
Explaining standards

15 August, 2011
Dr Angelika Plate, director of strategic security consulting, HelpAG

The government of Abu Dhabi has recognised its growing dependence on information and information processing systems, and with it the importance of information security. To be proactive, the Abu Dhabi Systems and Information Centre (ADSIC) has put an Information Security Programme in place, which aims to protect sensitive government information against a wide range of risks. This Information Security Programme includes a set of standards, guidance documents and templates that the Abu Dhabi government can use to implement information security as part of its business operations, and ADSIC provides certification against its Information Security Programme. It is mandatory for Abu Dhabi government entities to achieve such certification, currently for at least one of their IT services.

ISO/IEC 27001, on the other hand, is an international standard that defines the requirements for an information security management system. It can be used by any organisation irrespective of size and type of business, and its aim is to specify what an organisation needs to do to establish and maintain a managed framework for information security. Certification against ISO/IEC 27001 can be achieved through independent accredited certification bodies, which provides confidence in the way the organisation handles information security. The decision whether to aim for ISO/IEC 27001 certification, and what to certify (all or part of the organisation), is left entirely to the enterprise that wishes to claim compliance with this international standard. ISO/IEC 27001 has been used by many organisations around the world; ISO counted the certifications at the end of 2009 (the latest count is still outstanding) and identified more than 12000 certificates worldwide.

The ADSIC standards have been developed on the basis of ISO/IEC 27001 and other documents in the ISO 2700x family of standards. Other documents, such as guidelines developed by the US National Institute of Standards (NIST), have also been used in the development of the ADSIC Security Standards. What all these documents have in common is that they want to help organisations, in one way or another, to secure their information. In all these standards, special importance is given to risk assessment and risk treatment, which aim to ensure that an organisation identifies the information security risks to its business and adopts appropriate measures to counter them.

Because of the obvious similarities between the ADSIC Security Standards and ISO/IEC 27001, there are considerable benefits for organisations that want to apply for both. Many of the processes specified in detail in the ADSIC Security Standards are also required, at a higher level, by ISO/IEC 27001, so any organisation wishing to achieve both types of certification can use the methodologies prescribed by ADSIC to address the requirements of ISO/IEC 27001.

Whilst this still leaves some work specific to each of the two certifications (a detailed assessment of the technical security in place for ADSIC, and several management system processes for ISO/IEC 27001), the overlap is large enough to considerably reduce the cost if both standards are implemented together.