Information Technology and IT Service Industry Specific Standards:
- ISO 27001:2013 - Information Security Management System;
- ISO 20000-1:2018 - IT Service Management System;
- ISO 27017:2015 - IT Security Techniques - Code of Practice for Information Security Controls for Cloud Services;
- ISO 27018:2019 - Security Techniques - Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors;
- ISO 27701:2019 - Security Techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management.
1. Introduction to ISO 27001:2013 - Information Security Management System
In today’s business environment, information is the lifeblood of any organization. Increasingly, organizations and their information systems are exposed to security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire, flood, etc. Computer viruses, hacking and denial-of-service attacks have become more common and more sophisticated.
2. What is ISO 27001 - Information Security Management System?
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information, and information entrusted to the company by third parties, so that it remains secure. It encompasses people, processes and IT systems.
3. Why ISO 27001:2013?
- Increased trust from partners, customers and the public;
- Systematic detection of vulnerabilities;
- Control of IT risks;
- Reduced chances of security breaches within the IT environment;
- Preservation of the confidentiality of information.
4. What are the benefits?
- Mitigates the risk of information security breaches
- Demonstrates due diligence and due care
- Provides a proactive approach to legal, regulatory and contractual compliance requirements
- Provides assurance over the organization's internal controls
- Shows management’s commitment to the security of business and customer information
- Helps the organization gain a competitive advantage
The standard is suitable for any organization, large or small, in any sector. It is especially suitable where the protection of information is critical, such as in the banking, financial, health, public and IT sectors. It also applies to organizations which manage high volumes of data, or information on behalf of other organizations, such as data centers and IT outsourcing companies.
1. Introduction to ISO 20000-1:2018 - IT Service Management System
Service businesses exist to supply their customers with intangible benefits such as providing amenities, facilities, or advice. Perhaps to an even greater extent than physical goods, success in the service sector means understanding and meeting your customers’ expectations. But, in a fast-paced, digital world, these expectations constantly change.
In today’s dynamic service environment, ISO/IEC 20000-1:2018 can be combined with popular management methods (such as Agile, Lean or DevOps), service management frameworks and methodologies (ITIL®, COBIT®, CMMI-SVC®) and additional standards (ISO 9001, ISO/IEC 27001, ISO 31000) within a single IT service management system.
2. What is ISO 20000-1:2018?
It is an international standard for quality management that focuses specifically on IT services. It ensures that the organization's service delivery is carried out in a way that drives customer satisfaction through improved service.
This standard specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an IT SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
3. Why ISO 20000-1:2018?
- To improve the quality of company services;
- To demonstrate the organization's ability to meet customer requirements;
- To gain a competitive advantage;
- To demonstrate reliability.
4. What benefits it brings to business:
- Reduction in incidents and interruptions to IT services, with improved incident management and response times
- Clarity in understanding roles and objectives
- Legal compliance and awareness
- Approach towards an integrated process to deliver IT services
- Improved customer satisfaction and client retention
- Service and delivery consistency.
5. Applicable to:
- Any organization seeking services from service providers and requiring assurance that their service requirements are fulfilled;
- Any organization that requires a consistent approach by all its service providers, including those in the supply chain;
- Service providers who intend to demonstrate their capability for the design, transition, delivery and improvement of services that fulfil service requirements.
1. Introduction to ISO 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Around the world, organizations are increasingly aware of the business value that cloud computing brings and are taking steps towards a transition to the cloud. A smooth transition entails a thorough understanding of the benefits as well as the challenges involved. One of the key challenges of cloud computing is how it addresses the security and privacy concerns of businesses planning to adopt it and of the cloud service providers (CSPs) implementing it.
The fact that valuable enterprise data will reside outside the corporate firewall raises serious concerns. Hacking and other cyber-attacks on cloud infrastructure can have a domino effect and affect multiple clients even if only one site is attacked.
As the global usage of cloud technology continues to grow, businesses must strategically consider the risk of storing protected information and explore viable security options in order to protect their information systems.
2. What is ISO 27017?
ISO/IEC 27017 is a standard developed for cloud service providers and cloud service users for securing cloud-based environments and minimising the potential risk of a security incident.
ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organisations. This is not only relevant to organisations which store information in the cloud, but also for providers which offer cloud-based services to other companies who may have sensitive information.
This standard is built upon the ISO 27002 standard, but allows for specific controls to be added for the needs of cloud organisations and their end-users.
The assessment is normally structured in tailor-made verification steps. The output of this verification process can be made available both internally within the company and publicly. The organisation may also choose to define a boundary for the assessment in relation to the core issues of the standard, focusing on the ones that are most crucial to the organisation itself and its business practices.
3. Why is ISO/IEC 27017 Important?
Cloud data security is vital, as clients will want to be sure that their data is safe while stored in the cloud. The ISO/IEC 27017 standard allows the organisation to commit to a long-term goal.
The organisation will have an internationally standardised framework on which to base its cloud security. Once the required controls are internalised, the organisation will be able to reduce operational and reputational risks and work towards a sustainable future.
The standard extensively covers topics like asset ownership, recovery action if the CSP gets dissolved, disposal of assets with sensitive information, segregation and storage of data, alignment of security management for virtual and physical networks and others.
4. What benefits it brings to business:
- Develop a long-term strategy;
- Increase transparency;
- Reduce reputational risks;
- Win customer trust;
- Inspire trust in your business;
- Gain a competitive advantage;
- Protect your brand reputation;
- Protect against fines.
5. ISO 27017:2017 is applicable to:
Cloud service providers and cloud service customers.
1. Introduction to ISO/IEC 27018:2019 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing the Personally Identifiable Information entrusted to them.
The standard will be followed by ISO/IEC 27017, which covers the wider information security aspects of cloud computing beyond privacy.
2. What is ISO 27018:2019?
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
3. Why ISO 27018:2019?
- Vast quantities of data are held in the public cloud, necessitating thorough protection requirements.
- Data breaches can result in the loss of individuals' rights and freedoms, identity theft, monetary penalties and a huge loss of reputation for the responsible data controller.
- Compliance requirements to protect personal data and ensure it is treated in accordance with the law.
4. What benefits ISO 27018 brings to business:
- Competitive advantage;
- Protects your brand reputation;
- Reduces risks – ensures that risks are identified and controls are in place;
- Protects against fines;
- Helps grow your business.
5. Applicable to:
- Any organisation, large or small, in any sector. The standard is especially suitable where personal data such as payroll, HR or client payment details is stored in a cloud environment.
- If your organisation is already implementing an ISO 27001 ISMS, then you are already covered for 70% of the requirements within ISO 27018. However, if you operate using cloud-based technologies, ISO 27018 has been seen as an effective bolt-on standard, as companies wish to demonstrate GDPR compliance specifically for data that is stored in the cloud.
1. Introduction to ISO/IEC 27701:2019 - Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. This newly published information security standard provides guidance for organizations looking to put in place systems to support compliance with GDPR and other data privacy requirements. ISO 27701, also referred to as PIMS (Privacy Information Management System), outlines a framework for Personally Identifiable Information (PII) controllers and PII processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems.
It can be used by all types of organizations that are PII controllers and/or PII processors processing PII within an ISMS, irrespective of their size, complexity or the country in which they operate.
2. What is ISO/IEC 27701:2019?
ISO/IEC 27701 specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It builds on the requirements in ISO/IEC 27001, the information security management system (ISMS) standard, and the code of practice for information security controls in ISO/IEC 27002.
ISO/IEC 27701 provides the management system framework to protect personally identifiable information (PII). It covers how organizations should manage personal information and assists in demonstrating compliance with applicable privacy regulations.
3. Why ISO/IEC 27701?
ISO/IEC 27701 reduces risk to the privacy rights of individuals and to the organisation by enhancing an existing Information Security Management System.
This standard is a great way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance to GDPR and other related privacy legislation.
Organizations looking to get certified to ISO 27701 in order to comply with GDPR will either need to have an existing ISO 27001 system or implement ISO 27001 and ISO 27701 together as a single management system. ISO 27701 is a natural expansion to the requirements and guidance set out in ISO 27001.
This standard is essential for every organization that is responsible and accountable for PII, as it provides requirements on how to manage and process data and safeguard privacy. It enriches an already implemented ISMS so that it properly addresses privacy concerns, by helping organizations understand the practical approaches involved in implementing effective management of PII.
4. What benefits it brings to business:
- Protects the organization’s reputation
- Builds customer trust
- Increases customer satisfaction
- Increases transparency of the organization’s processes and procedures
- Maintains the integrity of customers’ and other interested parties’ information
- Ensures information within the company is kept secure and managed effectively
- Ensures information is available on time
- Prevents loss, abuse and unauthorized modification of information
- Ensures information is only accessible to authorized persons
- Assists compliance with legal and data protection requirements
5. Applicable to:
Software development, cloud companies, IT support, banks, insurance companies, brokerage houses, internet providers, government agencies, healthcare, pharmaceutical and food processing.
Our consulting approach:
- Gap Analysis: assessment of existing management system practices against the requirements of the selected standard;
- Project Plan: preparation of an implementation project plan based on the timelines the organization is looking for;
- Orientation Training: orientation of top/senior management on the requirements of the selected standard and preparation of implementation action plans;
- Developing different levels of documentation (Tier 1-3/4): identification of the processes required for the products produced and services provided; external and internal issues affecting the business; the needs and expectations of interested parties; framing of a draft quality policy, organizational objectives, roles, responsibilities and authorities, the various risks and opportunities that arise, functional and system procedures, and the different implementation formats and checklists;
- System Implementation: implementation of the selected management system as per the developed documentation;
- Company-wide Training: training on the detailed clause-wise requirements, relating them to each department, and training on internal audit;
- Internal Audits: periodic assessment of system implementation and corrective actions;
- Pre-assessment: initial audit by the certifying agency and implementation of corrective actions;
- Final Assessment: certification audit by the certifying agency and recommendation for certification.