For any organization, information is one of its most valuable assets. Data breaches and damage happen every day, and some have cost heavily in business and reputation. Does your organization have controls in place to protect its information? How can you ensure those controls are enough? The international reference guidelines for assessing information security controls have just been updated to help.
Developed by ISO and the International Electrotechnical Commission (IEC), ISO/IEC TS 27008:2019, Information technology – Security techniques – Guidelines for the assessment of information security controls, provides guidance on assessing the controls in place to ensure they are effective, and in line with company objectives.
ISO/IEC TS 27008 has recently been updated to align with new editions of other complementary standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls).
Prof. Edward Humphreys, leader of the working group that developed the standard, said ISO/IEC TS 27008 will help organizations to assess and review their current controls that are being managed through the implementation of ISO/IEC 27001.
ISO/IEC TS 27008 Guidelines for the assessment of information security controls was developed by ISO technical committee ISO/IEC JTC 1, Information security, subcommittee SC 27, IT security techniques, the secretariat of which is held by DIN, ISO’s member for Germany. DIN is one of the primary shareholders of DQS.
ISO/IEC TS 27008, Information technology – Security techniques – Guidelines for the assessment of information security controls, was developed jointly by ISO and the International Electrotechnical Commission (IEC) to provide guidance on assessing existing controls, ensuring that they are effective and in line with company objectives.
The newly revised ISO/IEC TS 27008 is intended to align with the new editions of other standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls). The standard complements the information security management system defined in ISO/IEC 27001.
Edward Humphreys, leader of the working group that developed the standard, said that the ISO/IEC 27001 standard helps organizations assess and review the corresponding controls, and that implementing ISO/IEC TS 27008 will help with the assessment and audit of those measures.
ISO/IEC TS 27008:2019 Guidelines for the assessment of information security controls was developed by subcommittee SC 27, IT security techniques, of ISO/IEC JTC 1, Information security technical committee, the secretariat of which is held by DIN, ISO's member for Germany. The German Institute for Standardization (DIN) is one of the major shareholders of DQS.
DQS provides:
a) ISO 27001:2013 certification to all kinds of organizations, or parts of organizations, that handle sensitive information,
b) ISO 20000-1:2018 certification to organizations that provide IT services, and
c) non-certification audits against the above standards.
To improve personal skills, DQS Academy provides:
a) IT security professional courses certified by EC-Council, such as Certified Ethical Hacker and Computer Hacking Forensic Investigator, to persons in the cyber security field,
b) information security management courses certified by PECB, such as ISO 27001 Lead Auditor, Penetration Test Professional, and Data Protection Officer, to persons in the information security management field, and
c) internal auditor training courses by DQS HK for standards such as ISO 27001, to persons responsible for the ISMS.
It is never too late to prepare for business sustainability.
Reference source: ISO