<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tek-Tips Whitepaper Library &#187; Certification</title>
	<atom:link href="http://tek-tips.nethawk.net/category/editorial/certification/feed/" rel="self" type="application/rss+xml" />
	<link>http://tek-tips.nethawk.net</link>
	<description></description>
	<lastBuildDate>Wed, 19 Jun 2013 16:11:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>September 2011 Patch Tuesday Advanced Notification</title>
		<link>http://tek-tips.nethawk.net/september-2011-patch-tuesday-advanced-notification/</link>
		<comments>http://tek-tips.nethawk.net/september-2011-patch-tuesday-advanced-notification/#comments</comments>
		<pubDate>Fri, 09 Sep 2011 21:42:51 +0000</pubDate>
		<dc:creator>Jason Miller</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Microsoft Security Bulletins]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=3347</guid>
		<description><![CDATA[Microsoft has announced their plans for the September 2011 edition of Patch Tuesday.  Microsoft is planning to release 5 new security bulletins.  Although this is Microsoft’s ‘light’ Patch Tuesday, we are seeing quite a few Microsoft products being patched this month. Security Bulletin Breakdown: 2 bulletins affect Microsoft operating systems 3 bulletins affect Microsoft Office [...]]]></description>
<content:encoded><![CDATA[<p>Microsoft <a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-sep" target="_blank">has announced</a> their plans for the September 2011 edition of Patch Tuesday. Microsoft is planning to release 5 new security bulletins. Although this is Microsoft’s ‘light’ Patch Tuesday, we are seeing quite a few Microsoft products being patched this month.</p>
<p>Security Bulletin Breakdown:</p>
<ul>
<li>2 bulletins affect Microsoft operating systems</li>
<li>3 bulletins affect Microsoft Office and server-based products</li>
<li>5 bulletins are rated as Important</li>
<li>3 vulnerabilities fixed could lead to Remote Code Execution</li>
<li>2 vulnerabilities fixed could lead to Elevation of Privilege</li>
</ul>
<p>Affected Products:</p>
<ul>
<li>All supported Microsoft operating systems</li>
<li>Office 2003, 2007, 2010 (Excel)</li>
<li>Groove Server 2007</li>
<li>SharePoint Workspace 2010</li>
<li>Excel Viewer</li>
<li>Office Compatibility Pack 2007</li>
<li>SharePoint Server 2007, 2010</li>
<li>Office Forms Server 2007</li>
<li>Groove Server (Data Bridge Server) 2007, 2010</li>
<li>Office Web Apps 2010 (Excel)</li>
<li>SharePoint Services 2.0, 3.0</li>
<li>SharePoint Foundation 2010</li>
</ul>
<p>With this ‘light’ Patch Tuesday, you will also want to take a look at the new Microsoft Security Advisory released yesterday. <a href="http://www.microsoft.com/technet/security/advisory/2607712.mspx" target="_blank">Microsoft Security Advisory 2607712</a> addresses a high-profile issue with DigiNotar digital certificates. Microsoft has released an update that moves all DigiNotar certificates into the Untrusted Certificate Store to prevent fraudulent certificates from being accepted by your machines.</p>
<p>Mozilla has followed suit with this issue by releasing updates to their programs Firefox, Thunderbird and SeaMonkey.</p>
<p>I will be going through each bulletin thoroughly next Wednesday, September 14th at 11:00am CDT as part of our monthly Patch Tuesday webinar. Click <a href="https://www302.livemeeting.com/lrs/8000541617/Registration.aspx?pageName=xb0nqngt2v32bcn1" target="_blank">here</a> to register for the webinar.</p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/september-2011-patch-tuesday-advanced-notification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacking Accusations:  Myth Or Political Expedience?</title>
		<link>http://tek-tips.nethawk.net/hacking-accusations-myth-or-political-expedience/</link>
		<comments>http://tek-tips.nethawk.net/hacking-accusations-myth-or-political-expedience/#comments</comments>
		<pubDate>Tue, 06 Sep 2011 16:17:32 +0000</pubDate>
		<dc:creator>Tek-Tips</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Community Manager]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=3345</guid>
		<description><![CDATA[On July 19, DigiNotar detected an intrusion into its Certificate Authority infrastructure that resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. The fraudulent Web security certificates issued by hacked DigiNotar, allowing the hackers access to the data and passwords of Google sites, had not only hit [...]]]></description>
<content:encoded><![CDATA[<p>On July 19, <a href="http://www.diginotar.com">DigiNotar</a> detected an intrusion into its Certificate Authority infrastructure that resulted in the fraudulent issuance of public key certificates for a number of domains, including Google.com. The fraudulent Web security certificates issued by the hacked DigiNotar, which allowed the hackers access to the data and passwords of Google sites, hit not only the social networking site Facebook and the micro-blogging site Twitter, but also the U.S. and UK secret service agencies &#8211; the CIA and MI6. Others hit include sites operated by Yahoo, Facebook, Microsoft, Skype, AOL, the Tor Project, WordPress, and by intelligence agencies like Israel&#8217;s Mossad and Britain&#8217;s MI6. Actually, we ourselves were hit around the same time, so maybe we&#8217;ve done something to tick folks off too.</p>
<p><a href="http://tek-tips.nethawk.net/wp-content/uploads/2011/09/hacking_28.jpg"><img class="aligncenter size-full wp-image-684" title="hacking_28" src="http://tek-tips.nethawk.net/wp-content/uploads/2011/09/hacking_28.jpg" alt="" width="356" height="350" /></a></p>
<p>Around 300,000 unique requesting IPs to Google.com have been identified. Of these, 99 percent, allegedly, originated from Iran.</p>
<p>The latest versions of browsers, including Microsoft&#8217;s Internet Explorer, Google&#8217;s Chrome and Mozilla&#8217;s Firefox, are now rejecting certificates issued by DigiNotar. The Dutch web security firm DigiNotar is one of many companies that sell the security certificates widely used to authenticate Web sites and guarantee secure communications between a browser and a Web site. A record compiled in an Excel file and posted on a blog shows that the security of users of the U.S. secret service agency CIA and the UK&#8217;s MI6 Web sites was compromised by the fake security certificates.</p>
<p>It seems a tad unrealistic that both the U.S. and U.K. intelligence agencies chose the Dutch firm to secure their biggest secrets, but I&#8217;ve yet to read an explanation on that point. I mean, we all know there are plenty of options here in the states and across the pond, so why go to The Netherlands to get a certificate? The claim that the Iranian government cooperated in the hacks has not been substantiated, but there is an implication that they were spying on dissidents and this emanated from those hacks.</p>
<p>From the <a href="http://www.nytimes.com/2011/09/06/technology/hacking-in-the-netherlands-broadens-in-scope.html?src=recg">NYTimes</a>: &#8220;Technology experts cite a number of reasons to believe the attack is connected to Iran. Notably, several of the certificates contain nationalist slogans in Farsi, the language spoken by most Iranians. This, in combination with messages the hacker left behind on DigiNotar’s Web site, definitely suggests that Iran was involved,” said Ot van Daalen, director of Bits of Freedom, an online civil liberties group.&#8221;</p>
<p>Hopefully, they have more proof than language, but often incidental evidence such as that is used to implicate the perpetrators. I would guess that Iranians know that they are under scrutiny, and they aren&#8217;t the only nationals who speak Farsi.</p>
<p>Current browsers perform an <a href="http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol">Online Certificate Status Protocol</a> (OCSP) check as soon as the browser connects to an SSL website protected through the https (hypertext transfer protocol secure) protocol.</p>
<p>The hacking implies that the current network setup and procedures at DigiNotar are not sufficiently secure to prevent this kind of attack. In theory, a fraudulent certificate can be used to trick a user into visiting a fake version of a Web site, or used to monitor communications with the real sites without users noticing.</p>
<p>However, in order to pass off a fake certificate, a hacker must be able to steer his target&#8217;s Internet traffic through a server that he controls. Only an Internet service provider or a government that commands one can do it easily.</p>
<p>Although no users in the Netherlands are known to have been victimized directly, the breach has caused a major headache for the Dutch government, which relied on DigiNotar to authenticate most of its Web sites.</p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/hacking-accusations-myth-or-political-expedience/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Biggest Shortcomings of ISO 27001</title>
		<link>http://tek-tips.nethawk.net/the-biggest-shortcomings-of-iso-27001/</link>
		<comments>http://tek-tips.nethawk.net/the-biggest-shortcomings-of-iso-27001/#comments</comments>
		<pubDate>Tue, 29 Mar 2011 16:44:51 +0000</pubDate>
		<dc:creator>Dejan Kosutic</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Mobile and Wireless]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Mobile Computing]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=3132</guid>
		<description><![CDATA[If you&#8217;ve been reading my blog, you probably think I&#8217;m convinced ISO 27001 is the most perfect document ever written. Actually, that&#8217;s not true – working with my clients and teaching on the subject, usually the same weaknesses of this standard emerge. Here they are, together with my suggestions how to resolve them: Ambiguous Terms [...]]]></description>
<content:encoded><![CDATA[<p>If you&#8217;ve been reading my blog, you probably think I&#8217;m convinced <a href="http://www.iso27001standard.com/en/services/blog" target="_blank">ISO 27001</a> is the most perfect document ever written. Actually, that&#8217;s not true – working with my clients and teaching on the subject, the same weaknesses of this standard usually emerge. Here they are, together with my suggestions on how to resolve them:</p>
<p><strong>Ambiguous Terms</strong></p>
<p>Some of the requirements in the standard are rather unclear:</p>
<ul>
<li>Clause 4.3.1 c) requires that ISMS documentation must include… &#8220;procedures and controls in support of the ISMS&#8221; &#8211; does that mean that a document must be written for each of the controls that are applied (there are 133 controls in Annex A)? In my view, that is not necessary – I usually advise my clients to write only the policies and procedures that are necessary from the operational point of view and for decreasing the risks. All other controls can be briefly described in the Statement of Applicability since it must include the description of all controls that are implemented.</li>
<li>(Un)documented policies and procedures – in many controls from Annex A, policies and procedures are mentioned without the word &#8220;documented&#8221;. In effect, this means that such policies and procedures do not have to be written down, but this is not clear to 95% of the readers of the standard.</li>
<li>External parties / third parties – these terms are used interchangeably, which may cause confusion. It would be much better if one term was used.</li>
</ul>
<p><strong>Organization of the Standard</strong></p>
<p>Some of the requirements in the standard are either scattered or unnecessarily duplicated:</p>
<ul>
<li>Some controls are simply located in the wrong place – for instance, A.11.7 Mobile computing and teleworking is located in section A.11 Access control. Although when dealing with mobile computing one has to take care of access control, section A.11 is not the most natural place to define issues related to mobile computing and teleworking.</li>
<li>Issues related to external parties are scattered around the standard – in A.6.2 External parties, A.8 Human resources security and A.10.2 Third party service delivery management. With the advance of cloud computing and other types of outsourcing, it is advisable to gather all those rules in one document or one set of documents which would deal with third parties.</li>
<li>Employee awareness and training is required both in clause 5.2.2 of the main part of the standard, and in control A.8.2.2. Not only is this duplication unnecessary, but it also causes additional confusion – theoretically, each control from Annex A could be excluded, so you may end up excluding a requirement that is actually not possible to exclude because it is required by the main part of the standard. The same thing happens with Internal audit (clause 6 of the main part of the standard) and control A.6.1.8 Independent review of information security.</li>
<li>Some of the controls from Annex A can be applied really broadly, and they can include other controls – for example, control A.7.1.3 Acceptable use of assets is so general that it can cover, for example, A.7.2.2 (Handling classified information), A.8.3.2 (Return of assets upon termination of employment), A.9.2.1 (Equipment protection), A.10.7.1 (Management of removable media), A.10.7.2 (Disposal of media), A.10.7.3 (Information handling procedures) etc. I usually advise my clients to make one document that would cover all those controls.</li>
</ul>
<p><strong>Problems Or Not?</strong></p>
<p>Here are a few issues that are usually brought to attention as problematic, but I disagree with them:</p>
<ul>
<li>The standard is too vague and does not go into enough detail – if it went into more detail about the technology that is to be used, it would soon be outdated; if it went into more detail about the methods and/or organizational solutions, it wouldn&#8217;t be applicable to all sizes and types of organizations – a large bank has to be organized quite differently than a small marketing agency, yet both should be able to implement ISO 27001.</li>
<li>The standard allows too much flexibility – by this the critics mean the concept of risk assessment, where certain security controls can be excluded if there are no related risks. So they ask – &#8220;How would it be possible to exclude backup or anti-virus protection?&#8221; Actually, with the progress of technologies like cloud computing, this kind of protection might not be the responsibility of the organization implementing ISO 27001. (However, in such a case the risks of outsourcing would be rather high, so other kinds of security controls would be necessary.)</li>
</ul>
<p><strong>Now What?</strong></p>
<p>This standard will certainly need to change – the current version of ISO/IEC 27001:2005 is now six years old, and hopefully the next revision (expected in 2012 or 2013) will address most of the above issues.</p>
<p>Although these shortcomings can often cause confusion, I think that the positive sides of the standard outweigh the negative ones in large measure. And yes, I really am convinced this standard is by far the best framework for information security management.</p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/the-biggest-shortcomings-of-iso-27001/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Seven Steps for Implementing Policies and Procedures</title>
		<link>http://tek-tips.nethawk.net/seven-steps-for-implementing-policies-and-procedures/</link>
		<comments>http://tek-tips.nethawk.net/seven-steps-for-implementing-policies-and-procedures/#comments</comments>
		<pubDate>Tue, 22 Mar 2011 16:43:11 +0000</pubDate>
		<dc:creator>Dejan Kosutic</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=3123</guid>
		<description><![CDATA[Have you ever found yourself in a situation where you have been given the task to write a security policy or a procedure? But you don&#8217;t want your document to end up like so many others &#8211; gathering dust in some forgotten drawer? Here are some thoughts that might help you… The steps I&#8217;m about [...]]]></description>
<content:encoded><![CDATA[<p>Have you ever found yourself in a situation where you have been given the task of writing a security policy or a procedure? But you don&#8217;t want your document to end up like so many others &#8211; gathering dust in some forgotten drawer? Here are some thoughts that might help you…</p>
<p>The steps I&#8217;m about to present to you are based on my experience with various kinds of clients, large and small, government or private, for-profit or non-profit – I find these steps applicable to all of them. Actually, these steps are applicable to any kind of policies and procedures, not only those related to <a href="http://www.iso27001standard.com/en/services/blog" target="_blank">ISO 27001</a> or <a href="http://www.iso27001standard.com/en/bs-25999/blog" target="_blank">BS 25999-2</a>.</p>
<p><strong>1 Study the requirements</strong></p>
<p>First you have to study very carefully the various requirements – is there legislation that requires something to be put in writing? Or maybe a contract with your client? Or some other high-level policy that already exists in your organization (perhaps a corporate standard)? And of course the requirements from ISO 27001 or BS 25999-2, if you want to comply with those standards.</p>
<p><strong>2 Take into account the results of your risk assessment</strong></p>
<p>Your risk assessment will determine which issues you have to address in your document, but also to which degree – for instance, you may need to decide whether you will classify your information according to its confidentiality, and if so, whether you need two, three or four levels of confidentiality.</p>
<p>This step may not be relevant in this form if your policy or procedure is not related to information security or business continuity. However, risk management principles are applicable to other areas as well – quality management (ISO 9001), environmental management (ISO 14001), etc. For instance, in ISO 9001 you have to determine to what extent a process is crucial for your quality management and decide accordingly whether you will document it or not.</p>
<p><strong>3 Optimize and align your document(s)</strong></p>
<p>An important thing to consider is the total number of documents – are you going to write ten 1-page documents or one 10-page document? It is much easier to manage one document, especially if the target group of readers is the same. (Just don&#8217;t create a single 100-page document.)</p>
<p>Moreover, you have to be careful to align your document with other documents – the issues you are defining may already be partially defined in another document. In such a case, it may not be necessary to write a new document; it may be enough to expand the existing one.</p>
<p>If you are writing a new document about an issue that is already mentioned in another document, be sure to avoid redundancy – describing the same issue in both documents. Later it would become a nightmare to maintain those documents; it&#8217;s much better that one document makes a reference to another, without repeating the same stuff.</p>
<p><strong>4 Structure your document</strong></p>
<p>You also need to take care that you observe your corporate rules for formatting the document – you may already have a template with pre-defined fonts, headers, footers etc.</p>
<p>If you already implemented ISO 27001 or BS 25999-2 (or any other management standard), you&#8217;ll need to observe a <a href="http://blog.iso27001standard.com/2010/03/30/document-management-within-iso-27001-bs-25999-2/" target="_blank">procedure for document control</a> – such a procedure defines not only the format of the document, but also the rules for its approval, distribution etc.</p>
<p><strong>5 Write your document</strong></p>
<p>The rule of thumb is – the smaller the organization and the smaller the risks, the less complex your document will be. There is nothing more useless than deciding to write a lengthy document no one is going to read – you have to understand that reading the document takes time, and the level of one&#8217;s attention is inversely proportional to the number of lines in your document.</p>
<p>One good technique to overcome the resistance of other employees to this document (no one likes change, especially if that means something like an obligation to change passwords on a regular basis) is to involve them in writing or commenting on this document – this way they will understand why it is necessary.</p>
<p><strong>6 Get your document approved</strong></p>
<p>This step is rather self-evident, but its underlying importance is this – if you are not a high ranking manager in your company, you won&#8217;t have the power to enforce this document.</p>
<p>This is why someone with such a position has to understand it, approve it, and actively require its implementation. Sounds easy, but believe me – it is not. This step and the next one are the ones where implementation most often fails.</p>
<p><strong>7 Training and awareness of your employees</strong></p>
<p>This step is probably the most important, but sadly it is one that is very often forgotten. As mentioned before, employees are tired of constant changes, and they surely won&#8217;t welcome another one especially if it means more work for them.</p>
<p>Therefore, it is very important to explain to your employees why such a policy or procedure is necessary &#8211; why it is good not only for the company, but also for themselves.</p>
<p>Sometimes training will be necessary – it would be wrong to assume that everyone possesses the skills to implement new activities. For you, who wrote this document, it may seem easy and self-evident, but for them it may seem like brain surgery.</p>
<p><strong>End of story?</strong></p>
<p>If you thought you&#8217;ve reached the end of your document-implementation story, you&#8217;re wrong – the journey has just begun. It is not enough to have a perfect policy or procedure that everyone just loves, you also need to maintain it.</p>
<p>Someone has to take care that this document is kept up to date and improved, or else no one is going to observe it anymore &#8211; and that someone is usually the same person who has written it. Not only that, someone has to measure whether such a document has fulfilled its purpose – again, it may be you.</p>
<p>As you may have noticed reading this article, it is not enough to have a nice template for a successful policy or procedure &#8211; what is needed is a systematic approach to its implementation. And in doing so do not forget the most important fact: the document is not an end in itself – it is only a tool to enable your activities and processes to run smoothly. Don&#8217;t let the opposite happen – that such a document makes these activities and processes run with more difficulty.</p>
<p><em>Cross posted from ISO 27001 &amp; BS 25999 blog</em> &#8211; <a href="http://blog.iso27001standard.com" target="_blank">http://blog.iso27001standard.com</a> </p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/seven-steps-for-implementing-policies-and-procedures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO 22301 to Replace BS 25999-2</title>
		<link>http://tek-tips.nethawk.net/iso-22301-to-replace-bs-25999-2/</link>
		<comments>http://tek-tips.nethawk.net/iso-22301-to-replace-bs-25999-2/#comments</comments>
		<pubDate>Wed, 02 Mar 2011 19:11:18 +0000</pubDate>
		<dc:creator>Dejan Kosutic</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[BS 25999-2]]></category>
		<category><![CDATA[Business Continuity]]></category>
		<category><![CDATA[ISO 22301]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[risk management]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=3094</guid>
		<description><![CDATA[According to various sources, the leading business continuity standard BS 25999-2 will be replaced by an international standard ISO 22301 by the end of 2011. This kind of transition is normal – the same thing happens with most management standards, for instance with ISO 27001 when in 2005 it succeeded BS 7799-2. So what are [...]]]></description>
			<content:encoded><![CDATA[<p>According to various sources, the leading business continuity standard <a href="http://www.iso27001standard.com/en/bs-25999/blog" target="_blank">BS 25999-2</a> will be replaced by an international standard ISO 22301 by the end of 2011. This kind of transition is normal – the same thing happens with most management standards, for instance with <a href="http://www.iso27001standard.com/en/services/blog" target="_blank">ISO 27001</a> when in 2005 it succeeded BS 7799-2. So what are the main changes that ISO 22301 will bring when compared to BS 25999-2?</p>
<p>One important note here – since ISO 22301 hasn&#8217;t been published yet, the final version of the standard still doesn&#8217;t exist, so some of the things I&#8217;ve written here may not exist in the final version. I am using a draft version published in February 2011 on the BSi Draft Review website.</p>
<p>ISO 22301 will have this title: ISO 22301, Societal security &#8211; Business continuity management systems &#8211; Requirements. Although &#8220;Societal security&#8221; may sound a little strange in relation to business continuity, here is how ISO defines it: &#8220;… standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties.&#8221;</p>
<p>At first sight, it is obvious that the structure of ISO 22301 is very different from BS 25999-2, although all the basic elements of BS 25999-2 still do exist in ISO 22301.</p>
<p>Let&#8217;s take a deeper look.</p>
<p><strong>Similarities…</strong></p>
<p>The biggest similarity is that all core business continuity elements in BS 25999-2 will be present in ISO 22301 too: business continuity policy, business impact analysis, risk assessment, business continuity strategy (in ISO 22301 it will be called &#8220;business continuity options&#8221;), business continuity plans, exercising and testing etc.</p>
<p>Business impact analysis will probably be broken down into several clauses, demanding more precision. The requirements for business continuity plans, including response procedures and recovery plans, are much more detailed too &#8211; e.g. the communication part.</p>
<p>The management part of BS 25999-2 will also be transferred to the new standard &#8211; document control, internal audit, management review, corrective and preventive actions, human resources management etc. (by the way, these elements exist in all other management standards &#8211; ISO 9001, ISO 14001, ISO 27001&#8230;).</p>
<p>However the documentation will be called &#8220;documented information&#8221;, and preventive actions will be called &#8220;actions to address issues and concerns&#8221;.</p>
<p><strong>… and differences</strong></p>
<p>The Plan-Do-Check-Act (PDCA) model is even less clearly stated in ISO 22301 than in BS 25999-2, although BS 25999-2 is not as clear in that respect as ISO 27001. However, in my view that won&#8217;t affect the clarity of the process through which the standard should be implemented, since the main sections of the standard are organized in a rather logical way.</p>
<p>ISO 22301 will obviously put much greater emphasis on setting objectives and on monitoring performance and metrics &#8211; therefore bringing business continuity much closer to top management&#8217;s way of thinking.</p>
<p>Following that line, ISO 22301 puts clearer expectations on management and summarizes them in a single section.</p>
<p>ISO 22301 will resolve one of the shortcomings of BS 25999-2: it will require much more careful planning and preparation of the resources needed to ensure business continuity – those requirements are now extended and more clearly structured.</p>
<p>Finally, what will be different about ISO 22301, being an international standard, is that certification bodies will push certification against this standard much harder, so it will gain its popularity much faster.</p>
<p>In conclusion, all the basic elements of BS 25999-2 will probably be present in ISO 22301 too, except that ISO 22301 will be more precise and more demanding. Organizations that have already implemented BS 25999-2 and want to &#8220;upgrade&#8221; to ISO 22301 will have to pay more attention to detail and invest more time in preparing and maintaining their system. On the other hand, ISO 22301 will certainly help them raise their level of resilience and their level of credibility – the same thing that ISO 27001 did 6 years ago when it replaced BS 7799-2.</p>
<p>Cross posted from ISO 27001 &amp; BS 25999 blog at <a href="http://blog.iso27001standard.com" target="_blank">http://blog.iso27001standard.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/iso-22301-to-replace-bs-25999-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Much Does ISO 27001 Implementation Cost?</title>
		<link>http://tek-tips.nethawk.net/how-much-does-iso-27001-implementation-cost/</link>
		<comments>http://tek-tips.nethawk.net/how-much-does-iso-27001-implementation-cost/#comments</comments>
		<pubDate>Thu, 17 Feb 2011 18:52:41 +0000</pubDate>
		<dc:creator>Dejan Kosutic</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[ISO 27001]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=3060</guid>
		<description><![CDATA[This is usually one of the first questions I receive from the potential client. To their disappointment, I cannot give them the exact figure right away &#8211; here is why. First of all, the total cost of implementation will depend on the size of your organization (or the size of the business unit(s) that will [...]]]></description>
			<content:encoded><![CDATA[<p>This is usually one of the first questions I receive from a potential client. To their disappointment, I cannot give them an exact figure right away &#8211; here is why.</p>
<p>First of all, the total cost of implementation will depend on the size of your organization (or the size of the business unit(s) that will be included in the <a href="http://www.iso27001standard.com/en/services/blog">ISO 27001</a> scope), the criticality of the information (for instance, information in banks is considered more critical and demands a higher level of protection), the technology the organization is using (for instance, data centers tend to have higher costs because of their complex systems), and the legislative requirements (usually the financial and government sectors are heavily regulated with regard to information security).</p>
<p>Second, you won&#8217;t be able to calculate the exact costs before you know which level of protection you need – first you have to perform a risk assessment, because that analysis will tell you which security measures are required.</p>
<p>Once you know the results of the risk assessment, you will have to take into account the following costs:</p>
<p><strong>1. The cost of literature and training</strong></p>
<p>Implementation of ISO 27001 requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days (read <a href="http://blog.iso27001standard.com/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/">How to learn about ISO 27001 and BS 25999-2</a>).</p>
<p>And don&#8217;t forget to buy the ISO 27001 standard itself – too often I run across companies implementing the standard without actually seeing it.</p>
<p><strong>2. The cost of external assistance</strong></p>
<p>Unfortunately, training your employees is not enough. If you don’t have a project manager with deep experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or use an online alternative (this is what we do at the Information Security &amp; Business Continuity Academy).</p>
<p>The greatest value of having someone with experience help you with this kind of project is that you won’t end up in dead-end streets – spending months and months on activities that are not really necessary, or developing tons of documentation not required by the standard. And that really costs.</p>
<p>However, be careful here – do not expect the consultant to do the whole implementation for you; only your own employees can implement ISO 27001.</p>
<p><strong>3. The cost of technology</strong></p>
<p>It might seem funny, but most companies I’ve worked with did not need a big investment in hardware, software or anything similar – all these things already existed. The biggest challenge was usually how to use existing technology in a more secure way.</p>
<p>However, you do need to plan such investment if it proves to be necessary.</p>
<p><strong>4. The cost of employees’ time</strong></p>
<p>The standard isn’t going to implement itself, nor can it be implemented by a consultant alone (if you hire one). Your employees have to spend some time figuring out where the risks are and how to improve existing procedures and policies or implement new ones, and they have to take time to train for their new responsibilities and to adapt to the new rules.</p>
<p><strong>5. The cost of certification</strong></p>
<p>If you want to obtain public proof that you have complied with ISO 27001, a certification body will have to perform a certification audit – the cost will depend on the number of man-days they spend doing the job, ranging from under 10 man-days for smaller companies up to a few dozen man-days for larger organizations. The cost of a man-day depends on the local market.</p>
<p>You have to be very careful not to underestimate the true cost of an ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the costs and the benefits – read <a href="http://blog.iso27001standard.com/2010/07/21/four-key-benefits-of-iso-27001-implementation/">Four key benefits of ISO 27001 implementation</a>.</p>
<p>Cross posted from ISO 27001 &amp; BS 25999 blog &#8211; <a href="http://blog.iso27001standard.com">http://blog.iso27001standard.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/how-much-does-iso-27001-implementation-cost/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Japan Data Center Council&#8217;s Facilities Standard (required)</title>
		<link>http://tek-tips.nethawk.net/japan-data-center-council%e2%80%99s-facilities-standard-required/</link>
		<comments>http://tek-tips.nethawk.net/japan-data-center-council%e2%80%99s-facilities-standard-required/#comments</comments>
		<pubDate>Wed, 09 Feb 2011 17:29:25 +0000</pubDate>
		<dc:creator>Zen Kishimoto</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Community Manager]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[facilities standard]]></category>
		<category><![CDATA[Japan]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=3056</guid>
		<description><![CDATA[As reported in the previous blog, Japan Data Center Council (JDCC) developed a comprehensive set of items for evaluating a data center. They took all the necessary international and Japan domestic standards, integrated them, and gave them a Japanese massage”? The standards they considered were Uptime Tier, TIA-942, ASHRAE, IEEE, JEITA (Japan Electronics and Information [...]]]></description>
			<content:encoded><![CDATA[<p>As reported in the <span style="text-decoration: underline">previous blog</span>, the Japan Data Center Council (JDCC) developed a comprehensive set of items for evaluating a data center. They took all the necessary international and Japanese domestic standards, integrated them, and gave them a “Japanese massage”. The standards they considered were Uptime Tier, TIA-942, ASHRAE, IEEE, <a href="http://www.jeita.or.jp/english/index.html">JEITA (Japan Electronics and Information Technology Industries Association)</a>, and <a href="http://www.fisc.or.jp/english">FISC</a> (The Center for Financial Industry Information Systems).</p>
<p><img src="http://www.altaterra.net/resource/resmgr/jdcc-standartds.jpg" alt="" /></p>
<p>The specific factors considered for Japan were as follows:</p>
<p>1. Reliability of power grid—Yearly power loss in Japan is several minutes; in the U.S., 86 minutes; and in the U.K., 68 minutes. Japanese data centers can rely on the commercial grid more, and facilities do not need the elaborate power-failure schemes necessary in the U.S. and the U.K.</p>
<p>2. Earthquake risks—Both Japan and California have the same level of earthquake risk, but Japan’s construction law is much more stringent. If the two areas are compared using PML (Probable Maximum Loss), Japan has less risk of earthquakes.</p>
<p>3. Reliable equipment—Japanese equipment, such as UPS, in general is more reliable and may not require the same level of redundancy as U.S. and U.K. equipment.</p>
<p>On the basis of these factors, JDCC developed required and optional sets of evaluation items. The table below summarizes the required items. Note that the building law and the unit to measure the severity of earthquakes are specific to Japan.</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<th width="125" valign="top">Categories</th>
<th width="36" valign="top">No.</th>
<th width="98" valign="top">Evaluation item</th>
<th width="65" valign="top">Tier 1</th>
<th width="67" valign="top">Tier 2</th>
<th width="72" valign="top">Tier 3</th>
<th width="79" valign="top">Tier 4</th>
<th width="80" valign="top">Remarks</th>
</tr>
<tr>
<td width="125" valign="top">Building</td>
<td width="36" valign="top">1</td>
<td width="98" valign="top">Data center only or multiple use</td>
<td width="65" valign="top">Multiple use with multiple tenants</td>
<td width="67" valign="top">Multiple use with multiple tenants</td>
<td width="72" valign="top">Multiple use with single tenant</td>
<td width="79" valign="top">Data center use with one tenant</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top">2</td>
<td width="98" valign="top">Earthquake risk based on compliance with PML building law</td>
<td width="65" valign="top">Less than 20–30%</td>
<td width="67" valign="top">Less than 20–25%</td>
<td width="72" valign="top">Less than 10–20%</td>
<td width="79" valign="top">Less than 10%</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top"></td>
<td width="98" valign="top"></td>
<td width="65" valign="top">Comply with standard before 1981</td>
<td width="67" valign="top">Comply with standard in June 1981</td>
<td width="72" valign="top">Comply with standard in June 1981</td>
<td width="79" valign="top">Comply with standard in June 1981 + category I</td>
<td width="80" valign="top">Earthquake less than 6: weak</td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top"></td>
<td width="98" valign="top"></td>
<td width="65" valign="top">Comply with standard before 1981</td>
<td width="67" valign="top">Comply with standard in June 1981</td>
<td width="72" valign="top">Comply with standard in June 1981 + category II</td>
<td width="79" valign="top">Comply with standard in June 1981 + category I</td>
<td width="80" valign="top">Earthquake more than 6: strong</td>
</tr>
<tr>
<td width="125" valign="top">Security</td>
<td width="36" valign="top"></td>
<td width="98" valign="top">Security management level</td>
<td width="65" valign="top">Server room</td>
<td width="67" valign="top">Server room</td>
<td width="72" valign="top">Building and Server room</td>
<td width="79" valign="top">Site, building, server room, rack</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top">Power</td>
<td width="36" valign="top">1</td>
<td width="98" valign="top">Intake power redundancy</td>
<td width="65" valign="top">Single path</td>
<td width="67" valign="top">Single path</td>
<td width="72" valign="top">Multiple path (SNW, main/aux line, loop)</td>
<td width="79" valign="top">Multiple path (SNW, main/aux line, loop, ISO27001)</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top">2</td>
<td width="98" valign="top">Intake to UPS redundancy</td>
<td width="65" valign="top">Single path</td>
<td width="67" valign="top">Single path</td>
<td width="72" valign="top">Multiple paths</td>
<td width="79" valign="top">Multiple paths</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top">3</td>
<td width="98" valign="top">UPS to PDU redundancy</td>
<td width="65" valign="top">Single path</td>
<td width="67" valign="top">Single path</td>
<td width="72" valign="top">Multiple paths</td>
<td width="79" valign="top">Multiple paths</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top">4</td>
<td width="98" valign="top">On-site generation redundancy</td>
<td width="65" valign="top">No req.</td>
<td width="67" valign="top">N</td>
<td width="72" valign="top">N</td>
<td width="79" valign="top">N+1</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top">5</td>
<td width="98" valign="top">UPS redundancy</td>
<td width="65" valign="top">N</td>
<td width="67" valign="top">N</td>
<td width="72" valign="top">N+1</td>
<td width="79" valign="top">N+2</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top">HVAC</td>
<td width="36" valign="top">1</td>
<td width="98" valign="top">Redundancy</td>
<td width="65" valign="top">N</td>
<td width="67" valign="top">N</td>
<td width="72" valign="top">N+1</td>
<td width="79" valign="top">N+2</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top">2</td>
<td width="98" valign="top">Power support redundancy</td>
<td width="65" valign="top">Single path</td>
<td width="67" valign="top">Single path</td>
<td width="72" valign="top">Multiple paths</td>
<td width="79" valign="top">Multiple paths</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top">Communications infrastructure</td>
<td width="36" valign="top">1</td>
<td width="98" valign="top">Comm. route &amp; carrier redundancy</td>
<td width="65" valign="top">One path &amp; single carrier</td>
<td width="67" valign="top">Multiple paths &amp; single carrier</td>
<td width="72" valign="top">Multiple paths &amp; multiple carriers</td>
<td width="79" valign="top">Multiple paths &amp; multiple carriers</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top">2</td>
<td width="98" valign="top">On-premise network redundancy</td>
<td width="65" valign="top">One path</td>
<td width="67" valign="top">Multiple paths</td>
<td width="72" valign="top">Multiple paths</td>
<td width="79" valign="top">Multiple paths</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top">Management</td>
<td width="36" valign="top">1</td>
<td width="98" valign="top">On-site or not</td>
<td width="65" valign="top">No req.</td>
<td width="67" valign="top">No req.</td>
<td width="72" valign="top">On-site &gt; 8 hours/day</td>
<td width="79" valign="top">24&#215;365 on-site</td>
<td width="80" valign="top"></td>
</tr>
<tr>
<td width="125" valign="top"></td>
<td width="36" valign="top">2</td>
<td width="98" valign="top">Management type</td>
<td width="65" valign="top">Some</td>
<td width="67" valign="top">Management program with training</td>
<td width="72" valign="top">Comply with ISO27001 or FISC</td>
<td width="79" valign="top">ISO27001 certified or compliance with FISC</td>
<td width="80" valign="top"></td>
</tr>
</tbody>
</table>
<p>The optional items will be covered in an upcoming blog post.</p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/japan-data-center-council%e2%80%99s-facilities-standard-required/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lessons Learned from WikiLeaks: What is Information Security Exactly?</title>
		<link>http://tek-tips.nethawk.net/lessons-learned-from-wikileaks-what-is-exactly-information-security/</link>
		<comments>http://tek-tips.nethawk.net/lessons-learned-from-wikileaks-what-is-exactly-information-security/#comments</comments>
		<pubDate>Thu, 27 Jan 2011 13:46:06 +0000</pubDate>
		<dc:creator>Dejan Kosutic</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=2987</guid>
		<description><![CDATA[Nowadays WikiLeaks is a hot story for a good reason – it is not very common for confidential documents of the world’s most powerful government to be published on the Internet. And some of these documents are, to put it mildly, embarrassing. Here I am not going to write about whether it was legal for [...]]]></description>
			<content:encoded><![CDATA[<p>Nowadays WikiLeaks is a hot story for a good reason – it is not very common for confidential documents of the world’s most powerful government to be published on the Internet. And some of these documents are, to put it mildly, embarrassing.</p>
<p>Here I am not going to write about whether it was legal for WikiLeaks to publish such information or not, whether the information should have been made public because of the public interest or not, what is going to happen to its founder (at the time of writing this article Julian Assange was in custody) etc.</p>
<p>The problem is – if WikiLeaks is going to be shut down, a new WikiLeaks will appear. In other words, the threat of leaking information to the public is constantly increasing. (By the way, before he was jailed, Julian Assange had announced he would publish incriminating information about a major U.S. bank and its malpractice.)</p>
<p>I want to touch here on the corporate point of view – what if we are the next target of WikiLeaks or one of its clones? How do we ensure the security of our information and prevent the damage from such a large incident?</p>
<p><strong>Simple example</strong></p>
<p>But what does information security look like in practice? Let’s take a simple example – say you frequently leave your laptop in your car, on the back seat. Chances are, sooner or later it will get stolen.</p>
<p>What can you do to decrease that risk? First of all, you can make a rule (by writing a procedure or a policy) that laptops cannot be left in a car unattended, or that you have to park the car where some kind of physical protection exists. Second, you can protect your information by setting a strong password and encrypting your data. Further, you can require your employees to sign a statement by which they become legally responsible for any damage that may occur. But all these measures may remain ineffective if you don’t explain the rules to your employees through a short training.</p>
<p>So what can you conclude from this example? Information security is never a single security measure; it is always several of them working together. And the measures are not only IT-related, but also involve organizational issues, human resources management, physical security and legal protection.</p>
<p>The problem is – this was an example of a single laptop, with no insider threat. Now consider how complex it is to protect the information in your company, where the information is archived not only on your PCs, but also on various servers; not only in your desk drawers but also on all your mobile phones; not only on USB memory sticks but also in the heads of all employees. And you may have a very disgruntled employee.</p>
<p>Seems like an impossible task? Difficult – yes, but not impossible.</p>
<p><strong>How to approach it</strong></p>
<p>What you need to solve this complex problem is a framework. The good news is that such frameworks already exist in the form of standards – the most widespread is <a href="http://www.iso27001standard.com/en/services/blog">ISO 27001</a>, the leading international standard for information security management, but there are also others – COBIT, the NIST SP 800 series, PCI DSS, etc.</p>
<p>I’m going to focus here on ISO 27001 – I think it gives you a good foundation for building an information security system, because it offers a catalogue of 133 security controls and the flexibility to apply only those controls that are really needed in relation to the risks. But its best feature is that it defines a management framework for controlling and directing security issues, so that security management becomes a part of the overall management of an organization.</p>
<p>In short – this standard enables you to take into account all the information in its various forms, and all the risks, and gives you a path to carefully resolve each potential problem and keep your information safe.</p>
<p><strong>Consequences for business</strong></p>
<p>So, should the corporations be afraid that their information will leak to the public? If they are doing something illegal or unethical, they certainly should.</p>
<p>However, for companies operating legally, if they want to protect their business, they cannot think only in terms of return on investment, market share, core competence, and long-term vision. Their strategy must also take into account the security issues, since having insecure information can cost them much more than, for example, a failed launch of a new product. By security I mean not only physical security, because that is simply not enough anymore – the technology makes it possible for information to leak through various means.</p>
<p>What is needed is a comprehensive approach to information security – it doesn’t matter whether you use ISO 27001, COBIT or some other framework, as long as you do it systematically. And it is not a one-time effort, it is a continuous operation. And yes – it is not something your IT guys can do alone – it is something the whole company has to participate in, starting from the executive board.</p>
<p><em>Cross posted from ISO 27001 &amp; BS 25999 blog</em> &#8211; <a href="http://blog.iso27001standard.com" target="_blank">http://blog.iso27001standard.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/lessons-learned-from-wikileaks-what-is-exactly-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mandatory Documented Procedures Required by ISO 27001</title>
		<link>http://tek-tips.nethawk.net/mandatory-documented-procedures-required-by-iso-27001/</link>
		<comments>http://tek-tips.nethawk.net/mandatory-documented-procedures-required-by-iso-27001/#comments</comments>
		<pubDate>Thu, 13 Jan 2011 21:57:38 +0000</pubDate>
		<dc:creator>Dejan Kosutic</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[mandatory procedures]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=2966</guid>
		<description><![CDATA[If you heard that ISO 27001 requires many procedures, this is not quite true. The standard actually requires only four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action. The term “documented” means that “the procedure is established, [...]]]></description>
			<content:encoded><![CDATA[<p>If you heard that <a href="http://www.iso27001standard.com/en/services/blog" target="_blank">ISO 27001</a> requires many procedures, this is not quite true. The standard actually requires only four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action. The term “documented” means that “the procedure is established, documented, implemented and maintained” (ISO/IEC 27001, 4.3.1 Note 1).</p>
<p>Note: in this blog post I will not write about other mandatory documents like ISMS Scope, ISMS Policy, Risk Assessment Methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, etc. – here I focus on procedures only.</p>
<p>The procedure for the control of documents (document management procedure) should define who is responsible for approving documents and for reviewing them, how to identify the changes and revision status, how to distribute the documents, etc. In other words, this procedure should define how the organization’s bloodstream (the flow of documents) will function.</p>
<p>The procedure for internal audits must define responsibilities for planning and conducting audits, how audit results are reported, and how the records are maintained. This means that the main rules for conducting the audit must be set.</p>
<p>The procedure for corrective action should define how the nonconformity and its cause are identified, how the necessary actions are defined and implemented, what records are taken, and how the review of the actions is performed. The purpose of this procedure is to define how each corrective action should eliminate the cause of the nonconformity so that it wouldn’t occur again.</p>
<p>The procedure for preventive action is almost the same as the procedure for corrective action, the difference being that it aims at eliminating the cause of the nonconformity so that it wouldn’t occur in the first place. Because of their similarities, these two procedures are usually merged in one.</p>
<p>But why is it that ISO 27001 requires documented procedures that are not related to information security, while security procedures are not mandatory?</p>
<p>The answer is in risk assessment – ISO 27001 does require you to perform a risk assessment, and when this risk assessment identifies certain unacceptable risks, then ISO 27001 requires a control from its Annex A to be implemented that will decrease the risk(s). The control can be technical (for instance, anti-virus software for decreasing the risk of a malicious software attack), but could also be organizational – implementing a policy or a procedure (for instance, a back-up procedure). Therefore, procedures become mandatory only if the risk assessment identifies unacceptable risks.</p>
<p>One important note though – as opposed to the four mandatory procedures, which must be documented, the procedures arising from controls in Annex A do not have to be documented. It is up to the organization to decide whether such a procedure is to be documented or not.</p>
<p>You could consider the four mandatory procedures as the pillars of your management system (together with the security policy) – after they are firmly set in the ground, you can start building the walls of your house. This becomes obvious when you look at other management systems – the same four procedures are mandatory there, too – in ISO 9001 (quality management systems), ISO 14001 (environmental management systems), and <a href="http://www.iso27001standard.com/en/bs-25999/blog" target="_blank">BS 25999-2</a> (business continuity management systems). As a consequence, you can use these procedures as the main link between different management systems if you want to develop the so-called “integrated management system”.</p>
<p><em>Cross posted from ISO 27001 &amp; BS 25999 blog</em> &#8211; <a href="http://blog.iso27001standard.com" target="_blank">http://blog.iso27001standard.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/mandatory-documented-procedures-required-by-iso-27001/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to learn about ISO 27001 and BS 25999-2</title>
		<link>http://tek-tips.nethawk.net/how-to-learn-about-iso-27001-and-bs-25999-2/</link>
		<comments>http://tek-tips.nethawk.net/how-to-learn-about-iso-27001-and-bs-25999-2/#comments</comments>
		<pubDate>Wed, 29 Dec 2010 18:14:36 +0000</pubDate>
		<dc:creator>Dejan Kosutic</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/beta/blog/?p=2867</guid>
		<description><![CDATA[Educating yourself is certainly one of the best ways to facilitate your ISO 27001 and BS 25999-2 implementation. As there are more and more types of courses available, I&#8217;ll try to explain their benefits and the differences between them. The first is the list of in-person courses – these courses are still prevalent, but steadily [...]]]></description>
			<content:encoded><![CDATA[<p>Educating yourself is certainly one of the best ways to facilitate your ISO 27001 and BS 25999-2 implementation. As there are more and more types of courses available, I&#8217;ll try to explain their benefits and the differences between them.</p>
<p>The first is the list of in-person courses – these courses are still prevalent, but steadily losing share in favour of online courses (explained at the end of this article).</p>
<p><strong>ISO 27001 or BS 25999-2 Lead Auditor Course</strong></p>
<p>This is the most popular course for either <a href="http://www.iso27001standard.com/en/services/blog">ISO 27001</a> or <a href="http://www.iso27001standard.com/en/bs-25999/blog">BS 25999-2</a> – it lasts 5 days, and finishes with a written exam. The exam is quite difficult, so one could consider that this is the top course for those two standards. If you do pass the exam, you can become an auditor for a certification body, but that is not its main benefit – it is the most useful for professionals implementing the standards because it gives an excellent overview of the standards and provides in-depth explanations of what the certification auditors will ask for at the certification audit. Therefore, it is useful for both auditors and implementers.</p>
<p>The target audience for this course is professionals with moderate or significant experience in information security, business continuity, auditing or IT. You should choose only accredited courses (e.g. accredited by IRCA, www.irca.org).</p>
<p><strong>ISO 27001 or BS 25999-2 Lead Implementer Course</strong></p>
<p>This course is somewhat similar to, but not as popular as, the ISO 27001 or BS 25999-2 Lead Auditor Course. The difference is that it focuses on implementation techniques rather than auditing techniques – therefore, if certification is not your concern, you may find this course more suitable.</p>
<p>Here the target audience is similar – professionals with moderate or significant experience in information security, business continuity or IT.</p>
<p><strong>ISO 27001 or BS 25999-2 Internal Auditor Course</strong></p>
<p>This course is a “light” version of the ISO 27001 or BS 25999-2 Lead Auditor Course – it usually lasts 2 or 3 days, may or may not include an exam, and its content is a condensed version of the Lead Auditor Course. The main difference is that with this course you cannot pursue a career as an auditor in a certification body; however, if you want a systematic introduction to the world of ISO 27001 or BS 25999-2, or you plan to be an internal auditor in your company, this course is the right choice for you.</p>
<p>The target audience is professionals with little or moderate experience in information security, business continuity or IT.</p>
<p><strong>ISO 27001 or BS 25999-2 Foundation Course / Introduction Course</strong></p>
<p>These courses usually last one or two days – their purpose is not to teach you auditing or implementation techniques, but to give you an overview of the requirements and implementation issues. If you don’t have a lot of time to spare and you want to know what your company will be experiencing during implementation, do consider one of these courses.</p>
<p>The target audience is members of management, or professionals with no experience in information security or business continuity.</p>
<p><strong>Other information security / business continuity courses</strong></p>
<p>You may have heard of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) – although I consider these courses very useful for your information security or business continuity career, they are not directly relevant to ISO 27001 or BS 25999-2. Therefore, you should attend CISA, CISM and/or CISSP after you complete courses directly related to the two standards.</p>
<p><strong>Online courses</strong></p>
<p>In addition to the above-mentioned in-person courses, online courses (either in the form of e-learning or live webinars) are becoming increasingly popular, partly because of the lower costs – no travel expenses, no time lost away from the office. There are more and more vendors on the Internet offering more and more quality content (including our <a href="http://www.iso27001standard.com/en/services/e-learning-tutorials">Information Security &amp; Business Continuity Academy</a>) – you can find courses lasting from 1 hour (e.g. free webinars) to a few weeks (e.g. e-learning courses).</p>
<p>The main benefit of online courses is that you can receive more relevant knowledge in a shorter period of time and for less money, although the question of the real effectiveness of such courses still remains unanswered.</p>
<p>But, regardless of which form or type of course you take, be sure about one thing – the return on investment will show very quickly.</p>
<p><em>Cross posted from ISO 27001 &amp; BS 25999 blog</em> &#8211; <a href="http://blog.iso27001standard.com">http://blog.iso27001standard.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/how-to-learn-about-iso-27001-and-bs-25999-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
