Where does ISO/IEC 27001 fit

ISO 27001 is a part of the bigger ISO/IEC 27000 family of standards – Information security management systems. The ISO/IEC 27000 family of standards assists commercial and governmental organizations in keeping their information assets secure.

Using the ISO 27000 family of standards helps an organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to it by third parties.

ISO/IEC 27001 is the best-known standard in the family, providing the requirements for an information security management system (ISMS).

The current version of ISO 27001 was published in 2013, hence the full name of the current edition: ISO/IEC 27001:2013.

It describes the requirements and best practices for an information security management system, and its purpose is to protect the confidentiality, integrity and availability of the information in an organization. This is addressed by identifying potential problems related to the information (i.e., risk assessment), and then defining what must be done to prevent those problems from happening (i.e., risk treatment).

Therefore, the main philosophy of ISO 27001 is risk management: find out where the risks are, and then systematically treat them by applying appropriate controls.

Basic GDPR

Away from the more interesting technical side of information security, there are always legal and compliance issues. With May 2018 approaching, GDPR is a good topic.

The General Data Protection Regulation (GDPR) is an EU regulation designed to safeguard the personal data of individuals in the European Union (EU), and it binds the organizations that handle that data.

Once it applies from 25 May 2018, the regulation replaces the previous rules, the Data Protection Directive of 1995. As a regulation it applies directly in all EU member states, which gives it an expansive scope. GDPR compliance is meant to guarantee consistent and transparent handling of personal data for all concerned.

Any organization controlling or processing personal data must abide by the GDPR, and compliance comes at a steep cost.
The leading professional services firm PwC suggests that up to 68% of US-based enterprises expect to spend between one and ten million dollars to comply with the GDPR. Even though based abroad, any business handling data of people in the EU is also exposed to GDPR.

Failure to comply is also costly: penalties can reach 20 million euros or 4% of global annual turnover, whichever is higher, in the most serious cases. Other estimates suggest that a large number of businesses will not be compliant in time.

Personal data in scope includes basic identification details, medical records, cultural information, political opinions and gender-related data.

Security is decisive on the internet. In the past, data leaks have compromised individuals and companies alike. Under the forthcoming GDPR, a personal data breach must be reported to the relevant supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of it.

In the United Kingdom, this authority is the Information Commissioner’s Office (ICO). Interestingly, despite Brexit, which will mean the UK leaving the EU, the ICO will still be responsible for enforcing GDPR, a statement that will probably have to be revisited as the Brexit process unfolds.

The GDPR is bound to alter the landscape of data handling. The immediate need to comply with this privacy protection measure has created a sense of urgency in the region. Since so many stakeholders are involved, the precedents this regulation sets will take time to settle.

Series: Security testing

Purpose:

  • Analyze various malware [viruses, trojans, keyloggers] in a sandbox environment
  • Penetration testing [web applications, system testing]
  • Intrusion prevention/detection system deployment, usage and testing
  • Vulnerability management
    • Testing vulnerability management solutions
    • Testing the vulnerabilities themselves
  • Policy compliance
