What Is ISO 20000 Certification?

ISO 20000 certification, more precisely ISO/IEC 20000 certification, was designed to replace and improve upon the British Standard BS 15000. This international standard sets out the requirements a business must meet in its Information Technology service management in order to qualify for certification. IT services are an integral part of any business, given the growing reliance on computerised technology to complete everyday business tasks.

ISO 20000 certification is designed to ensure your business meets the needs of its staff and customers as well as the needs of the business itself. To achieve this, ISO 20000 defines what is known as an ITSMS (IT Service Management System). Implementing such a system lets you apply internationally recognised best practice for IT service management within your business and demonstrate this to your customers and clients.

The standard is published in two parts. Part 1 specifies the requirements for IT service management; it is the basis for certification audits and defines the minimum requirements for certification. Part 2 is the code of practice, the internationally recognised guidance on best practice in IT service management; it describes specific practices for bringing the management processes into line with the requirements of Part 1. Note that certification is assessed against Part 1 only; Part 2 is guidance, not a set of auditable requirements.

Any business, large or small, can pursue ISO/IEC 20000 certification. The standard is best suited to businesses with a strong focus on IT services, including those operating call centres, IT departments, internal IT providers and IT outsourcers. Applied in that setting it can have the same positive impact it has had on many leading companies in sectors from telecommunications to finance.

ISO/IEC 20000 is closely aligned with the best practices of the ITIL framework (Information Technology Infrastructure Library) and is also compatible with other frameworks such as the Microsoft Operations Framework (MOF). This lets you integrate the ISO/IEC 20000 requirements into the everyday procedures of your business rather than running them as a separate exercise.

There are many websites that can tell you more about ISO/IEC 20000, as well as a variety of training courses and other resources to help you or your business adopt the standard. Individuals can obtain ISO/IEC 20000 qualifications through training providers. An organisation's certification, by contrast, is awarded by an accredited certification body after an audit of its service management system; it cannot simply be purchased, and any "certificate" offered without an audit is worthless. Online resources and informational portals can direct you to the right software, tools, training courses and conferences to help you get started on standardising your IT service management practices. You could also choose to align your practices with ISO/IEC 20000 (conformance without a certificate) rather than seek formal certification. Whether you take the conformance route or the certification route, both can dramatically improve your IT service management and your business as a whole.

ISO 27001 Certification Process

Certification is carried out by an independent, accredited certification body. Businesses seeking independent certification of their ISMS (Information Security Management System) should always use a certification body that is accredited for ISO 27001 by a national accreditation body. Note that the International Organization for Standardization (ISO) itself publishes the standards but does not perform certification audits or issue certificates.

The International Organization for Standardization (ISO) has developed a series of security standards, the ISO 27000 family, at the core of which is ISO 27001. ISO 27001 replaced the British Standard BS 7799-2. Other standards in the 27000 family include ISO 27002, the code of practice for information security controls; ISO 27003, covering ISMS implementation guidance; ISO 27004, for measurements; and ISO 27005, covering information security risk management. However, claims of ISO 27001 certification are often misinterpreted, or presented as a guarantee where they should not be: a certificate attests that a management system conforming to the standard is in place for a stated scope, not that the organisation cannot be breached. The standard expects that implementation will be in the hands of qualified people, and many certification bodies offer ISO 27001 lead auditor training classes.

ISO 27001 describes how to build what ISO calls an ISMS. If the ISMS is developed around an explicit decision to accept, treat or reject each assessed risk, and third-party certification is used to provide outside verification of the level of assurance, it is an excellent tool and will create a genuine management system for information security.

Why Certify against ISO 27001?
Few government codes or regulations require ISO certification, so why bother? ISO certification can support the business and marketing goals of the company. It is becoming increasingly common for ISO 27001 certification to be a prerequisite in procurement documents and service specifications, and as buyers become more sophisticated in their understanding of the ISO 27001 accredited certification scheme, they will increasingly set out their requirements more specifically, both in respect of the scope of the certification and of the level of assurance they require. A buyer should always read the scope statement on the certificate: it may cover a single site, service or business unit rather than the whole organisation.

This rapid maturing in the understanding of buyers, as they seek greater assurance from the accredited certification to ISO 27001, is driving organizations to improve the quality of their ISMS and, by definition, to improve the granularity and accuracy of their risk assessments.

Certification applies a discipline to information security: it makes an organisation better at planning, implementing and maintaining information security, and a highly effective information security programme is what enables a business to achieve ISO 27001 certification. An external certification auditor should assess the ISMS against the published standard, not against the advice of a scheme manager, a consultant or any other third party. It is therefore critical that those responsible for the ISMS can refer explicitly to the standard's clauses and intent, and can defend every implementation step they have taken against the standard itself. An external audit is required for certification; a self-declaration of conformity is not certification. The audit gives management an initial and ongoing target to aim for and confirms that the organisation has effectively implemented the standard.

The three cornerstones of information protection are confidentiality, integrity and availability. Confidentiality guards against unauthorised disclosure of, or access to, information. Integrity guards against unauthorised modification or destruction of information. Availability ensures that information is ready for use when it is needed; a loss of availability is the disruption of access to, or use of, information or an information system.

To build a proper security plan, a business should focus on these three cornerstones. How can an organisation manage information security and maintain all three? One answer is to implement an ISMS, using the ISO standards as a guide. ISO 27001 (in its 2005 edition) structures the ISMS around the Plan-Do-Check-Act (PDCA) cycle: plan the ISMS, its risk assessment and its controls; do, by implementing and operating them; check, by monitoring, measuring and auditing their effectiveness; and act, by correcting and improving the system.

Using ISO 27001 Consultants For Information Security Audit

With today's pace of technological development and innovation, threats to the information held in computer systems are common. IT companies, application developers, operators of web-based systems, mobile software developers and many other sectors hold large volumes of information in their databases. Wherever so much data is stored, a breach is likely if protection is inadequate. To test the adequacy of the protection they have implemented, companies should have an information security audit carried out from time to time. Such an audit exposes vulnerabilities that the company was not aware of until the audit was done.

ISO 27001 consultants are experts with extensive knowledge of ISO 27001 certification. ISO 27001 is a specification for information security management applicable to almost all kinds of commercial activity, and it is not confined to electronic systems: information in every form, including paper records and people's knowledge, falls within its scope and can be audited by ISO 27001 consultants. Once the certification is obtained, a company can build trust among its customers, trading partners, stakeholders and even its own employees. Its credibility in the market increases because people know that the information shared with the company is in safe hands. An information security audit by such consultants checks that the information security measures are being adhered to at all levels of the organisation.

From time to time, ISO 27001 consultants can be asked to carry out an external audit of an IT company's arrangements for maintaining the confidentiality, integrity and availability of information. The audit process involves defining the audit objectives and scope, then reviewing control areas such as security policy, organisation of information security, communications and operations management, access control, and compliance, including the security requirements of applications and systems.

An information security audit involves a number of processes that only people experienced in the ISO 27001 standard can carry out properly. Everything from the documentation to the identification of gaps in the system is examined by the ISO 27001 consultants, and the consultants also check whether the recommendations of internal audits have been acted upon. Once policies and guidelines have been laid down according to the current standard, the company needs to implement them as early as possible, so that when the on-site external audit takes place at a later date everything is in place and ISO 27001 certification can be granted.

A penetration test is an authorised, controlled attempt to breach the security controls in place at an IT company or developer. Penetration testing highlights weaknesses in application security controls, particularly those that can actually be exploited. IT companies therefore ask security firms to identify vulnerabilities through this form of testing, which is primarily a manual exercise supported by tooling. A penetration test produces full details of the security issues found, the results of exploiting them, and tactical and strategic recommendations. It complements an ISMS audit rather than replacing it: an audit checks that the management system and its controls exist and are followed, while a penetration test checks whether the technical controls hold up against an attacker.

Many companies now engage designated ISO 27001 consultants to carry out internal audits and readiness reviews for their clients. One caveat: the consultants who help design and implement an ISMS must not be the ones who certify it. Accredited certification bodies are required to be impartial, so the certification audit is always performed by an independent body. These standards define best practice for business and information security, and a company that adheres to them gains many advantages.

ISO 27001 Security Management: What Can It Do For Your Business?

ISO 27001 security management is an example of best practice in information security for any business, whatever its size, and can lead to significant cost savings.

The international standard ISO 27001 covers the planning, implementation, monitoring and improvement of an information security management system. It is cast in general terms, applicable to any size of organisation, and is dependent on human expertise for its application in a specific case. Its sister standard, ISO 27002, is a code of practice for information security, often used together with it.

Since its publication, there has been a growing need for ISO 27001 security management on the part of companies, especially those that are subject to regulation in this area.

There is a wide range of ISO 27001 security strategies, and the details will vary from one organisation to the next. Not every firm will require all possible information security countermeasures. Small firms, especially, may require only a minimum of procedures and technology in order to be compliant with the standard. This makes it all the more important that a firm’s information security management should be carried out by someone with expertise and experience of both the ISO 27001 standard and the field of information security in general, since the standard itself (intentionally) gives very little guidance as to how to apply it to specific situations.

So the question then becomes one of either developing an in-house ISO 27001 function, or hiring specialist expertise from a security firm. Many factors determine which is the best solution for your business, such as: the size of your business, the skill-sets of existing employees, the complexity of your computers and networks, what regulations the business is subject to, and (of course) the available budget.

For larger organisations, it can be more cost-effective to develop their own in-house function for undertaking ISO 27001 security management, which can then become a resource for all other sections of the company. This applies even if the company is multinational, since the ISO 27001 standard is an international one.

In the case of smaller companies, however, it might be difficult to justify committing significant resource to a function which is not a core business process. It may be more cost-effective to outsource their ISO 27001 security management to a specialist information security firm, especially if information security requirements are fairly straightforward. This type of management solution will avoid the need to hire a full-time dedicated employee at a professional-level salary, and will also minimise the need to buy specialised software.

Whichever the type of solution, appropriate ISO 27001 security management can lead to cost savings:

It is clear that ISO 27001 security management is a major aspect of information security for any business, whatever its size, and deserves to be taken seriously – not least because it can lead to significant cost savings.

ISO Focus+ Zeroes in on Crisis Management, ISO Celebrates With MPEG

The May 2012 issue of ISO’s official magazine, ISO Focus+, is off the press. The latest issue, according to ISO, focuses on crisis management amidst recent natural and manmade disasters, hack attacks on IT networks, and terrorist threats.

Dealing with the aftermath of disasters is a major management undertaking and so emergency preparedness becomes the linchpin of the strategy to containing the aftereffects. The latest issue offers readers an overview of the various types of calamity, as well as how international standards can be used to best advantage to manage the different stages to recovery.

The new issue, although certainly not as immediate in its effect on everyday life as is the impact of, say, the standards ISO 9001 or of ISO 27001, demonstrates how truly widespread the need is today for ISO standards and the training associated with them (for instance, ISO 9001 training and ISO 27001 training).

Of special interest to crisis managers are the topics on: mitigating the consequences of a nuclear accident, ISO safety signs and graphic symbols for helping lessen risks to people, and future ISO guidelines for crisis management to help protect the all-important water utilities. The issue also features the lessons learned from the recent earthquake disaster that befell Christchurch, New Zealand.

In addition, ISO Focus+ May has an exclusive interview with Jim Ingram, CEO of Medair, a nongovernmental organization that delivers life-saving relief and rehabilitation to areas of disaster, conflict, and other crises.

Meanwhile, a future issue of ISO Focus+ will cover the "MPEG 100 Event," the hundredth meeting of the Moving Picture Experts Group, better known as MPEG for its spectacularly successful digital compression standards, led by the similarly named MPEG-2.

MPEG 100 Event, held from April 30 to May 4, 2012 in Geneva, Switzerland, attracted top-tier executives of ISO (International Organization for Standardization) and the International Electrotechnical Commission (IEC). ISO and IEC work together under the joint technical committee ISO/IEC JTC 1, Information technology, under which MPEG operates as subcommittee SC 29, Coding of audio, picture, multimedia and hypermedia information, working group WG 11, Coding of moving pictures and audio.

The event celebrated nearly 25 years of progressive innovation, involving thousands of digital media experts from hundreds of companies in dozens of countries coordinating to advance digital compression technology. In that time MPEG has developed and put into homes worldwide audio and video compression standards such as MP3, MPEG-2 and MPEG-4, and has helped popularise, in unprecedented ways, digital multimedia businesses such as the multimillion-dollar MP3 player, set-top box, DVD and mobile communication industries.

Also attending the event were the International Telecommunication Union (ITU) and the World Intellectual Property Organization (WIPO). MPEG and ITU have collaborated on two video compression standards in the past and are currently working together on the High Efficiency Video Coding (HEVC) standard.