At the HelpAG Security Spotlight Forum, held today in Dubai, the company delved into the world of compliance standards, focusing on a comparative analysis between Information Security Management System (ISMS) standards and Abu Dhabi Security and Information Centre (ADSIC) standards, and on the latest revisions that are likely to come into place across the ISO certification guidelines.
Angelika Plate, director of strategic security consulting at HelpAG, introduced the popular ISO 27001 and ISO 27002 by describing the basic difference between the two. According to Plate, “Where ISO 27001 broadly defines a set of requirements for the implementation of an effective information security management system (ISMS), ISO 27002 exhibits policies and procedures and other controls that must be put in place for effective implementation of an ISMS in an organisation.”
Elaborating on the revision of these standards, Plate said, “The standards body ensures that the new versions of the ISO standards are easy to implement while maintaining a link to previous standards. The idea is to make as little change as possible and as much as necessary.” Plate also pointed out that the ISO revisions will align the updated standards with the ISO 31000 standard, a set of guidelines surrounding holistic and comprehensive risk management in organisations.
Plate also pointed out that the Technical Management Board in 2009 decided to define a set of guidelines encompassing all management systems, “from quality management, information security management, IT management, food security management etc. The board is working in two groups, one that focuses on defining the structure and text for these guidelines and the other focusing on the terms and definitions of content in the guidelines.” The board is expected to complete this set of guidelines by the end of 2011.
In Plate’s opinion, “These standards will have an immense impact on the existing management systems and, because they will combine all the management systems operating within an organisation, we have to get it right. The revisions to the ISO 27001 standards are expected to be complete by 2013 and the ISO 27002 revisions may take just a little longer than that.”
She also shed light on a new standard being developed, based on ISO 27002, that focuses on information security controls for the use of cloud computing services. It is currently in what the standards body calls the “study period”, the period during which the committee decides whether such a standard is necessary and what its content should be.
Speaking on the recent ADSIC certification requirements, Plate defined the standard as a combination of ISO 27001, ISO 27002 and other sources. “ADSIC and ISMS standards both require risk assessment, risk treatment and control implementation, in that the control guidelines across both these standards are quite similar, with some differences. Organisations can get certified across both standards,” explained Plate.
She then went on to provide guidelines on how companies can get certified against both the ISMS and ADSIC standards by planning and combining the certification requirements across every process, from assessment to implementation.
She was followed on stage by Symantec’s Andreas Zengel, CISSP and security architect, who spoke at length about Symantec’s email encryption solutions.
“In the current environment, IT has become less system-centric and more information-centric. Data is more collaborative, unstructured and distributed. People are the new perimeter. We realise that the key trends in security now include sophisticated attacks, a complex heterogeneous infrastructure, information explosion and increased incident cost. Faced with this, organisations need to go beyond on-premise protection and traditional perimeter protection to implementing security solutions that focus on people and growing mobility,” said Zengel.
He defined the Symantec strategy as encompassing data loss prevention (DLP), encryption and authentication to protect organisations from new threats. Zengel stressed the fact that email is one of an organisation’s most vulnerable information assets. “An organisation’s email resides at multiple points and is exposed to innumerable risks at every one of these points. From the organisation’s server to the recipient’s server and then finally to the end system, information in email may be compromised at any point and therefore SSL/TLS security alone is never sufficient.”
He then used the opportunity to elaborate on Symantec’s email encryption solutions available today and demoed some of them to the end users as well.
Palo Alto Networks, FireEye and BlueCoat are set to speak at the forum later in the day, giving end users an opportunity to witness presentations of new products and solutions developed to cater to the increasingly complex security needs of organisations in the region.
The HelpAG Security Spotlight Forum is organised every quarter to highlight the latest trends in security solutions and software, while discussing the evolving threat landscape and best practices to mitigate risk.