ISMS based on ISO/IEC 27001
BRS ISMS (Information Security Management System) certification is granted through an independent third-party assessment carried out by competent professionals. BRS ISMS requires that the organization meet its legal obligations, regulatory requirements and contractual agreements; ISO/IEC 27001 serves as the management tool for that regulatory basis. BRS certification gives stakeholders confidence that the organization's information security management practices and methods are effective. The following areas need to be considered within the ISMS:
Security Policy
Establishes the basis for implementation and the directives relevant to the security and protection of information, aligned with business objectives, promoting continual competence and actions that enhance security.
Organizational Security
Requires implementation of the fundamentals needed to manage and control the flow of information under secure protocols, both within the organization's premises and in outsourced activities.
Classification and Control of Assets
Identification, evaluation and risk assessment of assets so that they are controlled and protected in proportion to the magnitude of their impact on business activities.
Security & Personnel
Provides guidance and awareness of internal and external threats in support of the policy and the technostructure objectives, assisting the continuity of business activities so that information flows into knowledge.
Access Control and Systems (Physical & Micro Environment)
Controls access to data and information so that the threat of intrusion is prevented, minimized or eliminated through network protection and standardized practices in the physical or virtual realm. Protection controls include wireless communication and technology, whether on-site or remote. In the 2013 version of the standard, organizations have freedom of choice in how they identify, analyze and control threats.
Computer & Network Management for Communications and Operations
Gives consideration to a normalized scheme to safeguard the integrity of information and data entered, retained and recoverable throughout the network environment, including supporting maintenance activities that reduce system failures and plan for contingencies.
Controls for Accessing
Establishes and maintains the controls necessary to access and communicate information through a network (Wi-Fi, LAN, ...).
Business Requirements for Controlling Access
Information security requires controls that grant access to system assets and information only to those who need it and are authorized to use it.
Development and Maintenance; Hardware, Software and Firmware
Implements security as an integral component of the organization's routine activities so that confidentiality and authenticity support the integrity of the information; this includes maintaining updates and patches and evaluating technology so that its discontinuance does not impact the organization.
Physical and Security Environment
The physical security of the premises is an integral component of a successful information security strategy, assisting in the achievement of the security policy and minimizing the impact on business continuity created by any breach in the physical or virtual environment.
Compliance
Identifies and establishes responsibilities and provides awareness of regulatory obligations and their implications and impact (within the USA, consider HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and many other sector-specific acts and rulings, and their national equivalents elsewhere).
Business Continuity Management
Requires strategic planning, testing, and reliable continuance of operations through a disaster recovery policy. Response to a disruption is typically a three-step plan:
- Initial Analysis: investigation of causes and effects.
- Coordination: coordinate with the investigative team, including those affected or potentially affected, and identify the action(s) to take.
- Decision: implement mitigation, restore the affected system promptly, and act on the best viable preventive measures and their implementation.