The first and foremost task to do after your certification process is to mitigate all non-conformities/non–compliances that were identified during your certification audit. This must be completed before your surveillance audit is due. Auditors will not be happy to see any of their findings to re-appear again in the following audits. If any of your policy or procedure documents require to be updated, ensure that you document these changes (version control within the documnet), get these document reviewed, approved by management and circulated to authoirzed people.
Archive for April, 2007
Password Management
Apr 7
Let me narrate a small story here to show you how a server administrator and an Information Security Officer (ISO) of an organization struggle to protect organization assets.
ISO of the organization has the password policy written and it says that the user password should be
• minimum of 8 characters long
• password lock-out at 3 failed attempts
• expires once in every 45 days
• Should be a combination of uppercase, alpha-numeric and special characters
Policy handed over to the server administrator and it has been implemented across the organization.
Reasons to avoid change
Apr 4
Some reasons that is commonly given by organization members to avoid change in the process.
1. Nothing has happened for the past X years. What is going to happen now and why do you want all these security
2. How is the organization benefited out of implementing information security practices…??? How much will be the profit…???
ISMS Implementation Guide is one of my first white papers which was written out of my personal experience in implementing Information Security practices in an organization using the BS ISO/IEC 17799:2005 framework. This paper is intended to give an insight and help, those who are implementing this for the first time and for those who will be coordinating with external consultants for ISMS implementations in their organizations.
Please download the document here:
ISMS Implementation Guide
Organizations that intend to do a partial implementation of Information Security practices using BS ISO/IEC 27001:2005 need to note down these points which is a part of the standard.
Refer to your BS ISO/IEC 27001:2005 document under point 1 Scope.
1. Scope
1.1 General
This international Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This international Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.