Article | REF: G9060 V2

Standards ISO 2700x - Towards the governance of the security of information systems

Author: Gilles TENEAU

Publication date: April 10, 2018

You do not have access to this resource.
Click here to request your free trial access!

Already subscribed? Log in!


Overview

Français

ABSTRACT

At the end of the 1990s the British Standards Institution published a document specifying the requirements for the implementation of the Information System Management of Security (ISMS). This document has now become the series of ISO 27000 standards. It is based on a set of definitions, recommendations, and safety requirements. These standards can be applied to the security information system as well as to specific areas. The ISMS provides guarantees on the company's ability to control costs and priorities in terms of investment and budget policies concerning business challenges and security risks.

Read this article from a comprehensive knowledge base, updated and supplemented with articles reviewed by scientific committees.

Read the article

AUTHOR

  • Gilles TENEAU: Doctorate in management science, associate researcher at LEMNA (University of Nantes), professor at CNAM IDF and ESC Amiens, President of the research center for organizational resilience, ITIL Accredited Trainer.

 INTRODUCTION

Since the early 2000s, the ISO 27000 family of standards (information systems security) has been growing steadily. It seeks to answer the questions that CISOs (information systems security managers) may ask themselves:

  • how to audit IS security : ISO 27001  ;

  • how to build an ISMS (Information Security Management System) : ISO 27003  ;

  • how to manage risk : ISO 27005  ;

  • how to manage business continuity following a disaster : ISO 27031  ;

  • how to manage security incidents : ISO 27035 .

From the point of view of Sylvain Laborde, ISO 27001 auditor, a project to implement security management is a cross-functional project; while the IT department is, in fact, involved, several other departments may also be impacted. The project concerns the entire hierarchy of the organization. The success of the project depends essentially on the involvement of all the people concerned in the company, from top management downwards.

A project to implement information systems security follows the logic of the Deming wheel. The PLAN phase, which involves setting objectives, is made up of four main stages: definition of scope and policy, risk assessment, risk treatment, selection of security measures. A DO phase, comprising the following steps: planning risk treatment, generating meaningful indicators, training and raising staff awareness, day-to-day management of the ISMS, incident detection and response. The ISO 2700x suite of standards calls for the implementation of control measures: this is the CHECK phase (based on audits, controls and reviews). If deviations from objectives are detected, the ACT phase will enable corrective, preventive and improvement actions to be taken.

The implementation of a safety management system guarantees the adoption of best practices and increased reliability, while certification by an independent body ensures the confidence of the company's stakeholders (customers, suppliers, shareholders, banks, authorities, etc.). The ISO 27000 series is currently being finalized, and enjoys unanimous international support. This standard is beginning to interest more and more French entrepreneurs, not only because of its normative nature, but also because it is complementary to another standard...

You do not have access to this resource.

Exclusive to subscribers. 97% yet to be discovered!

You do not have access to this resource.
Click here to request your free trial access!

Already subscribed? Log in!


The Ultimate Scientific and Technical Reference

A Comprehensive Knowledge Base, with over 1,200 authors and 100 scientific advisors
+ More than 10,000 articles and 1,000 how-to sheets, over 800 new or updated articles every year
From design to prototyping, right through to industrialization, the reference for securing the development of your industrial projects

This article is included in

Industry of the future

This offer includes:

Knowledge Base

Updated and enriched with articles validated by our scientific committees

Services

A set of exclusive tools to complement the resources

Practical Path

Operational and didactic, to guarantee the acquisition of transversal skills

Doc & Quiz

Interactive articles with quizzes, for constructive reading

Subscribe now!

Ongoing reading
ISO 2700x standards: towards information systems security governance