS (Payment Card Industry Data Security Standard), offer an effective route to compliance with a commercially critical requirement as well. In each case the mapping, and any gaps it exposes, must be documented explicitly: neither FISMA nor PCI DSS accepts an ISO 27001 certificate as a substitute for its own assessment.
ISO 27001 Standards, Books and Toolkits immediately available
Through our new North American ISO27001 website, you can access a comprehensive range of advice, books and tools for ISO 27001 certification, including books by internationally-recognised ISO 27001 experts Alan Calder and Steve Watkins, and a North American release of the unique, best-selling ISO 27001 ISMS Documentation Toolkit. These products can also be ordered through this, our international site.
- International IT Governance: an Executive Guide to ISO27001/ISO17799
- Management Guides to ISO27001/ISO17799, and to Implementing an ISMS
Information security and Sarbanes Oxley
SOX specifically focuses on the accuracy of a company's financial records and on the controls related to income, expenses, accounting, liabilities, and so on. Information security became a fundamental component of SOX compliance when the Public Company Accounting Oversight Board (the PCAOB, which was created to define auditing standards) issued Auditing Standard No. 2, on the audit of internal control over financial reporting. Under it, senior management is responsible not only for the financial information itself but also for the way that information is generated, accessed, collected, stored, processed, and transmitted, and that responsibility is very difficult to discharge without an effective information security management system.
ISO 27001 provides an independent, internationally recognized best-practice framework for achieving these objectives.
Information security and GLBA
The Gramm-Leach-Bliley Act (GLBA), also known as the "Financial Services Modernization Act of 1999", requires US "financial institutions" to establish administrative, technical and physical information safeguards to ensure the confidentiality and integrity of customer records and information. In order to comply with this federal mandate, institutions that are significantly engaged in financial activities are required to identify and assess security risks, plan and implement security solutions to protect sensitive information, and establish measures to monitor and manage security systems. Section 501(b) of GLBA established the high-level privacy and security requirements with which financial institutions must comply. The Federal Trade Commission (FTC) was authorized to implement it and issued its Final Rule (the Safeguards Rule, 16 CFR Part 314) in May 2002. With a few exceptions, the effective date for financial institution compliance with the Final Rule was May 23, 2003 (with a two-year grandfathering of existing service contracts, until May 24, 2004). The Rule requires financial institutions to:
- Protect the security and confidentiality of customers' non-public personal information
- Institute administrative, technical, and physical safeguards
- Protect against anticipated threats and hazards to information security
- Protect against unauthorized access to or use of information
- Establish a continuous risk-based information security program with:
  - Board oversight
  - Assessment of threats and vulnerabilities
  - Risk management and controls
  - Training and testing
  - Vendor oversight
  - Monitoring, auditing, adjusting and reporting
ISO 27001 provides an independent, internationally recognized best-practice framework for achieving these objectives.
Information security and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (whose rules began taking effect in 2003) is a set of federal standards that requires healthcare organizations (Covered Healthcare Providers, Health Plans and Healthcare Clearinghouses) to implement security standards that protect (and keep up to date) patient data, and to standardize on electronic data interchange. HIPAA was originally designed to speed the processing of medical claims by implementing certain standards for transmitting medical data. This of course raised information security concerns, so provisions were also made to protect the confidentiality of personal health information both in transit and in storage.
The 'Administrative Simplification (AS) Provisions' set out the specific rules that institutions must implement in order to comply with HIPAA; these include the rules for EDI, for electronic signatures, and for privacy and security standards. While these provisions are technology-independent, any system of information security controls that a healthcare organization implements will need to be integrated and comprehensive rather than a collection of point solutions.
ISO 27001 provides an independent, internationally recognized best-practice framework for achieving these objectives.
Information Security and SB1386, and other State Breach Laws
Senate Bill 1386 (SB-1386), which amended California's Information Practices Act, took effect on July 1, 2003. The primary purpose of the bill is to force companies to think more seriously about information security and its impact on the residents of California. The law focuses on companies, primarily in the US but in reality throughout the world, and their need to protect the personal information of California residents. SB-1386 requires any state agency, person or business that holds computerized personal data about customers (or employees) living in California, and that suffers a breach of security of the system holding that data, to notify every California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, however the breach occurred. The costs of communicating with every affected Californian, in addition to the negative publicity and reputation damage for the organization, are significant consequences of failing to establish a best-practice information security management system. Note that the encryption exemption only applies if the data was actually encrypted at rest in the breached system and the keys were not also compromised; encryption applied elsewhere in the organization does not remove the notification duty.
More than 20 states have now passed security breach laws similar to SB-1386. Here is the Crowell & Moring table of state breach laws. Companies that seek to avoid the penalties of compliance failure need to implement a comprehensive information security management system that will protect the confidentiality, integrity and availability of personal data.
ISO 27001 provides an independent, internationally recognized best-practice framework for achieving these objectives.