KONSULTAN SERTIFIKASI SMKI ISO 27001 TRAINING SEMINAR PELATIHAN MANAJEMEN KEAMANAN INFORMASI

Kendali Keamanan Baru (new information security controls) Pada ISO 27001:2013

noreply@blogger.com (Unknown) — Mon, 21 Oct 2013 14:44:00 +0000

Beberapa kendali keamanan informasi baru (new information security controls) yang ditambahkan pada ISO 27001:2013 ini di antaranya:

A.6.1.5 Information security in project management
A.12.6.2 Restrictions on software installation
A.14.2.1 Secure development policy
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.15.1.1 Information security policy for supplier relationships
A.15.1.3 Information and communication technology supply chain
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.17.2.1 Availability of information processing facilities

Struktur Standar Internasional ISO 27001:2013

noreply@blogger.com (Unknown) — Mon, 21 Oct 2013 14:39:00 +0000

Struktur standar ISO 27001:2013

1. Scope of the standard

2. How the document is referenced

3. Reuse of the terms and definitions in ISO/IEC 27000

4. Organizational context and stakeholders

5. Information security leadership and high-level support for policy

6. Planning an information security management system; risk assessment; risk treatment

7. Supporting an information security management system

8. Making an information security management system operational

9. Reviewing the system’s performance

10. Corrective action

Annex A: List of controls and their objectives.

Perbedaan ISO 27001:2013 vs ISO 27001:2005

noreply@blogger.com (Unknown) — Mon, 21 Oct 2013 14:36:00 +0000

Standar internasional ISO 27001:2013 menampilkan 114 kendali (control) dalam 14 kelompok domain, dibandingkan standar sebelumnya yang terdiri dari 133 kendali dalam 11 kelompok domain. Perubahan pada persyaratan revisi 2013 ini merefleksikan perubahan teknologi yang banyak berdampak pada kelangsungan bisnis saat ini, misalnya perkembangan teknologi komputasi awan (cloud computing).

Mengenai perbedaan antara ISO 27001:2013 dan ISO 27001:2005 di antaranya adalah susunan kendali keamanan pada Annex A telah berubah menjadi:

A.5: Information security policies
A.6: Information security organisation
A.7: Human resources security
A.8: Asset management
A.9: Access controls and managing user access
A.10: Cryptographic technology
A.11: Physical security
A.12: Operational security
A.13: Secure communications and data transfer
A.14: Secure acquisition, development, and support of information systems
A.15: Security for suppliers and third parties
A.16: Incident management
A.17: Business continuity/disaster recovery
A.18: Compliance

Revisi ISO 27001:2005 menjadi ISO 27001:2013

noreply@blogger.com (Unknown) — Mon, 21 Oct 2013 14:31:00 +0000

Standar keamanan informasi ISO 27001 versi 2013 telah dipublikasikan pada tanggal 25 September 2013 oleh International Organization for Standardization (ISO). Standar ini disingkat dengan sebutan ISO 27001:2013, berisi spesifikasi bagi sistem manajemen keamanan informasi (information security management system). Dengan demikian standar ini membatalkan dan menggantikan standar versi sebelumnya yaitu ISO 27001:2005. Secara umum standar ISO 27001:2013 dikembangkan agar lebih selaras dengan standar sistem manajemen lainnya seperti ISO 9001 dan ISO 20000.

Manfaat ISO 27001

noreply@blogger.com (Unknown) — Tue, 17 Mar 2009 19:32:00 +0000

ISO/IEC 27001 is intended to be suitable for several different types of use, including the following:

use within organizations to formulate security requirements and objectives;
use within organizations as a way to ensure that security risks are cost effectively managed;
use within organizations to ensure compliance with laws and regulations;
use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
definition of new information security management processes;
identification and clarification of existing information security management processes;
use by the management of organizations to determine the status of information security management activities;
use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
implementation of business-enabling information security;
use by organizations to provide relevant information about information security to customers.

Audit Sertifikasi ISO 27001

noreply@blogger.com (Unknown) — Tue, 17 Mar 2009 19:23:00 +0000

Organizations may be certified as compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide. Certification against any of the recognized national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself. Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors.

In some countries, the bodies which verify conformity of management systems to specified standards are called "certification bodies", in others they are known as "registration bodies", "assessment and registration bodies", "certification/ registration bodies", and sometimes "registrars".
The ISO/IEC 27001 certification[1], like other ISO management system certifications, usually involves a three-stage audit process:

Stage 1 is a "table top" review of the existence and completeness of key documentation such as the organization's security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
Stage 2 is a detailed, in-depth audit involving testing the existence and effectiveness of the information security controls stated in the SoA and RTP, as well as their supporting documentation.
Stage 3 is a follow-up reassessment audit to confirm that a previously-certified organization remains in compliance with the standard. Certification maintenance involves periodic reviews and re-assessments to confirm that the ISMS continues to operate as specified and intended.

(this article is taken from wikipedia)

ISO IEC 27001

noreply@blogger.com (Unknown) — Tue, 17 Mar 2009 18:43:00 +0000

ISO IEC 27001 International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.