ISO 27002 Compliance
ISO 27002 is an international security standard or "code of practice for information security management" published by the ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission). These two international standards organizations have a membership that includes the standards bodies from many countries.
ISO 27002 was originally published in October 2000 as ISO 17799. At that time, ISO 17799 was generally accepted as a replacement for the earlier BS 7799 standard which was published by the British Standards Institute. In 2007, the standard was renamed from ISO 17799 to ISO 27002 in order to align all information security standards under a common naming structure (the 'ISO 27000 series').
ISO 27001 is a specification for an Information Security Management System (ISMS). It is the foundation for third-party audit and certification. While other sets of information security controls may be used within an ISO 27001 ISMS, the ISO 27002 controls are the ones normally used in practice.
The challenge of dealing with the general controls compliance requirement for even one regulation can be intimidating and cost prohibitive. Multiply that by two or even three regulations and the complexity grows exponentially. How are mature organizations managing the challenge of demonstrating compliance with multiple regulations?
The key to success stems from identifying a common framework for implementation and mapping the regulatory requirements to that framework. Because the goal of ISO 27002 is to provide a comprehensive security framework, its requirements are very broad in their impact, typically affecting all aspects of an IT organization. This broad scope is the main reason why ISO 27002 has been adopted by many mature organizations as that common framework.
Our ISO 27002 Solutions
In addressing the requirements to meet ISO 27002 standards across the working sections, our products can help in a number of areas, including:
- Security Policy. VigilEnt Policy Center automates the process of information security policy establishment, review and approval. The first step in achieving ISO 27002 standards acceptance is the creation of a formal, written set of Information Security policies. VigilEnt Policy Manager enables companies of all sizes and industries to develop a set of policies, standards and other internal security guidelines, and publish them to all stakeholders for review. Sentinel Enterprise helps you prove compliance with security and access policies with automated security monitoring and incident response management that formalizes the process of tracking, escalating and responding to policy violations.
- Access Control. Directory and Resource Administrator gives you the ability to control administrative privilege at a granular level, enabling you to drastically reduce the number of users with elevated access to sensitive business information stored in Active Directory. It ensures consistency between the access controls of multiple systems and enforces separation of duties between development and operations teams. Identity Manager automates the management of user identities and access rights throughout their lifecycle. You can grant users role-based access to resources when their relationship with your organization begins, update access rights when their role changes, streamline password management and immediately remove access rights when the relationship ends. Access Manager makes sure only authorized users can access sensitive information inside or outside your firewall—with SSL VPN, identity federation, web single sign-on and more. SecureLogin enforces security policies and restricts users' access to sensitive information.
- Business Continuity Management. ISO 27002 standards require you to establish plans to reduce the risk of business interruption, limit the consequences of damaging incidents and ensure the timely resumption of operations. The AppManager Suite provides you with the capability to manage service levels, ensure compliance with SLAs, decrease recovery time and more effectively resolve root causes of system and application problems that can result in outages.
Security Manager protects against intrusions, manages and correlates security events and sends notifications to appropriate personnel. It also delivers remediation, such as deletion of unauthorized processes or services and server shutdown upon virus detection.
PlateSpin Protect is a disaster recovery software product that uses virtual infrastructure capacity to protect both physical and virtual workloads.
PlateSpin Forge is an all-in-one disaster recovery hardware appliance. It protects both physical and virtual workloads, and supplies protection logs that demonstrate successful replication and recovery tests. These logs provide the audit capabilities you need to meet regulatory requirements.
- Compliance. To achieve success in acceptance and usage of the ISO 27002 standards, compliance to the standards must be demonstrated. Secure Configuration Manager assists in this by identifying and reporting on observed or suspected security weaknesses, including malicious software, multiple user IDs and accounts, weak passwords, inappropriate user access rights and systems lacking proper audit enablement.
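The kind of configuration assessment described above (multiple accounts per person, inappropriate administrative rights, weak password settings, hosts without audit logging) is easy to illustrate with a small script. The following is an added example written for this page in Python; it is not code from Secure Configuration Manager or any other product named here. The inventory, the approved-administrator list and the password-policy baseline are all constructed and hypothetical, and the control names reuse the section headings from this page rather than ISO 27002 clause numbers.

```python
from collections import defaultdict

# Constructed sample inventory for illustration; hosts, accounts and the
# approved-administrator list are hypothetical, not exported from any product.
INVENTORY = {
    "hosts": [
        {"name": "web01", "audit_enabled": True,
         "password_policy": {"min_length": 14, "complexity": True, "max_age_days": 90}},
        {"name": "db01", "audit_enabled": False,
         "password_policy": {"min_length": 6, "complexity": False, "max_age_days": 0}},
    ],
    "accounts": [
        {"id": "alice", "owner": "Alice Example", "host": "web01", "admin": False},
        {"id": "alice-adm", "owner": "Alice Example", "host": "web01", "admin": True},
        {"id": "alice2", "owner": "Alice Example", "host": "db01", "admin": False},
        {"id": "bob", "owner": "Bob Example", "host": "db01", "admin": True},
        {"id": "svc_backup", "owner": "Backup Service", "host": "db01", "admin": True},
    ],
    "approved_admins": {"Alice Example", "Backup Service"},
}

# Assumed baseline values for the password-policy check (hypothetical).
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 180


def finding(control, check, subject, detail):
    """Uniform finding record; 'control' names the ISO 27002 area from the page."""
    return {"control": control, "check": check, "subject": subject, "detail": detail}


def check_multiple_accounts(inv):
    """Flag owners holding more than one standard (non-admin) account.
    A separate administrative account per person is expected practice, so
    admin accounts are not counted against the owner."""
    by_owner = defaultdict(list)
    for acct in inv["accounts"]:
        if not acct["admin"]:
            by_owner[acct["owner"]].append(acct["id"])
    return [finding("Access Control", "multiple-accounts", owner, sorted(ids))
            for owner, ids in sorted(by_owner.items()) if len(ids) > 1]


def check_admin_rights(inv):
    """Flag administrative accounts whose owner is not on the approved list."""
    approved = inv["approved_admins"]
    return [finding("Access Control", "unapproved-admin", acct["id"],
                    f"owner {acct['owner']!r} not approved for admin on {acct['host']}")
            for acct in inv["accounts"]
            if acct["admin"] and acct["owner"] not in approved]


def check_password_policy(inv):
    """Flag hosts whose password policy falls below the assumed baseline."""
    out = []
    for host in inv["hosts"]:
        pol = host["password_policy"]
        reasons = []
        if pol["min_length"] < MIN_PASSWORD_LENGTH:
            reasons.append(f"min_length {pol['min_length']} < {MIN_PASSWORD_LENGTH}")
        if not pol["complexity"]:
            reasons.append("complexity not enforced")
        if pol["max_age_days"] == 0 or pol["max_age_days"] > MAX_PASSWORD_AGE_DAYS:
            reasons.append(f"max_age_days {pol['max_age_days']} outside 1..{MAX_PASSWORD_AGE_DAYS}")
        if reasons:
            out.append(finding("Access Control", "weak-password-policy", host["name"], reasons))
    return out


def check_audit_enabled(inv):
    """Flag hosts with audit logging switched off."""
    return [finding("Compliance", "audit-disabled", host["name"], "audit logging disabled")
            for host in inv["hosts"] if not host["audit_enabled"]]


def run_checks(inv):
    """Run every check and return the combined findings in a stable order."""
    findings = []
    for check in (check_multiple_accounts, check_admin_rights,
                  check_password_policy, check_audit_enabled):
        findings.extend(check(inv))
    return findings


def summarize(findings):
    """Count findings per control area, for the summary line of a report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["control"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = run_checks(INVENTORY)
    for f in results:
        print(f"[{f['control']}] {f['check']}: {f['subject']} -> {f['detail']}")
    print("summary:", summarize(results))
```

Each check returns structured findings tagged with the control area they support, so the same output can be rolled up per area for an audit report or fed into a ticketing workflow. Note that the multiple-accounts check deliberately ignores dedicated administrative accounts: flagging every "alice"/"alice-adm" pair would punish exactly the separation the Access Control section asks for.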