A senior engineer from Hewlett-Packard once told me that the nice thing about standards was that you had so many to choose from ... this is particularly true of security standards. In this article I have reviewed the main security standards and commented on their applicability.
ISO/IEC 27001:2005
The ISO/IEC 27001:2005 standard covers all types of organisations and specifies the requirements for implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) and relates this to the organisation's overall business risks.
ISO/IEC 20000:2005
This standard was developed to reflect the best practice guidance contained within the Information Technology Infrastructure Library (ITIL) framework. It consists of two parts: a specification for IT service management and a code of practice for service management. ITIL enables organisations to define a model to manage their IT operations covering areas such as service delivery, relationship management, resolution processes, control processes, release processes, changed services and service management.
ISO/IEC 18028:2006
This was developed to define a standard security architecture that describes a framework to support the planning, design and implementation of network security. This standard had major contributions from the ITU X.805 standard.
PCI DSS 1.1:2006
The Payment Card Industry Data Security Standard (PCI DSS) includes requirements for security management, policies, procedures, network architecture, software design and other critical measures. It is designed to help reduce the frequency and impact of security incidents in the processing of payment cards. PCI DSS is applicable to any organisation that processes card payments.
This is a brief review of four major security standards and their relevance to different types of organisation.