Please note that this is a page from a previous version of Continuity Central and is no longer being updated.



New ISO/IEC technical report provides information security control guidelines

A new ISO/IEC technical report (TR) providing technical controls and compliance guidelines for auditors can improve the effectiveness of an organization’s information security system, says ISO.

ISO/IEC TR 27008:2011, ‘Information technology – Security techniques – Guidelines for auditors on information security controls’, aims to instill confidence in the controls underpinning an organization’s information security management system. The review applies to all parts of the organization, including business processes and its information systems environment.

“The business environment is constantly changing – along with threats to a company’s survival. Organizations need to be ahead of the game, and an excellent defence can be built around audit of the controls used to support the information security,” says Edward Humphreys, leader of the working group that developed the new document.

“ISO/IEC TR 27008:2011 supports a rigorous organizational security audit and review programme for information security controls, to enable the organization to have confidence that their controls have been appropriately implemented and operated and that their information security is ‘fit for purpose’.”

ISO/IEC 27008 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking. The document is principally aimed at information security auditors who need to check the technical compliance of an organization’s information security controls against ISO/IEC 27002 and any other control standards used by the organization. ISO/IEC TR 27008 will help them to:

  • Identify and understand the extent of potential problems and shortfalls of information security controls;
  • Identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities;
  • Prioritize information security risk mitigation activities;
  • Confirm that previously identified or emergent weaknesses or deficiencies have been adequately addressed;
  • Support budgetary decisions within the investment process and other management decisions relating to improvement of the organization’s information security management.


• Date: 9th November 2011 • Region: World • Type: Article • Topic: BC standards
