Information security control reviews and technical compliance testing should be integral parts of any enterprise-wide information security programme. If you are involved in auditing information security controls, the new ISO/IEC TR 27008:2011 is essential reading.
The new ISO/IEC TR 27008:2011 provides guidance on reviewing the implementation and operation of information security controls within an organisation. It supports the risk management process in ISO/IEC 27001 and the information security controls in ISO/IEC 27002.
This new standard is applicable to any type of organisation and is of particular benefit to those undertaking security reviews and technical compliance checks.
ISO27008 (ISO/IEC TR 27008:2011) Guidelines for Auditors on Information Security Controls
This new Standard will help your organisation to:
- Identify potential problems in your organisation's implementation and operation of information security controls
- Identify and understand the potential organisational impacts of inadequately mitigated information security threats and vulnerabilities
- Prioritise information security risk mitigation activities
- Confirm that previously identified or emergent information security weaknesses or deficiencies have been adequately addressed, and/or
- Support budgetary decisions within the investment process and other management decisions relating to improvement of the organisation’s information security management