Information Security

For large, small and medium-sized businesses, information security is a minefield. If you get it wrong, you can end up losing a lot of money, or your business, or you might even end up in prison. You might think that you are unlikely to get a virus or a worm if you have anti-virus software. You might think that you are unlikely to get hacked because the bad guys are not out to get you. Think again!

Prevention is better than the cure, if you know how to go about it. There is a lot of mystique about information security, and it can be difficult to decide what to do.


Information and Information Security

Information is an asset which, like other important business assets, is essential to an organisation's business and consequently needs to be suitably protected.

Information Security is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities.


Information - A Valuable Asset

Without suitable protection, information can be:

  • Given away, leaked or disclosed in an unauthorised way
  • Modified without your knowledge so that it becomes less valuable
  • Lost without trace or hope of recovery
  • Rendered unavailable when needed

Information should be protected and properly managed like any other important business asset of an organisation.


TMS Services

TMS Consultancy can assist your organisation in implementing an effective Information Security Management System (ISMS) based on the new International Standards such as ISO 27001 and ISO 17799. TMS has already implemented its own ISMS and has identified a management objective of gaining certification of that ISMS to ISO 27001 within 2006.


Types of Information

From a security perspective, appropriate protection should be applied to information in all of its forms:

  • Paper (printed or written)
  • Databases
  • Films
  • View Foils
  • Tapes
  • Diskettes
  • CD ROMs/DVDs
  • Conversations
  • Post
  • eMail

Whatever form the information takes, and whatever means by which it is shared or stored, it should always be appropriately protected.


Information Security

Information Security is characterised as the preservation of:

  • Confidentiality: ensuring that information is accessible only to those authorised to have access
  • Integrity: safeguarding the accuracy and completeness of information and processing methods
  • Availability: ensuring that authorised users have access to information and associated assets when required

In some organisations, integrity and/or availability may be more important than confidentiality.


International Standards

BS 7799 Part 1 is the equivalent of ISO 17799:2005.

This is a standardised code of practice for information security management.

BS 7799 Part 2 is the equivalent of ISO 27001:2005.

This standard provides a specification for an ISMS and the foundation for third-party audit and certification.


Irish Standards

I.S. 17799-2:2000 is the Irish adoption of the Specification produced by the 17799 International User Group, which is currently being aligned more closely with other management system standards such as ISO 9001 and ISO 14001 to make it suitable for international adoption by ISO/IEC. (NSAI website)

The Process for Implementing an ISMS

1. Define an information security policy
2. Define the scope of the information security management system
3. Perform a security risk assessment
4. Manage the identified risks
5. Select the controls to be implemented and applied
6. Prepare an SoA (a "Statement of Applicability")


Documentation Requirements

TMS can work with your organisation to develop all of the documentation you need to implement an effective ISMS that meets the requirements of the International Standards. The documentation requirements include the following:

  • ISMS Policy Statement
  • Documented scope of the ISMS
  • Procedures and controls in support of the ISMS
  • A description of the risk assessment methodology
  • The risk assessment report
  • The risk treatment plan
  • Documented procedures needed to ensure effective planning, operation and control of the ISMS
  • Records required by the standard
  • The Statement of Applicability
