Posludio

"Aquello que termina o sirve de finalización a algo"

Archive for April 2007

ISO/IEC 27001 acreditation for certification bodies

leave a comment »


Actually we are a small security company with the first Colombian 27001 certificate of an ISMS. Two other companies have certificated ISMS but with the old BS7799-2. Our certification is a stone in the shoe for some companies that in Colombia do not have this certificate. The technique, FUD: Fear, Uncertainty and Doubt in some security lists in Colombia. The pattern, questioning the validity of our certificate emitted for our certification body.  Our intentions: Be the bests with facts, not with words.  Moving fast using our small size.

To solve this issue I read a lot and I think that is useful for everybody to know this summary. First of all some definitions:

1. Accreditation: Procedure by which an authoritative body gives formal recognition that a body or person is competent to carry out specific tasks.

2. Certitication: Procedure by which a third party gives written assurance (certificate of conformity) that a product, process or service conforms to specified requirements.

The main goal is the confidence related with the conformity (similar to the PKI problem). In this sense, there are some goverment organization in the country that runs the accreditation function, for instance, UKAS in England, SIC in Colombia. This organizations accredit the certification bodies, whom, in the future, runs the certification process.

Following a similar processIn the same waprocess.In

To achieve the accreditation, the certification body must comply with some requirements, but which are this requirements? For now there are three alternatives for the acreditation related with 27001.

1. ISO/IEC 27006:2007: Of course, this standard is very new, and I could not find references of certifications bodies accredited with this standard

2.EN 45012:1998 modified for information security management systems certification: The certification body BSI is actually accredited with this standard, but the scope does not cover any locations in latin america (Brazil and Mexico, for instance).

3. EA 7/03.

Additionally is possible to achieve some level of confidence, with Multi-Lateral Agreements (MLA). A multilateral agreement, recognize the validity of some kind of certification between accreditation bodies or certification bodies. For example, Icontec, now is not accredited even in ISO9000 by the SIC or another accreditation body, but have MLA with IQNet, given some kind of confidence to his certificated customers.

Another important point here, is that every certification body needs at least one audit of an ISMS in a company to get his accreditation for the accreditation body.

In this sense is important to say, that our certificate is valid only for the companies or people who trust in the independence of our certification body, because for now, they are not accredited and does not have MLA related with ISO/IEC 27001.

However there are very interesting discoveries, like BSI Brasil and BSI Mexico are not accredited certification bodies, neither with UKAS or another accreditation body.

Advertisements

Written by jalvarez

2007/04/11 at 07:08

Posted in Seguridad

Formal definitions and data models for ITIL/ITSM concepts

leave a comment »


During this holy week, I read the ITIL v2 Service Support and Service Delivery books.  Both are full of ambiguity in the descriptions of the core concepts in the IT Service Management philosophy:  Incident, Problem, Known Error, Configuration Item and so on.  However, until 6 days of only thinking in that I saw the light, this great book:

Architecture and patterns for IT service management.

Now, is more feasible to implement the multi-organization CMDB that I’ am designing for Fluidsignal Group in Twiki.   For now, I only have the prototype in our testing environment, but everything looks very good for the presentation on friday to all the company.  I think that all of these are great steps going forward our ISO/IEC 20000 certification and a better work everyday.

Written by jalvarez

2007/04/11 at 06:21

Twelve tips for managing geeks

with one comment

Written by jalvarez

2007/04/07 at 02:39

Consuelo

with one comment


“We’re all ignorant, only on different topics” – Mark Twain

Written by jalvarez

2007/04/04 at 17:29

Posted in Citas