Information Security - ISO27001 and ISO17799
Information Security is at the heart of the Business Assurance strategy. ISO27001 and ISO17799 are the internationally recognised standards for information security: ISO27001 specifies the requirements for a certifiable Information Security Management System (ISMS), and ISO17799 is the accompanying code of practice for the security controls the ISMS selects. ECA staff are qualified to work as ISO27001 and ISO17799 implementers and lead auditors, which complements ECA's expertise in government security accreditation.
Between them, ISO27001 and ISO17799 set out what an ISMS must contain and identify 10 key control areas:
- Security policy: to provide Management Direction and support for information security;
- Security organisation: to manage information security within the organisation, including information accessed by third parties;
- Asset classification and control: to identify, classify and protect information assets;
- Personnel security: to reduce the risks of human error, theft, fraud or misuse of facilities;
- Physical and environmental security: to prevent unauthorised access, damage, and interference with business premises and information;
- Communications and operations management: to ensure the correct and secure operation of information processing facilities;
- Access control: to control access to information;
- Systems development and maintenance: to ensure that security is built into information systems;
- Business continuity management: to counteract interruptions to business activities and protect critical processes from the effects of major failures or disasters;
- Compliance: to avoid breaches of criminal and civil law, statutory, regulatory or contractual obligations, and of any security requirement.
An organisation that builds its ISMS on ISO27001 and ISO17799 and has it registered by an accredited certification body such as BSI can demonstrate to stakeholders that it meets the required standard. Note that certification is awarded against ISO27001 (the requirements standard); ISO17799 is a code of practice and is not itself certified against. ECA can help any organisation achieve ISO27001 certification, with staff qualified to lead auditor status on commercial best practice and on ISO27001 and ISO17799.
In addition, ECA can provide supporting security services that cover:
- System delivery: design, construction, certification and operation of secure, resilient, energy-efficient business-critical information and communication systems;
- Information security: confidentiality, integrity, availability, backup, business continuity and public confidence in information and communication systems;
- Outsourced/offshore security: ensuring the integrity of call centres and offshore services;
- Security testing: network analysis and identification of vulnerabilities, including penetration testing;
- Forensic analysis: gathering, investigation and analysis of data to understand what happened and prepare evidence where required.
