Economic Sciences. Marketing and Management

 

D. Sikorskyi

Taras Shevchenko Kyiv National University, Ukraine

Information security process based on the Information Security Management System

 

Any activity of a company is accompanied by events that can bring both positive opportunities and danger for the company. Monitoring risks while the corporate strategy is being developed allows the company to be better prepared for any possible situation.

One of these risks is information risk. Information risk is a measure of information security that shows the probability of a threat occurring and the size of the loss for the object concerned [1].

The purpose of this work is to analyse the international information security standard ISO / IEC 27001, which will serve as the platform for modelling the evaluation of information risk.
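As an added illustration of the definition of information risk given above, the following is example code written for this page; it is not a method from the paper, and ISO / IEC 27001 itself leaves the choice of risk methodology to the organization. It keeps a small risk register, scores each asset/threat pair as the probability of the threat event multiplied by the size of loss on assumed five-level ordinal scales, ranks the pairs, and marks those above an assumed acceptance threshold for treatment. The scales, the threshold value of 8 and the register entries are constructed assumptions, not data from the paper.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed five-level ordinal scales; ISO/IEC 27001 does not prescribe them.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair from the register, with its estimated levels."""
    asset: str
    threat: str
    likelihood: str
    impact: str

    def __post_init__(self) -> None:
        # Reject levels outside the scale so a typo cannot silently mis-score a risk.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood level: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact level: {self.impact!r}")


def risk_score(risk: Risk) -> int:
    """Information risk as defined above: probability of the threat event
    times the size of loss, expressed on the assumed ordinal scales."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def decide(score: int, acceptance_threshold: int) -> str:
    """Assumed risk acceptance criterion: scores at or below the threshold are
    accepted; higher scores must be treated (reduced, transferred or avoided)."""
    return "accept" if score <= acceptance_threshold else "treat"


def evaluate(register: List[Risk], acceptance_threshold: int = 8) -> List[Tuple[str, str, int, str]]:
    """Return (asset, threat, score, decision) rows ranked by score, highest first."""
    rows = []
    for risk in register:
        score = risk_score(risk)
        rows.append((risk.asset, risk.threat, score, decide(score, acceptance_threshold)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def assets_to_treat(register: List[Risk], acceptance_threshold: int = 8) -> List[str]:
    """Distinct assets carrying at least one risk above the acceptance threshold."""
    return sorted(
        {asset for asset, _, _, decision in evaluate(register, acceptance_threshold) if decision == "treat"}
    )


# Constructed sample register (not from the paper). The threats mirror the risk
# areas the 2013 revision singles out: data theft, mobile devices, network vulnerabilities.
SAMPLE_REGISTER = [
    Risk("customer database", "theft of personal data", "possible", "severe"),
    Risk("employee laptop", "lost or stolen mobile device", "likely", "major"),
    Risk("public website", "exploitation of a network vulnerability", "possible", "moderate"),
    Risk("printed marketing material", "disclosure", "unlikely", "negligible"),
]

if __name__ == "__main__":
    for asset, threat, score, decision in evaluate(SAMPLE_REGISTER):
        print(f"{score:2d}  {decision:6s}  {asset}: {threat}")
```

The product of two ordinal levels is a common but coarse model; its value here is that the acceptance threshold turns the abstract "size of loss" into a decision the ISMS can record and audit, and that ranking makes the treatment order explicit.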

It is recommended to use standards, guides and regulations for risk evaluation, first of all the documents of the international standardization organizations ISO and IEC (ISO / IEC).

In 1992 the Department of Trade and Industry of Great Britain published the Code of Practice for Information Security Management. It was this Code that later became the core of the international information security standard.

The international standard ISO / IEC 27001:2005 “Information Security Management Systems. Requirements” sets requirements for information security management systems so that a company can demonstrate its capability to protect its own information resources [6].

An Information Security Management System includes important operational procedures such as risk management, document management, records management, internal audit and continual improvement [8].

A new version of the standard was published in 2013 as ISO / IEC 27001:2013 “Information Technology – Security Techniques – Information Security Management Systems – Requirements” (the code of practice for information security controls is its companion standard, ISO / IEC 27002). The main goal of the new version is to provide a more flexible, optimized approach to ensuring effective risk management [3; 4].

The new version includes security factors that keep the standard current and applicable to present-day risks, namely theft of private data, threats arising from the use of mobile devices and other network vulnerabilities [4].

Because the new version of the standard follows the common structure shared by the other ISO management system standards, a company that implements several such standards can save considerably by integrating their policies and procedures. An information security management system under ISO / IEC 27001:2013 therefore needs to be integrated with systems such as the business continuity management system ISO 22301, the IT service management system ISO / IEC 20000-1 and the quality management system ISO 9001 [4].

An organization certified under ISO / IEC 27001:2005 will need to update its information security management system to comply with the requirements of the new version. The British Standards Institution and other certification bodies have not yet published a transition plan to the new version, but there are plans that were used in similar situations with other standards. The transition period is expected to be approximately two years from the moment the new version was published [3; 4].

The number of mandatory clauses increases in the new version of the standard from five to seven (Table 1) [8].

Table 1

Comparison of two revisions of the International Standard ISO / IEC 27001

Structure of ISO / IEC 27001:2005              Structure of ISO / IEC 27001:2013
0. Introduction                                0. Introduction
1. Scope                                       1. Scope
2. Normative references                        2. Normative references
3. Terms and definitions                       3. Terms and definitions
4. Information security management system      4. Context of the organization
5. Management responsibility                   5. Leadership
6. Internal ISMS audits                        6. Planning
7. Management review of the ISMS               7. Support
8. ISMS improvement                            8. Operation
                                               9. Performance evaluation
                                               10. Improvement

 

When auditing an information security management system, the auditor checks that all mandatory clauses of the standard are present. If any clause is missing or ineffective, the auditor cannot recommend issuing the certificate to the company, or the company may have its certificate withdrawn.

An Information Security Management System based on ISO 27001 will:

− make the company's information assets visible and understandable to its management;

− identify the main security threats to existing business processes;

− calculate risks and make decisions based on the company's business objectives;

− ensure an effective management system in critical situations;

− enforce the security policy (find and correct weaknesses in the information security system);

− define personal responsibility;

− reduce the cost of, and optimize, maintaining the security system;

− facilitate the integration of the security subsystem into business processes and integration with ISO 9001:2000;

− demonstrate to customers, partners and business owners the company's commitment to information security;

− obtain international recognition and strengthen the company's standing on domestic and foreign markets;

− emphasize the transparency of the business before the law.

ISO 27001 is internationally recognized as the standard for information security. If an organization holds an ISO 27001 certificate, it means that it has been audited and satisfies the highest criteria for information security management [5].

Thus, the new revision of the international information security standard ISO / IEC 27001:2013 encourages the involvement of leaders in information security management processes. The standard provides an instrument that makes interaction between leaders and risk managers more effective.

Some requirements have become less stringent, which gives flexibility in choosing methods and protective measures. The requirements and measures of the previous version have been significantly optimized and, as a result, many contentious issues have been resolved.

The harmonization of ISO / IEC 27001:2013 with the other current standards issued by the International Organization for Standardization enables companies to integrate their information security management system into existing processes more effectively (provided those processes are built on the methodology of the ISO standards).

So, there are many information security standards, but using any of them brings benefits: a good image for the organization, a demonstration of its stable position, and so on.

 

References:

1. Analytic agency Smyslographiya (2014), available at: http://www.s-graph.ru/Glossary/37/ (Accessed 31 March 2014).

2. Publishing House “Komizdat” (2014), “Security and Risk Management”, available at: http://www.comizdat.com/index_.php?in=ksks_articles_id&id=567 (Accessed 31 March 2014).

3. Information Security (2014), “The Global Standard ISO / IEC 27001:2013. Projection into the Future of the Industry”, available at: http://www.itsec.ru/articles2/pravo/mezhdunarodnyy-standart-iso-iec-270012013.-vzglyad-v-buduschee-industrii-ib/ (Accessed 31 March 2014).

4. Official site of the International Organization for Standardization (2014), “The new version of the Global Standard ISO/IEC 27001 will help to combat particular risks in the sphere of Information Technologies more effectively”, available at: http://www.iso.org/iso/ru/home/news_index/news_archive/news.htm?refid=Ref1767 (Accessed 31 March 2014).

5. Official site “Avista consulting” (2014), available at: http://avista24.ru/sertifikaciya/iso_27001/ (Accessed 31 March 2014).

6. TÜV NORD (2014), “Information security management system according to the Global Standard ISO / IEC 27001:2005”, available at: http://www.tuev-nord.com.ua/index.php/sertsm/isoiec-27001 (Accessed 31 March 2014).

7. Information Security (2014), “Standardization in the information security management sphere: international experience”, available at: http://www.itsec.ru/articles2/pravo/standartiz-v-oblasti-ib-zarubezhn-oput-chast-2 (Accessed 31 March 2014).

8. Intercert Ukraine (2014), “The Global Standard ISO / IEC 27001:2013”, available at: http://intercert.com.ua/articles/posts/292-standart-iso-iec-27001-2013 (Accessed 31 March 2014).

9. TMS Ukraine (2014), “Information security management ISO / IEC 27001:2013”, available at: http://tms-ua.com/standarts/iso-27001-2013/ (Accessed 31 March 2014).