Tuesday, April 01, 2008

Information Security

The ISO survey (PDF link) published in 2007 included for the first time a section on ISO/IEC 27001:2005, a management system for information security. My interest has been in ISO 9000 but there is an overlap in how management systems work through documentation and learning. Standards could be relevant for the current research project. The Management School did contribute to the KE project.

In the UK there is now declining interest in ISO 9000. However, the number of certificates on the planet continues to increase. I wrote a story on this for OhmyNews, mostly about the numbers in China.

Selected numbers of certificates from the 2006 survey on ISO/IEC 27001:2005:

United Kingdom 486
India 369
Japan 3,790

So although the UK has some base for this, enough not to need to outsource all data management anytime soon, the number of certificates for Japan is striking. Could it be that there is some practical reason for this?

A web search finds a couple of PDF documents that help in understanding what the standard is about; both are from consultants, so look out for rhetoric.

Form for checking readiness from ATSEC

Information Security and ISO27001 – an Introduction from ITgovernance

The form mentions four areas where records may exist:

Nonconformities
Preventative and corrective
Training plans for your employees
Regular reviews of ISMS

The introduction includes a reference to the PDCA cycle:

The PDCA cycle is the Plan-Do-Check-Act cycle that was originated in the 1950s by W. Edwards Deming and which says that business processes should be treated as though they are in a continuous feedback loop so that managers can identify and change those parts of the process that need improvement.
The process, or an improvement to the process, should first be planned, then implemented and its performance measured, then the measurements should be checked against the planned specification and any deviations or potential improvements identified, and reported to management for a decision about what action to take.

This formulation implies a level of management that is not always involved in the system. Further discussion required on how this might work.

Meanwhile the British Standards Institution (BSI) has published PAS 99, a guide to an integrated management system that could include all the standards for audit and review:

* ISO 9001 Quality
* ISO 14001 Environment
* BS OHSAS 18001 Occupational Health and Safety
* ISO/IEC 27001 Information Security
* ISO 22000 Food Safety
* ISO/IEC 20000 IT Service

2 comments:

Anonymous said...

Hi

I like this post very much. It helps me to solve some of my work under my director's requirements.

Apart from that, the article below also has the same meaning:

ISO 22000 audit

Thanks again and keep posting.
Regards
