The Difficulty of Achieving ISO 27000 Standards
5th Oct 2016
The ISO/IEC 27000 series is an ever-expanding family of International Standards for Information Security Management Systems, formulated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Organizations, whether large or small, hold their information security in very high regard. Information security actually protects and promotes the success of a company (or leading organization). A secure organization is a functional network of humans and machines that keeps the infrastructure of a company intact, fully functional and protected from outside attacks. To achieve this level of information security, the ISO/IEC 27000 series (for Information Security Management Systems) was created and is regularly updated to remain relevant.
The ISMS and its succeeding standards do not only protect an organization's best-kept secrets. Information, accounts, data, profiles, resumes, important user information (employees), members and clients are all protected by the Information Security Management System. Unauthorized (outside) access can be extremely damaging, and criminals often go after essential data, which may include bank accounts, governmental information, IDs, licenses / license numbers; the possibilities are endless.
Actually using the ISO/IEC 27000 series is not something that any layman can do. Even the most experienced IT employee or computer engineer may encounter several blunders when trying to implement ISO/IEC 27000. Some of the pitfalls encountered by early users of the ISO/IEC 27000 series were related to a lack of proper definition and explanation. This is obviously a huge problem for those trying to maintain the information security standard presented. The ISO/IEC 27000 family recently gained a new member, ISO/IEC 27000 Information security management systems - Overview and vocabulary (2009). This International Standard serves as an overview and a reference for the terms used when formulating an information security plan. This is just one of the many functions that ISO/IEC 27000 provides (along with the other members of the family).
ISO/IEC 27000 Information Security Management Systems (ISMS), bearing the title Information technology - Security techniques - Information security management systems - Overview and vocabulary, further expands its reach to include many untouched areas of information security, including:
- formulating new standards
- keeping the Information security management system(s) updated (to help organizations maintain their information security background and ensure that they are providing the very best information out there)
First, let's point out the differences between computer security and information security. Computer security defends the computer system itself and ensures that access to the machine's operations is not made available to unauthorized parties. Information security, by contrast, protects the information and data stored and processed inside a computer by ensuring that their confidentiality, integrity and availability are not compromised in any way (whether by copying to external devices, printing, forwarding, emailing, etc.). Computer security and information security differ in their functionality, mechanisms and pathways toward achieving their respective goals. Nevertheless, both security disciplines work well together and share the goal of protecting the CIA triad of information security (confidentiality, integrity and availability), an important information security service that has helped large operational agencies, companies, government agencies, finance, business and the military itself.
The ISO/IEC 27000 International Standard also provides an updated look at the ISO/IEC 27000 series as a whole, giving a complete overview of the essential standards inherent to the ISO/IEC 27000 family of Information Security Management Systems (ISMS). The new edition of the ISO/IEC 27000 series includes a unique set of fundamental terms that are used throughout the whole of ISMS. This vocabulary set (and overview of the whole series) offers a significant solution to the most common problem facing authors who were using the previous series: unfamiliarity with, and ignorance of, the essential fundamental terminology used in ISMS. The constant change and influx of information from the world wide web make things difficult to predict. Inevitably, confusion and error will occur before a truly successful system of information security is implemented by most users.
Another serious problem is the inability of many authors to adhere to the standards presented in ISO/IEC 27000. Some users of the ISO/IEC 27000 International Standard do not take the time to fully grasp the terms used, or neglect to understand their purpose. This approach creates a serious problem when a system undergoes formal assessment. Many of the previous formal assessments that were devalued were noted to have used terms that were unnecessarily complicated or difficult to understand.
Being the overview and guide for the other International Standards, the ISO/IEC 27000 helps guide users toward creating the most efficient Information Security Management Systems possible.
________________________________
Want to know more about the ISO/IEC 27002 standard and prepare for a formal certification exam? Register for the ISO/IEC 27002 Foundation Class.