header-banner-image

Information technology-Security techniques

Information security management systems

Date: 16th May 2017 - 12:06 pm

UNI CEI ISO / IEC 27001 Information Security, Information technology - Security techniques - Management Systems for Information Security.

The information, in any form or support is the object of the UNI CEI ISO / IEC 27001, and must be kept confidential, confidentiality, availability and integrity.
As realized by the company in participation in Consulenza Integrata is a real management system and includes: the exact definition of the certification, the documents required by the standard, conducting Internal Audits and intrusion tests in the computer system.

For the realization, implementation and maintenance of a management system for information security in accordance with the UNI CEI ISO / IEC 27001: 2014 it is necessary to identify a manager for information security and a Company System Administrator that has the appropriate skills HW and SW.


Implementation of Information Security Management System
In this stage, the Consulting will be implemented:

Defining the organization's context in accordance with ISO 31000 Risk Management Principles and Guidelines
The definition of the purpose and the scope for certification ISO / IEC 27001
The assessment and risk management of risks
The Applicability Statement (Statement of Applicability S.O.A.) as per Appendix A of ISO / IEC 27001 which provides 114 controls
The Information Security Policy
The Informatics Security Policy
Letters of appointment
The list HW equipment and SW
Applications list and licensing
Integration of Quality Manual with aspects of ISO / IEC 27001
Integration of quality procedures with aspects of the 27001
Procedures for back-up, disaster recovery, disaster recovery
Procedures for business continuity, management of cyber incidents with support, to the extent applicable, the Administrator of the System.

the points of the UNI CEI ISO / IEC 27001: 2014:

Introduction
1. Purpose and scope of application / Presentation of the Company
2. Normative References
3. Terms and Definitions
4. Context of 'Organization
4.1 Understanding the organization and its context with Risk Management according to ISO 31000 Risk Management Principles and Guidelines
4.2 Understanding the needs and expectations of stakeholders
4.3 Determine the scope of the management system
4.4 Management system for information security
5. Leadership
5.1 Leadership and Commitment
5.2 Policy
5.3 Roles, responsibilities and authority in the organization
6. Planning
6.1 Actions to address risks and opportunities, Risk Management
6.1.1 General
6.1.2 Risk assessment related to information security
6.1.3 Risk Treatment related to information security
6.2 Objectives for the security of information and planning to achieve them
7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8. Operational Activities
8.1 Planning and Operational Control
8.2 Risk assessment related to information security
8.3 Risk Treatment related to information security
9. Evaluation of Performance
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management review
10. Improvement
10.1 Non-compliance and corrective actions
10.2 Continuous improvement
APPENDIX A CONTROL OBJECTIVES AND REFERENCE CHECKS

Taining course aimed at the Head of the Information Security and to all personnel involved

Identification of the person responsible for information security and a system administrator

Planning of training activities with the person responsible for IT security.

The objective of is to create, adopt and implement all the participants, in accordance with the reference standard UNI CEI ISO / IEC 27001: 2014, for an Information Security Management System, which will bring a real added value to the Organization , trying to share the concept that it must serve above all to users.

Internal Audit and Penetration Test

At this stage you need to make a "penetration testing" of computer systems and defenses provided by the Company, test that should be performed by "competent external supplier."
To complete the "penetration testing" there is an internal audit on computer security system to verify compliance with the UNI CEI ISO / IEC 27001: 2014.

Management Review
Acquisition of the necessary information and preparation of the Management Review document.

Certification audit
Assistance during the conduct of the visit by certification body CB chosen during stage 1 and stage 2.
Expected Result: certification according to UNI CEI ISO 27001: 2014.

Maintenance and improvement of a Quality Management System for Information Security

Following the certification counseling will develop in the following phases:

Internal Audit and Review

Adaptation of the Manual, the Forms and related procedures, preparing the Regular review and analysis of the information collected on the performance of the Information Security Management System

Assistance during Audit Supervisory on the part of certification body CB