Why is it important to know about national and ...?

Networking/Security Forums -> General Security Discussion

Author: turbomenLocation: Hong Kong PostPosted: Sat Nov 13, 2010 9:08 am    Post subject: Why is it important to know about national and ...?
Dear All,

Why is it important to know about national and international standards such as AS/NZS31000 or AS/NZS 27001/27002
AS/NZS 31000 Risk Management
AS/NZS27001 & 27002 Security System Management


Author: krugger PostPosted: Sat Nov 13, 2010 11:27 pm    Post subject:
In theory when you implement these standards your organization should have improved efficiency and security because every procedure was carefully created to work in perfect harmony with all other procedures. So all your departments will be able to work together, and as all procedures are followed the overall security of your network will improve.

In the real world the main advantage is that it is a requirement for working with certain organization. The main problems are that either your procedure are not actually followed by the workers mainly because the procedures become obsolete faster than your procedure creation process can produce them. Also it generates tons and tons of reporting on stuff.

In theory I am all for implementing it, but so far I haven't found a good working implementation of it, in which the workers really see the benefit.

Coming back to your question, it is important to know about it because it will be something you will come across sooner or later. Either as a consultant or as a manger.

Your can also sell it for hundreds of thousands of dollars. It is almost a whole business branch.

Author: Dezaxa PostPosted: Mon Nov 15, 2010 3:57 pm    Post subject:
I would add the following:

1. You may be working for a company which is entering into a contract that involves sharing or managing data. The parties may decide to say that they will conform to the ISO 27000 standard as a shorthand way of specifying all the security requirements.
2. Your employer is likely to be subject to information security audits, either internal or external. Auditors often use 27000 as a way to structure their audits, so it will help you to be familiar with it.
3. If you work for a computer services company, you may want to certify your organisation against these standards, as a way to improve your competitive standing.
4. Even if you don't wish to pursue certification, organisations have legal obligations to protect confidential information, and in practice this often translates into being able to demonstrate that you follow accepted standards of good practice. 27000 is an important source of such standards.

Networking/Security Forums -> General Security Discussion

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group