We are not safe when it comes to information security. At least not by default. The best description I have heard of our current state is that “the neighborhood has gotten dangerous”. Today, cybercrime is impacting millions of individuals, such as the 500 million who had their Yahoo accounts hacked recently. This is happening because virtual crime carries relatively low risk compared with traditional crime, is effective, and yields high returns relative to the effort that needs to be put forth.
An effective Information Security Framework:
- Provides management with a clear picture of Information Security risks.
- Accounts for the detection, containment and learning from security incidents.
- Includes an independent assessment of the security posture of the organization.
- Is a management system, which is much more than a set of controls.
ISO 27001 is the baseline reference for what it was created to define: an Information Security Management System. Beyond the requirements for the specific controls listed in Annex A, ISO 27001 provides guidance on how to identify information security assets (i.e. what to protect), perform a security risk assessment, select controls using a risk-based approach, and monitor the effectiveness of those controls. For more information see ISO 27001 a blueprint for success.