ISO 27001 Certification and PCI DSS Compliance
Adapted from the British Standards Institution (BSI) standard BS 7799, which was originally written by the Department of Trade and Industry (DTI), ISO 27001:2005 contains 134 controls organised into 12 main sections. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS).

As information, whether electronic or hard copy, becomes more prolific within organisations, the risk to the business and the impact of the loss or corruption of that information also increase. Achieving compliance with ISO 27001:2005 affirms that your organisation has established, and can demonstrate, that the confidentiality, integrity and availability of its information are adequately addressed, providing:

  • A common organisational security objective and standard
  • Identification and clarification of existing information security management processes
  • Effective management of security incidents and risks
  • Confidence for your existing and prospective customer base
  • A competitive advantage and market differentiator

Moreover, information security is now an important factor in the selection of service providers for most organisations, particularly those within the finance, health, public and IT sectors, and will soon become a contractual or service level agreement requirement.

ISO 27001:2005 is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental management systems) standards. The three standards share system elements and principles, including the adoption of the Plan, Do, Check, Act (PDCA) cyclic process.

Fairland assist clients in initiating, creating and maintaining an ISO 27001:2005 ISMS, and in providing training and awareness for staff, fully supporting the organisation throughout the implementation process.

Fairland also consult on and assist in the creation of policies and procedures, working with all relevant internal departments to provide a solution that suits the organisation and enables staff to operate with a full understanding of its requirements, the types of information to secure and how they should report incidents.

As part of this process, Fairland perform a comprehensive review of your existing security processes and procedures, including levels of information security risk, and compare them with those required by ISO 27001:2005. The results form the basis of a gap analysis and risk assessment, which can be developed into a comprehensive programme of cyclic improvement.

The final step is to demonstrate to an independent auditor that your internal controls meet corporate governance and business continuity requirements. Fairland’s consultants can guide your organisation through the certification process and take part in it, which can prove invaluable.

PCI DSS COMPLIANCE
Accurate scoping and documentation of the cardholder data environment is critical to a project's success. Any system that stores, processes or transmits cardholder data post-authorisation is in scope for PCI DSS v1.2. This also applies to any third party, contractor or service provider who may have access to such systems (directly or indirectly), or who manages all or part of a cardholder data environment.

A Fairland PCI DSS gap analysis gives you an immediate snapshot of where you stand and what you need to do to achieve PCI DSS compliance. Our consultants have solid QSA experience but, more importantly, have business experience and know how to ensure your project is a success.

Security testing is an important verification control (in addition to auditing) to ensure your systems are built securely. Testing should be approached holistically rather than focusing on a single attack vector (e.g. applications, networks or wireless). Good security testing incorporates the areas of risk identified by your risk assessment and should cover processes and social engineering in addition to 'traditional' application and network testing.