ISO 27002 (previously known as ISO17799) – Information Security Code of Practice & SB 1386.

ISO/IEC 27002:2005 (ISO 27002) – the best practice Code of Practice for Information Security Management (previously ISO 17799, until it was renumbered in May 2007) – provides a framework of international best practice for any organization that wishes to establish a comprehensive information security management program and/or improve its current information security practices.

The globally recognised standard ISO 27002 provides guidelines and general principles for:

· Initiating,
· Implementing,
· Maintaining, and
· Improving information security management within an organization.

ISO 27002 provides a common basis for all organizations in developing their organizational security standards, and effective security management practices, while also helping to build confidence in inter-organizational activities. 

ISO 27002 recommends that organizations undertake risk assessments and deploy best practice information security controls in the following areas:   

  1. Risk assessment
  2. Security policy - management direction
  3. Organization of information security - governance of information security
  4. Asset management - inventory and classification of information assets
  5. Human resources security - security aspects for employees joining, moving and leaving an organization
  6. Physical and environmental security - protection of the computer facilities
  7. Communications and operations management - management of technical security controls in systems and networks
  8. Access control - restriction of access rights to networks, systems, applications, functions and data
  9. Information systems acquisition, development and maintenance - building security into applications
  10. Information security incident management - anticipating and responding appropriately to information security breaches
  11. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  12. Compliance - ensuring conformance with information security policies, standards, laws and regulations

The ISO 27002 information security controls are generally regarded as a best practice means of achieving risk reduction objectives; ISO 27002 provides vendor-neutral implementation guidance on each control. ISO 27002 recommends that you consider each of these control areas as you establish or improve your organization’s information security management program, but ISO 27002 does not mandate specific controls since specific security requirements are unique to every individual organization.

The risk assessment recommended in ISO 27002 fulfils perfectly the requirements contained in legislation such as the Californian Senate Bill 1386 (SB 1386).

SB 1386 requires any organization that maintains personal information in computerized format to disclose any breach of the security of this data to the California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person(s). By giving consumers such notice, SB 1386 gives them the opportunity to take proactive steps to ensure that they do not become victims of identity theft.

Californian law states that organizations that fail to comply with SB 1386 can be sued in a civil court by those individuals whose personal details have been compromised. The potential for numerous expensive litigations, coupled with the financial cost of a tarnished public image and the impact of a loss of customer confidence would undoubtedly have dire consequences for any organization.

The Californian State Information Security Office, in its ‘Information Security Program Guide for State Agencies’ for SB 1386 compliance, advocates that preventative measures implemented as a result of an ISO 27002 risk assessment will help the organization comply with SB 1386 as well as numerous other national and international breach laws.

http://www.oispp.ca.gov/government/documents/pdf/Info_Sec_Program_Guide_Final_Oct07.pdf
