As most of you know, security isn't only about firewalls, security software and appliances; it also incorporates procedures, best practices and standards, which some organizations ignore, especially small-to-medium businesses. If your organization cannot afford a certification exercise, I recommend going through these frameworks and adopting the pieces you see fit for your organization. The main technology and business related ISO (International Organization for Standardization) certifications are as follows:
ISO 20000 - IT Service Management: It is an international standard for IT service delivery management and deals with helpdesk procedures, handling of computer incidents and problem resolution. I consider it the organization's internal SLA, where IT staff can specify and aim for improved response and fix times. It also deals with root cause and impact analysis. If no procedures are in place, a good starting point for your organization would be the change and configuration management of IT systems. In brief, it helps organizations build their incident and problem management frameworks around these specifications.
ISO 27001 - Information Security Management: It is an international standard that certifies physical and logical security controls and procedures, compliance and data protection management. This security framework helps you establish security controls such as access controls, among others. It also helps you build the right competencies and skills.
ISO/PAS 22399:2007 (British Standards Institution 25999) - Business Continuity Management: This international standard defines the best practices that ensure the continuity of operation of an organization in cases of major incidents. Ensuring continued availability does not only mean having the key resources moved to another site; it also includes people and level-of-service factors.