Protecting the company's information resources on the basis of the international standard ISO/IEC 27001:2013

"Whoever owns the information owns the world"

Today, the largest share of companies' financial losses from information security incidents comes from financial fraud. At the same time, almost no attention is paid to the security of the business processes themselves and of the applications that support them.

The role of information security

It is no secret that the activities of any commercial organization are aimed primarily at making a profit. The organization's core business processes (for example, production, sales, logistics) are focused on achieving this primary objective. There are also a number of supporting processes, among them information technology and information security (IS), aimed at providing the infrastructure on which the core processes run. It is reasonable to assume that the management of virtually any organization wants its processes to be controlled, to function as they were designed, and to keep to a minimum the number of errors or malicious actions by the organization's employees, business partners and other parties involved in its business processes.

The role played by information security measures and tools in the internal control process should not be underestimated. For example, controls such as the separation of duties in information systems in accordance with users' job responsibilities, functionality that does not allow certain transactions (e.g. above a certain limit) to be performed without the approval of responsible persons, integrity checks on data transmitted between systems, and other similar controls are directly related to information security, as they directly affect the confidentiality, integrity and availability of data within the company's business processes.

Business process security

The relationship between business and IT has been discussed for a long time: there are established standards and methodologies that define the correspondence between business goals and IT goals, give specific recommendations for IT management, and provide relevant metrics.

However, when it comes to information security, the connection between companies' business objectives and the appropriate measures and tools in this area is not so obvious, as the results of various studies show. This problem is particularly acute among the professionals directly responsible for information security in organizations. Sometimes one observes a situation in which the information security department lives its own life, separate from the organization as a whole, dealing, for example, only with network perimeter protection and paying no attention to the security of the business applications the company uses.

Which business goals can actually be the factors driving information security?

Three such goals can be named:

– increasing the manageability of business processes through the implementation of internal controls;

– ensuring the organization's compliance with applicable laws;

– business continuity and disaster recovery through improved reliability and recoverability of IT.

Business continuity

Another pressing issue for organizations today is business continuity. Since the involvement of organizations in e-business keeps growing, and in some sectors, such as banking and telecommunications, doing business without IT is not possible at all, the losses from even small delays can be disastrous.

In general, ensuring business continuity is a complex task that should be initiated directly by the business and that includes many components, often unrelated to IT and IS. However, many of the questions considered within this discipline are the direct responsibility of the IS function, in particular:

– classification of data and information systems;

– definition of backup and recovery requirements;

– system availability management;

– incident management.

It is important to note that the introduction of technical measures cannot close all the questions associated with business continuity and disaster recovery. Careful elaboration of organizational measures is also required: actions in crisis situations, the formation of recovery teams, the introduction of alternative procedures for operating business processes, internal and external communications, etc.

The whole business continuity planning process should be based on risk analysis and take into account the business requirements for the recovery of specific systems and data.

As practice shows, the whole process is now often left at the mercy of the IT or IS service, which may not have the authority to influence the business in matters of continuity. As a result, a bias towards technical solutions can arise, i.e. a situation in which the company's IT infrastructure is ready for failures and interruptions but the business itself is not.

Adequate assessment

To achieve the goals of business process security, information protection and business continuity, the international standard ISO/IEC 27001:2005 was developed. The benefit an organization receives from implementing an information security management system (ISMS) and certifying it against ISO/IEC 27001:2005 is not so much a certificate to show partners, investors and other interested parties as the construction of an effective infrastructure supporting business processes, one aimed at minimizing the number of failures, errors and malicious acts while at the same time remaining controllable. As a reference point or road map for building this infrastructure it makes sense to use, for example, various standards, methodologies and models.

Today, the number of information security management systems certified under ISO/IEC 27001 worldwide exceeds 3,500, and it is constantly increasing. Kazakhstan is no exception in this process: large companies are showing great interest in ISO/IEC 27001. Many companies implement an ISMS and want to obtain a certificate.

The initiative to implement an ISMS based on ISO/IEC 27001

The initiative to create the system and keep it functioning effectively must come from the company's management; this ensures that all employees of the company follow the procedures accurately and treat the process with care. Without management support, operating the ISMS will be difficult or almost impossible to maintain, since the process requires constant interaction between the various units, and the information security department (IS) alone will not be able to organize this.

In summary, I would like to emphasize the following basic ideas:

Information security, although a supporting process, is an important component of the company's operational reliability.

Like other processes, information security must be managed. When building the management system it is desirable to draw on the experience captured in accepted models, methodologies and standards.

Efforts to comply with international standards in the field of information security should first of all be aimed at improving the company's internal processes.

