International Standards Organization (ISO) Compliance
The ISO 27000 series of standards are a catalog of international standards focused on information security and published by the International Standard for Organization. The most prominent from the series are ISO 27001, a management standard that can be audited, and ISO 27002, which prescribes best practices and controls - but is not a certification standard.
Overview:
ISO 27001
ISO 27001 was recently updated after being first released in 2005, is a specification for an information security management system (ISMS). The standard lays out mandatory requirements that are able to be audited and certified. It contains a cycle of four phases that must continually be implemented.
| The Plan Phase | The Do Phase | The Check Phase | The Act Phase |
|---|---|---|---|
| Identify business objectives Obtain management support Select implementation scope Define method of risk assessment Prepare inventory of information assets to protect |
Manage risks Enact policies and procedures Allocate resources and train staff |
Monitor implementation of ISMS Prepare for certification audit |
Conduct regular assessment audits |
ISO 27002
ISO 27002 is not a formal specification and is not certifiable. Instead, it supports ISO 27001 by recommending detailed guidance for addressing information security objectives related to data confidentiality, integrity and availability, and deploying an ISMS. ISO 27002 also recently was updated and contains 114 controls listed under the following main sections:
- Structure
- Securiy Policy
- Organization of Information Security
- Human Resources Security
- Asset Management
- Cryptography
- Physical And Environmental Security
- Operations security
- Communications Security
- Information Systems Acquisition, Development, Maintenance
- Supplier Relationships
- Information Security Incident management
- Information Security Aspects of Business Continuity
- Compliance
- Access Control
Solutions:
Trustwave provides a comprehensive portfolio that can help organizations of any size respond to the ISO 27000 series of standards.
Plan and Prepare
Conducting a Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. Trustwave helps you find gaps that may exist between your current security posture and ISO guidance. The customizable assessments, scaled individually for your organization, include identification of key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.
Address Gaps and Vulnerabilities
Trustwave products and services help organizations respond to the controls listed in the ISO standards and implement best practice suggestions Here’s how we can help:
SIEM
Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.
Network Access Control
Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.
Data Loss Prevention
Allows you to discover and classify sensitive data and prevent it from leaving the network.
Security Awareness Education
Instructs your employees and contractors to understand the threat of social engineering and follow best practices for security, including password management and the safe use of web and social media tools.
Incident Readiness and Response
Prepares your staff to proactively identify the indications of a breach and contain it quickly and efficiently.
Compliance
Identifies areas of risk and establishes the business and technical requirements needed for an effective information security program.
Automate and Manage Compliance
TrustKeeper Compliance Manager helps you to centrally automate and manage controls, policies and procedures across multiple compliance frameworks. Compliance Manager is delivered through our cloud-based management portal TrustKeeper, which provides a real-time view into the status of your compliance and security programs and offers access to all of your managed services. Through one easy-to-use dashboard, you can submit support requests, see event history, run reports and manage your account at any time.
Documentation:
Download the Trustwave Solutions for the Financial Services Industry Data Sheet (PDF).