ISO 27001

Metricus ISO/IEC 27001

Information security is the process of protecting information. ISO/IEC 27001 is the de facto standard for an Information Security Management System (ISMS), a system designed to bring information security under strict management control.

With an increasing reliance on technology, the importance of information security has steadily been increasing. The majority of corporations have several types of information security controls in place. However, without a management system, those controls are disorganized and are created on a case-by-case basis rather than as part of a complete, coherent system. Metricus allows organizations to measure their alignment with the standard and its requirements, presenting the results in a comprehensible manner.

ISO/IEC 27001 requires the management to:

  • Regularly inspect a company’s IT security risks.
  • Install and maintain a coherent network of information security controls.
  • Design a process for checking whether the network of security controls continues to meet the corporation’s needs.

Metricus provides guidance based on internationally accredited and recognized standards; our metrics are in line with the guidelines of ISO/IEC 27001 to ensure proper alignment with the major information security standard.

Examples:

Risk assessment and treatment:
  • Percentage of IT Risk Events Assessed – the percentage of known IT risk events that were assessed as part of the Risk Management process during a selected time period
  • Percentage of IT Risk Events Action Plan Developed – the percentage of known IT risk events for which an IT Risk Action Plan exists
Access Control:
  • Percentage of Domain Accounts with a Weak Password – the % of total user domain accounts that are classified as having a weak password, that is, a password that does not comply with IT password policies
  • Percentage of Servers Without a Password Policy – the % of servers that do not have a password policy implemented. A password policy is a clearly defined set of rules that dictate how passwords should be established and maintained. All servers, including development, staging, and production, should adhere to a corporate password policy in alignment with corporate security standards.
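As an added example (not Metricus code), the two access-control metrics above can be computed from audit records like these; the policy thresholds, record fields, account and host names are all assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical IT password policy; the thresholds are assumptions for this example.
POLICY = {"min_length": 12, "min_char_classes": 3, "max_age_days": 365}

@dataclass
class AccountAudit:
    """A domain account as reported by a hypothetical password-audit scan
    (attributes of the password only, never the password itself)."""
    name: str
    password_length: int
    char_classes: int        # how many of lower/upper/digit/symbol are present
    password_age_days: int

@dataclass
class ServerRecord:
    hostname: str
    password_policy: Optional[str]    # name of the policy applied, or None

def is_weak(acct: AccountAudit, policy=POLICY) -> bool:
    """Weak = violates any rule of the IT password policy."""
    return (acct.password_length < policy["min_length"]
            or acct.char_classes < policy["min_char_classes"]
            or acct.password_age_days > policy["max_age_days"])

def pct_weak_password_accounts(accounts, policy=POLICY) -> float:
    """Percentage of Domain Accounts with a Weak Password."""
    if not accounts:
        return 0.0
    return round(100.0 * sum(is_weak(a, policy) for a in accounts) / len(accounts), 1)

def pct_servers_without_policy(servers) -> float:
    """Percentage of Servers Without a Password Policy; every environment counts."""
    if not servers:
        return 0.0
    return round(100.0 * sum(not s.password_policy for s in servers) / len(servers), 1)

# Constructed sample audit data (not real accounts or hosts).
ACCOUNTS = [
    AccountAudit("alice", 16, 4, 40),
    AccountAudit("bob", 8, 2, 10),           # too short, too few classes
    AccountAudit("svc_backup", 20, 3, 400),  # not rotated within max age
    AccountAudit("carol", 12, 3, 30),
]
SERVERS = [
    ServerRecord("web01", "corp-pw-v2"),
    ServerRecord("db01", None),              # production host with no policy
    ServerRecord("dev01", "corp-pw-v2"),
    ServerRecord("stage01", "corp-pw-v2"),
]
```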
