Design a network compliant with ISO 27001 ???

NetMaxtor asked
Medium Priority
375 Views
Last Modified: 2010-04-11
Hi Experts,

I need to design a network with a couple of servers, with WAN, LAN and PSTN connectivity, that is compliant with ISO 27001.
What are the guidelines for this? Please point me to some resources.

Please advise!

Thanks a lot!

Top Expert 2007
Commented:
Hi,

ISO 27001 is about "Information Security Management Systems Requirements" (ISMS).
Then there is ISO 17799, which is the "Code of Practice for information security management". This is a best practice and will be renamed ISO 27002 in the future.
Both originate from BS-7999.
27001 used to be part 2 and 27002 used to be part 1.
A little confusing, eh?
Let me clarify:
ISO 27001 is a process approach to implementing the controls defined in ISO 17799 (27002).
So you will need both. The process is as follows:
1) Define an information security policy
2) Define scope of the information security management system
3) Perform a security risk assessment
4) Manage the identified risks
5) Select controls to be implemented and applied (ISO 17799)
6) Prepare an SoA (a "statement of applicability")

You can buy the ISO standard documents here:
https://eshop.bsi-global.com/ProductListing.aspx?cat=InformationTechnology%2fInformationSecurity
But don't try to take this to the letter and implement everything.
For the auditors, you do not need to implement every control. You have to keep it pragmatic and look at your business.
And then be able to document why you have exceptions.
Also: start small. Implementing this is typically a 3-year project.
So start with the basics and a simple policy. Next year go further, etc.
Auditors understand this. They will start with the basics and request more advanced controls and processes for the next year.
Keep it practical; no user or manager will read a 300-page policy.

For a quick start, SANS has a free checklist here: http://www.sans.org/score/checklists/ISO_17799_2005.doc

Also see:
- http://www.iso27001security.com/
- http://www.17799.com/ (a discussion forum)

J.

Author

Commented:
Thanks a lot!