Strategic Consulting

ADSIC

About ADSIC
In 2007, the Abu Dhabi Systems & Information Centre (ADSIC) developed a strategic vision for an Information Security Programme that provides a holistic approach to enhancing information security for the Abu Dhabi Government. This programme goes beyond the traditional view of information technology to ensure that sensitive Government information is protected throughout its lifecycle within a service as well as within the automated systems where data is processed.


The vision, goals, and policy statements of the Information Security Programme are based on a set of well-known standards, including ISO/IEC 27001 and 27002. These standards have been tailored to fit the specific requirements of the Abu Dhabi Government. The ADSIC standards include the following components:

 

- The Abu Dhabi Information Security Policy establishes overall direction for the Government-wide Information Security Programme and its roles and responsibilities

- Supporting the Information Security Policy is the Information Security Standards document, which provides the controls necessary to meet the Programme's management and functional policies. The controls in the Information Security Standards document relate to 51 control objectives that identify the unique target states for each of the 14 policies. These objectives constitute the major initiatives of the Information Security Programme and are aligned with ISO 27002

- ADSIC has also developed a series of procedural and functional guides. These guides provide detailed instructions on how to implement management and functional control processes:

  Procedural Guides
  - Abu Dhabi Risk Management Guide
  - Abu Dhabi Risk Assessment Guide
  - Abu Dhabi Information Security Planning Guide
  - Abu Dhabi Security Testing & Evaluation Guide
  - Abu Dhabi Certification & Accreditation Guide

  Functional Guides
  - Abu Dhabi Information Security Technical Testing Guide
  - Abu Dhabi Policies and Procedures Guide

 

ADSIC Services
An important part of help AG's Strategic Security Services concentrates on the implementation of the ISMS standards; several of the trainings offered also relate to ISO/IEC 27001, and help AG has extensive experience in providing these services (further information upon request).


help AG can assist your organization in:

• Preparing for ADSIC Certification and Accreditation
• Carrying out Risk Assessment and Risk Treatment
• Developing the Information Security Plan
• Configuration Reviews, Vulnerability Tests, Penetration Tests and Application Assessments
• Joint ISO/IEC 27001 and ADSIC Implementation

Preparing for ADSIC Certification and Accreditation
More and more government entities in Abu Dhabi are aiming to achieve ADSIC certification and accreditation. help AG can support them by leading them through the steps of implementing the ADSIC standards, such as carrying out risk assessment and risk treatment, selecting controls, or developing the Information Security Plan.


Risk Assessment and Risk Treatment
An important element of the ADSIC Security Standards is risk assessment. It is used to determine the amount of information security needed by going through the following steps: Determine Scope of the Assessment; Identify and Characterise Assets; Assess Impact; Identify Threats; Identify Vulnerabilities; and Determine Risk.


This is followed by Information Security Planning, Step 2 of the Risk Management process, where the government entity formulates a plan for the best way to reduce the identified risks and follows it up with a course of action. The ADSIC Information Security Standards document is used to determine appropriate controls for a specific risk profile. Subsequently, Security Testing and Evaluation determines whether the risks have been properly treated.

Developing the Information Security Plan


A core document in the ADSIC Security Programme is the Information Security Plan.  This plan documents the controls that have been implemented and provides evidence about details of the implementation.

 

Joint ISO/IEC 27001 and ADSIC Implementation
As the Information Security Programme is based on ISO/IEC 27001 and ISO/IEC 27002, the combined implementation of ISO/IEC 27001 and ADSIC seems a natural choice for all those organizations having to comply with the ADSIC scheme and, at the same time, wishing to have a management system that is internationally recognised.


As several of the requirements of the ADSIC Security Standards and of ISO/IEC 27001 are similar and have considerable overlap, help AG has developed a combined methodology that merges the requirements of both standards, where possible, to avoid duplicated work and to minimize the time and resources needed in these processes. This combined methodology has been discussed with ADSIC and has been successfully applied in a number of combined ISMS and ADSIC projects.

BS 25999-2

About BS 25999-2

The British standard BS 25999-2 contains requirements for a business continuity management system.  The interest in business continuity is constantly growing, and while currently no international standard for a business continuity management system exists, certificates can only be given against the British standard BS 25999-2. The corresponding international standard is currently under development.

 

BS 25999-2 is supported by another British standard, BS 25999-1, which specifies a set of controls to support the management system. Whilst BS 25999-2 contains requirements, the controls contained in BS 25999-1 are optional, and it is up to the organization applying the standards to choose from them.

 

BS 25999-2 Services

help AG's Strategic Security Services include the implementation of BS 25999-2; several of the trainings offered also relate to BS 25999-2, and help AG has vast experience in providing these services. In addition, help AG has developed the Business Continuity Framework for aeCERT.

 

help AG can assist your organization in:

 

  • Preparing for BS 25999-2 certification
  • Carrying out Business Impact Analyses and Business Continuity Risk Assessments
  • Gap Analysis against BS 25999-2 and BS 25999-1
  • Internal BCMS Audit
  • Implementation of Combined Management Systems
ISO/IEC 20000-1

About ISO/IEC 20000-1
The IT Service Management System (ITSMS) standard ISO/IEC 20000-1 was published by ISO in 2005, based on the British Standard (BS) 15000, and has been very successful; the number of certifications against it is constantly growing around the world. There is close collaboration between the standards committee responsible for ISO/IEC 20000-1 (ISO/IEC JTC 1 SC 7 / WG 25) and the standards group developing the 27000 series of standards. One of the reasons for this is the development of ISO/IEC 27013; more on this, and on the involvement of Dr. Angelika Plate in these activities, can be found under Standards.


ISO/IEC 20000-1 specifies the requirements for an IT Service Management System (ITSMS), and organizations successfully implementing the requirements of ISO/IEC 20000-1 can be certified against this standard. help AG offers a number of services around the implementation of this standard.


ISO/IEC 20000-1 is supported by a set of other standards and has been harmonized with the other management system standards ISO 9001:2000 and ISO 14001:2004 to facilitate combined implementations.

ISO/IEC 20000-1 Services
Implementing ISO/IEC 20000-1 is a growing business in help AG’s Strategic Security Services and several of the trainings offered also relate to ISO/IEC 20000-1.


help AG can assist your organization in:

- Preparing for ITSMS certification

- Building IT Service Management Processes

- Gap Analysis against ISO/IEC 20000-1 and other parts of the ISO/IEC 20000 series

- Internal ITSMS Audit

- Implementation of Combined Management Systems

ISO/IEC 27001

About ISO/IEC 27001

The ISMS standard ISO/IEC 27001 was published by ISO on 15th October 2005 and has been a tremendous success story ever since; the number of users and certificates is constantly growing. It was developed by the standardization committee ISO/IEC JTC 1/SC 27.


ISO/IEC 27001:2005 specifies the requirements for an Information Security Management System (ISMS), and organizations successfully implementing the requirements of ISO/IEC 27001 can be certified against this standard. An ISMS uses a risk-based approach to develop information security in an organization in support of its business requirements, and uses measurements to ensure the effectiveness of the implemented controls. help AG offers a number of services around the implementation of this standard.


ISO/IEC 27001 is supported by a set of other standards and has been harmonized with the other management system standards ISO 9001:2000 and ISO 14001:2004 to facilitate combined implementations. ISO/IEC 27001 has also been the basis of the ADSIC Security Standards, and help AG has developed a methodology to facilitate a joint implementation of both standards.

 


ISO/IEC 27001 Services
An important part of help AG's Strategic Security Services concentrates on the implementation of the ISMS standards; several of the trainings offered also relate to ISO/IEC 27001, and help AG has vast experience in providing these services.

 

help AG can assist your organization in:
• Preparing for ISMS certification
• Carrying out Risk Assessment and Risk Treatment
• Gap Analysis
• Internal ISMS Audit
• Implementation of Combined Management Systems
• Joint ISO/IEC 27001 and ADSIC Implementation


 

Preparing for ISO/IEC 27001 Certification

More and more organizations are interested in achieving certification against ISO/IEC 27001. There are many benefits and motivations for an organization to become certified, including implementing a management system to obtain reliable information security and better internal control, fulfilling requirements of business partners, or signalling to customers and business partners that the organization's operations are secure.


help AG supports organizations in achieving the ISMS certificate, by leading them through the important ISMS processes (scope definition, carrying out risk assessment and risk treatment, defining the statement of applicability, conducting internal audits, carrying out management reviews and all the other ISMS processes required).

 
Risk Assessment and Risk Treatment
The core element of an ISMS is risk assessment. It is used to determine the amount of information security needed by the organization, based on the business requirements, and risk treatment determines how the information security objectives are achieved. ISO/IEC 27001 sets clear requirements for risk assessments, including asset identification, asset valuation, identification of threats and vulnerabilities, and assessment of their likelihood.


Essential questions in this context are how to obtain all the relevant information, what the appropriate level of detail is, and how to ensure that no important risks are overlooked. help AG has developed a method for conducting ISMS risk assessments that ensures quality output and has been successfully tried and tested in many ISMS implementations. help AG has also developed the tool RA2 art of risk to support the risk assessment and treatment activities; it helps manage the amount of information processed and eases the regular updating process.


The details on how to conduct a risk assessment might vary, depending on the requirements to be fulfilled (e.g. if a combined ADSIC and ISMS implementation is to be achieved). The requirements in ISO/IEC 27001 are flexible enough to allow other requirements to be addressed at the same time.


Carrying out Gap Analysis
ISMS Gap Analysis (also known as Readiness Assessment or Compliance Check) checks the organization's arrangements against the requirements in ISO/IEC 27001 and the controls contained in ISO/IEC 27002.  Organizations can use gap analysis to check their information security status, or how far they are from achieving ISMS certification. The results of this gap analysis identify all ISMS processes and controls that are not or not completely and correctly implemented, and identify ways of improvement.  Gap Analysis is often used as a first step in ISMS certification.

 
Conducting Internal ISMS audits
Regular conduct of internal ISMS audits is a requirement of ISO/IEC 27001, so any organization wishing to implement or already operating an ISMS needs to ensure that internal ISMS audits take place as planned. In this context, it is important to understand that the internal ISMS auditors need to be independent of the area being audited, i.e. people involved in the implementation and/or operation of the ISMS cannot audit their own work. In addition, internal ISMS auditors should be sufficiently competent to carry out ISMS audits.

 


One solution an organization can use is to employ an external party to conduct the internal ISMS audits. Even though that sounds contradictory, it is a perfectly viable solution, provided the external party itself is independent of the ISMS implementation.


The internal ISMS audits can also be combined with other, more technical activities, such as vulnerability assessments, penetration tests, application assessments and network security architecture reviews to carry out a comprehensive IT audit, covering all aspects of information security.

 
Implementation of Combined Management Systems
ISO/IEC 27001 can be combined with other management systems, frequently applied combinations are:


• ISO/IEC 27001 and ISO/IEC 20000-1: This is a useful combination especially for IT departments or IT service providers, as ISO/IEC 20000-1 is highly IT oriented. Both standards have some overlap and address similar topics, just with a different aim, so a combination can reduce the resources and time required.


• ISO/IEC 27001 and BS 25999-2: Another useful combination of management systems is for information security and business continuity. One of the benefits of a combined implementation is that both standards need a risk assessment to be performed, and as information security incidents can lead to business continuity incidents and vice versa, it is important to have a connection between the management systems.


• ISO/IEC 27001 and ISO 9001 / ISO 14001 / OHSAS 18001: Other management system standards can also easily be combined with ISO/IEC 27001; which of these standards is chosen for the combination depends on the business objectives of the organization applying it. All these combinations are possible and also help save time and resources, as all management system standards have elements in common. This fact has led ISO to consider a common structure and identical text for all management system standards.
 

Joint ISO/IEC 27001 and ADSIC Implementation
The Abu Dhabi Systems & Information Centre (ADSIC) has developed a set of security standards that are based on ISO/IEC 27001. Therefore, the combined implementation of ISO/IEC 27001 and ADSIC seems a natural choice for all those organizations having to comply with the ADSIC scheme and, at the same time, wishing to have a management system that is internationally recognised.


As several of the requirements of the ADSIC Security Standards and of ISO/IEC 27001 are similar and have considerable overlap, help AG has developed a methodology which combines the requirements of both standards, where possible, to reduce heavy workload and minimize time and resources in these processes. This combined methodology has been discussed with ADSIC and successfully applied in a number of combined ISMS and ADSIC projects.

 
ISO/IEC 27000 Series of Standards
In addition to the development of ISO/IEC 27001, SC 27 is working on several other standards that support the implementation of ISO/IEC 27001 and which might be an interesting read for all those wishing to implement an ISMS.

 

The following is an overview of the standards of the ISO/IEC 27000 series currently published or in development in SC 27, with their status of development:

 

• ISO/IEC 27000: 2009, Information security management systems - Overview and vocabulary (1st edition, currently under revision) – this standard is freely available, contact Dr. Angelika Plate for details
• ISO/IEC 27001: 2005, Information security management systems - Requirements (1st edition, currently under revision) – Dr. Angelika Plate is the project manager of this revision
• ISO/IEC 27002: 2005, Code of practice for information security controls (1st edition, currently under revision)
• ISO/IEC 27003: 2010, Information security management system implementation guidance (1st edition)
• ISO/IEC 27004: 2009, Information security management measurements (1st edition)
• ISO/IEC 27005: 2008, Information security risk management (2nd edition)
• ISO/IEC 27006: 2007, Requirements for bodies providing audit and certification of information security management systems (1st edition, currently under revision) – Dr. Angelika Plate is the project manager of this revision
• ISO/IEC 27007: 2010, Guidelines for information security management systems auditing (under development) – Dr. Angelika Plate is the project manager of this development
• ISO/IEC 27008: 2010, Guidance for auditors on ISMS controls (under development)
• ISO/IEC 27010: 2010, Information security management for inter-sector and inter-organizational communications (under development)
• ITU-T X.1051 | ISO/IEC 27011: 2008, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 (1st edition)
• ISO/IEC 27013: 2010, Guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001 (under development)
• ISO/IEC 27014: 2010, Governance of Information security (under development)
• ISO/IEC 27015, 2010, Information security management guidelines for financial services (under development)
• ISO/IEC 27016: 2010, Information security management -- Organizational economics (under development)

 

PCI-DSS

About PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.


Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce credit card fraud resulting from its exposure. Validation of compliance is done annually by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes. The latest version is 2.0, which needs to be adopted from 1st January 2011 onwards.


PCI-DSS Services
help AG’s Strategic Security Services include support in implementing the PCI-DSS standard.


help AG can assist your organization in:

 

  • Preparing for QSA assessments
  • Vulnerability Tests and Penetration Tests
  • Implementation of information security controls (firewalls, IPS, etc. as well as procedural controls and documentation)
Standards

Involvement in Standardization
Dr. Angelika Plate, the Director of the Strategic Consultancy Services at help AG, has been involved in information security standardization in ISO/IEC JTC 1/SC 27, the standards group dealing with the ISMS standards, since 1994. There, she has successfully completed the editorship of the world-wide well-known standard ISO/IEC 27002:2005 Code of practice for information security management and of ISO/IEC 27006:2007 Requirements for bodies providing audit and certification of information security management systems.

In addition, she is currently editing the ISMS auditor guidelines standard ISO/IEC 27007 and has also been selected as editor of the revision of ISO/IEC 27001 Information security management system requirements, which is currently ongoing.  This revision will have a major impact on the standard as there is a new ISO initiative to harmonize all management system standards through the use of a common structure and identical text.

UAENC 27
In collaboration with ESMA (Emirates Authority for Standardization and Metrology) and aeCERT, Dr. Angelika Plate has recently established a UAE mirror committee for SC 27, called UAENC 27 (United Arab Emirates National Committee 27). A first meeting has already taken place, and further meetings are planned to discuss UAE contributions to the international standards work in SC 27.

Training

Strategic Security Trainings offered by help AG
There is a set of trainings related to strategic security, management system standards and other topics related to these areas offered by help AG, including:

 

  • ISO/IEC 27001 and all related standards, including their implementation
  • BS 25999-2 and all related standards, including their implementation

These training sessions can take place in collaboration with other organizations or in-house, as it suits your organization.


In addition, other trainings concentrating on particular topics, such as business impact analysis, risk assessment, treatment and management, measuring the effectiveness of information security controls and processes, and many more, can always be offered.

Training Partners
help AG’s Strategic Security Services is currently collaborating with the following organizations to offer trainings:

 

  • ISO – Dr Angelika Plate has been chosen by ISO as their presenter for ISO/IEC 27001 related courses around the world, two of which have already taken place this year; more are being planned
  • IIR ME – The well-known course provider is collaborating with Dr Angelika Plate to provide a set of courses