Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines

Purpose This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet, data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations, can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation. Design/methodology/approach This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013. Findings The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR. Originality/value This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

Best Practices of Auditing in an Organization using ISO 27001 Standard

International Journal of Recent Technology and Engineering - 2 ◽

10.35940/ijrte.b1128.0782s319 ◽

2019 ◽

Vol 8 (2S3) ◽

pp. 691-695

Keyword(s):

Best Practices ◽

Data Security ◽

Information Technologies ◽

Organizational Management ◽

Legal Aspects ◽

Successful Management ◽

The Status ◽

Iec 27001 ◽

Iec 27002 ◽

Iso 27001

In recent year with the intensive use of the information technologies, data security has been turned into a critical and important issue in organizational management. Various Standard and rules are there for the security of Information, for example, ISO/IEC 27001, ISO/IEC 27002. However, organization face different challenges for implementing the standard. In this paper, we present the status of the ISO/IEC 27001 execution process in a Small and Medium Sized Enterprise. By executing ISO 27001, organization got the chance to prove authenticity and show the clients that the organization is working according to recognized best practices. It helped the organization "IKSC Knowledge Bridge Pvt Ltd." in reducing cost, risks, and increases the brand value. The outcomes obtained conclude not just the need to think about the technical, legal aspects of organization but also those related to people like training, knowledge, create awareness, to achieve a successful management of information security

PENILAIAN DAN KONTROL RISIKO TERHADAP INFRASTRUKTUR DAN KEAMANAN INFORMASI BERDASARKAN STANDAR ISO/IEC 27001:2013 (STUDI KASUS: INSTITUT TEKNOLOGI SEPULUH NOPEMBER)

Sebatik ◽

10.46984/sebatik.v24i1.910 ◽

2020 ◽

Vol 24 (1) ◽

pp. 96-101

Author(s):

Anindya Dwi Lestari Sugianto ◽

Febriliyan Samopa ◽

Hanim Maria Astuti

Keyword(s):

Iec 27001 ◽

Iec 27002

Direktorat Pengembangan Teknologi dan Sistem Informasi (DPTSI) Institut Teknologi Sepuluh Nopember (ITS) Surabaya merupakan direktorat yang memiliki fungsi menangani seluruh aktivitas yang berhubungan dengan sistem dan teknologi informasi di ruang lingkup ITS. Risiko yang muncul dalam organisasi di bidang sistem dan teknologi informasi terutama pada ruang lingkup infrastruktur dan keamanan informasi, seperti adanya kerusakan aset, pencurian data, layanan yang tidak bisa diakses. Tindakan penanganan risiko terkait ruang lingkup infrastruktur dan keamanan informasi di DPTSI ITS belum diterapkan dengan baik sehingga dapat mengakibatkan terganggunya proses bisnis. Sehingga untuk memenuhi kebutuhan terkait ruang lingkup infrastruktur dan keamanan informasi diperlukan adanya standar agar dapat meminimalisir risiko yang ada. Standar yang digunakan dalam penelitian ini adalah standar ISO/IEC 27001:2013 sebagai kerangka kerja dalam proses identifikasi dan penilaian risiko terkait ruang lingkup infrastruktur dan keamanan informasi yang dibuat berdasarkan hasil wawancara dan justifikasi dari pihak DPTSI ITS. Adapun standar lain yang digunakan yaitu ISO/IEC 27002:2013 sebagai standar penyusunan kontrol dari hasil penilaian risiko terkait ruang lingkup infrastruktur dan keamanan informasi. Hasil yang diharapkan dalam penelitian ini berupa dokumen penilaian beserta penyusunan kontrol risiko yang sesuai dengan kebutuhan terkait ruang lingkup infrastruktur dan keamanan informasi di DPTSI ITS dengan menggunakan standar ISO/IEC 27001:2013 dan ISO/IEC 27002:2013.

Information technology. Security techniques. Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002

10.3403/30310928u ◽

2015 ◽

Cited By ~ 9

Keyword(s):

Information Technology ◽

Information Technology Security ◽

Iec 27001 ◽

Iec 27002

Audits in Cybersecurity

Cyber Security Auditing, Assurance, and Awareness Through CSAM and CATRAM - Advances in Digital Crime, Forensics, and Cyber Terrorism ◽

10.4018/978-1-7998-4162-3.ch007 ◽

2021 ◽

pp. 126-148

Keyword(s):

Information Technology ◽

Literature Review ◽

Best Practices ◽

Technology Infrastructure ◽

Information Technology Infrastructure ◽

Information Technology Infrastructure Library ◽

Pci Dss ◽

Comprehensive Literature Review ◽

Iec 27001 ◽

Iec 27002

The objective of this chapter is to provision a comprehensive literature review of the most relevant approaches for conducting cybersecurity audits. The study includes auditing perspectives for specific scopes and the best practices that many leading organizations are providing for security and auditing professionals to follow. The chapter reviews relevant features for auditing approaches in the following order: ISO/IEC 27001:2013, ISO/IEC 27002:2013, Control Objectives for Information and Related Technology (COBIT) 2019, Information Technology Infrastructure Library (ITIL) 4, AICPA, ISACA, NIST SP 800-53, NIST CSF v1.1, IIA, PCI DSS, ITAF, COSO, ENISA, NERC CIP, and CSAM.

Implementasi Awal Sistem Manajemen Keamanan Informasi pada UKM Menggunakan Kontrol ISO/IEC 27002

Jurnal Teknologi Rekayasa ◽

10.31544/jtera.v3.i2.2018.145-156 ◽

2018 ◽

Vol 3 (2) ◽

pp. 145

Author(s):

Rokhman Fauzi

Keyword(s):

Engineering Services ◽

Iec 27001 ◽

Iec 27002

Informasi merupakan aset organisasi yang harus dilindungi keamanannya. Sistem manajemen keamanan informasi diimplementasikan untuk melindungi aset informasi dari berbagai ancaman untuk menjamin kelangsungan usaha, meminimalisasi kerusakan akibat terjadinya ancaman, mempercepat kembalinya investasi, dan peluang usaha. Pada penelitian ini, standar internasional ISO/IEC 27001 dan analisis risiko metode OCTAVE-S digunakan dalam perancangan sistem manajemen keamanan informasi di salah satu perusahaan yang merupakan sebuah Usaha Kecil Menengah (UKM) yang bergerak di bidang engineering services. Sesuai dengan kondisi perusahaan, analisis risiko dilakukan menggunakan metode OCTAVE-S. Implementasi awal sistem manajemen keamanan informasi dilakukan menggunakan kontrol-kontrol pada ISO/IEC 27002. Prioritas utama hasil implementasi adalah penyusunan kebijakan dan prosedur serta peningkatan kesadaran keamanan informasi.