Archive for May, 2006

ISO 27001 podcast

Wednesday, May 31st, 2006

For anyone who has only recently come across ISO 27001 and wants to know what all the fuss is about, I can recommend checking out this podcast. The sound quality is a little patchy but the rationale for certification is well covered.

Cybercrime legislation

Tuesday, May 30th, 2006

Progress on both sides of the Atlantic in strengthening national laws against cybercrime. In the States, the House Judiciary Committee has approved a bill that proposes some fairly robust measures against transgressors. This seems the sort of toughening up that is needed in response to the increasing professionalism of cybercriminals. However, current debate in the UK’s House of Lords shows that hastily drafted legislation that carries a big stick can create unintended consequences. Let’s hope that the US bill receives thorough consideration before it passes the House and Senate.

Legislating for wi-fi security

Monday, May 29th, 2006

Officials in Westchester County, New York have recently attracted attention for their new law that requires businesses to secure their wi-fi hotspots. I’ve spoken before about the need for proper wireless security but, as usual, when businesses fail to take voluntary action sooner or later a regulator will pass a law to force them to act.

This is actually a pretty sensible law, but inevitably the reaction from many businesses will be to complain about the growing weight of legislation with which they have to comply. However, legislators all over the USA and elsewhere will be watching closely, so expect to see a spate of similar laws coming into force around the world soon.

ISO 27001 IS the new ISO 9001

Friday, May 19th, 2006

I’ve said often that ISO 27001 will experience the same level of take-up as ISO 9001 did, and now it appears that others are coming to the same view. In an article announcing that the Federal Reserve Bank of New York is the first US institution to achieve the standard, Victor Garza asks whether ISO 27001 will be the new ISO 9001.

It will.

Sales of The Case for ISO 27001, Nine Steps to Success and of our ISO 27001 Toolkit have been growing so fast that we can already see how important this standard is becoming. We’ll soon be in “What? You’re not ISO 27001-certified?” territory.

InfoSeCon 2006

Sunday, May 14th, 2006

I’ve just returned from a terrific three days in Dubrovnik, Croatia, where I attended (and spoke) at InfoSeCon 2006. Ably staged, hosted and managed by ZIK, this was an event that made networking very easy.

From the rapid transition through the arrivals hall at Dubrovnik airport, the equally quick transfer to the Hotel Croatia (spectacularly set right on the edge of the Adriatic), to the smooth organization of the conference itself, everything was memorable. Dubrovnik itself was fascinating; Stanko and Biljana Cerin laid on a trip across Dubrovnik bay in a replica of a medieval Dubrovnik galleon (which is also where we had dinner that evening) and the car-less fortified city was a fascinating place to visit. Walking an entire circuit of the city walls certainly built an appetite!

World-class speakers dealt with subjects that ranged from the technical (Snort rules) to the general (regulatory compliance) and, while it’s clear that information security threats are continuing to evolve, the underlying discussion at the conference seemed to be about who should drive IT and information security – the business management or the IT management?

As you know, I think that the business should drive the IT strategy, and the security of its IT systems – that, after all, is what IT governance is about. It’s clearly a debate that will run and run – InfoSeCon 2007 will probably be a good event at which to contribute to the evolution of this industry – one on which the security of personal and corporate data really does depend.

IT security help for growing businesses

Monday, May 8th, 2006

The UK’s Department of Trade and Industry periodically undertakes its own survey on IT security threats. The latest one, conducted for the DTI by PricewaterhouseCoopers, has revealed that amid the general improvement in the level of preparedness by companies, small and medium-sized businesses are less likely to be adequately prepared and are suffering as a consequence.

In response to this, we have decided to launch a series of low-cost IT security courses to give growing firms the knowledge and skills to protect themselves.

‘ISO 27001: Introduction and Overview’ is a one-day course designed for business owners and executives, IT managers and project managers who are at the initial stages of investigating information security management systems. It helps delegates to understand the key concepts and benefits of ISO 27001 as the best practice solution to countering IT threats. It also gives an overview of how ISO 27001 implementations can be managed in-house without calling in expensive consultants. I am leading this course and basing it upon my books, ‘The Case for ISO 27001’ and ‘Nine Steps to Success: an ISO 27001 Implementation Overview’. The first course will be held in London on 29th June, with further courses to be held in July and September. Delegate fees are £395.00 and bookings may be made here.

For ISO 27001 project leaders and their teams, the ‘ISO 27001 MasterClass’ provides three days of intensive tuition on the entire implementation process, including project scoping, risk assessments, documentation, management review and preparation for a successful certification audit. I am leading the course jointly with Steve Watkins and we are basing the sessions upon our definitive guide to information security management, ‘IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799’, which is the core text of the Open University’s postgraduate course in Information Security. The first MasterClass will be held in London on 6–8 June, with further sessions planned for July and September. Delegate fees are £1,495.00 and bookings may be made here.