(Outline of the standard)
1. ISO 27001 series
The ISO 27001 series is a third-party conformity assessment scheme for an internationally consistent information security management system (ISMS). Beyond technical security measures, it requires the organization itself, as management, to carry out a risk assessment, decide the appropriate security level, make plans, allocate resources, and operate the system.
ISO 17799:2000, the implementation standard for an ISMS (the code of practice for ISMS), was revised as the international standard ISO 17799:2005 in June 2005 and was later integrated into the ISO 27000 series as ISO 27002.
2. Management system certification registration system
Just as third parties assess whether products and processes conform to the requirements of a specific standard, certification or registration bodies assess whether the information security management system of an organization (a company, factory, etc.) conforms to the requirements of ISO 27001.
If it conforms, the supplier or business operator is registered and the registration is made public; this is called the management system certification registration system.
“Partial quote: Japan Accreditation Board (http://www.jab.or.jp/)”
(Key points of our approach)
In addition to ISO 27001, which is the subject of review under the “Management system certification registration system”, we consider it important to make full use of the content of the ISO 9000 series while staying true to the original purpose of ISO. We therefore propose the following.
- By clearly communicating what the “original purpose of information security management” is, we provide an ISMS that balances availability, integrity and confidentiality.
- We provide a mechanism for growth that takes into account the value to clients (the value of information risk management), shifting from a “product-out” design to a “market-in” design.
- We provide “content that raises information security awareness through business activities”, including the following:
1) Creating a reporting, communication and consultation mechanism (for sharing security information)
2) Creating a mechanism that “does not depend too heavily on the competence and judgement of individuals”
3) Creating a mechanism for internal communication
4) Creating a mechanism for human resource management