White Papers

Jump to…

Policy, regulatory and standards conformity through an ISMS  2006-09

Abstract:  A model for how to use an ISMS to encompass and demonstrate conformity to other policy, regulation and standards which an organization is required or chooses to observe. The paper develops a four-layer approach to mapping other reference sources into the ISMS model, using the resultant Statement of Applicability to show which controls map to those other sources. It then describes a process for establishing the relationships between the ISMS and other reference sources.


ISMS – a comparison of HIPAA and the ISO/IEC 27000 series of standards  2005-12

Abstract: A comparison between the HIPAA Security Standards clauses and the ISO/IEC 27001 management system requirements and ISO/IEC 27002 code of practice which makes a comprehensive mapping demonstrating that the basic ISMS controls cover more than 90% of the HIPAA Security Standards needs and (in the full paper) providing an Extended Control Set which describes additional controls and implementation guidance which entities subject to the Security Standards should adopt to implement an ISMS which can be used to manage and demonstrate their HIPAA Security Standards compliance.

NB – this paper refers to the predecessor of 27002, ISO/IEC 17799:2005.

For details of how to have access to and apply the full papercontact us.


FISMA & ISMS Alignment  2006-12

Abstract:  The US Federal Information Security Management Act (2002) requires Federal executive departments and agencies to put in place a comprehensive information secuirty management programme.  This programme extends to contractors and suppliers where the their services are pertinent in the context of risk.  The FISMA Implementation Project has been created to support the implementation of FISMA.  Its Phase I, now virtually complete, has established a revised standard (NIST SP 800-53 Revision 1) which guides Federal entities in their implementation of FISMA.  Phase II of the Implementation Project is to establish a means for accrediting (credentialling) those organizations which will perform assessments.  This paper puts forward a case for aligning the FISMA processes with the international ISMS framework processes, and promotes such an alignment as a means to reduce overall costs and enhance overall efficiency of information security management.


The Melton Mowbray Assessment  2006-09

Abstract:  A ‘special’ report on pie tasting produced by one slightly daft ISMS expert following a rather strange request from another equally daft ISMS expert.  This is unlikely to edify too much, at least in the context of ISMSs, but it may entertain.

Obituarial note: Willie List, who features in this paper, passed away in November 2007. He was a friend and mentor to me. His character combined a degree of eccentricity, gruffness and a no-nonsense attitude with a passion for his profession and a sense of fun. One of my memories is of a couple of pints with him at his local, on a sunny late April day, 2007 – as it turned out, our last time together. He was in good form. Another was a lengthy (hands-free) ’phone conversation I had with him whilst I was driving. It was all about what was wrong with a certain institutional UK infosec body, and our discussion took me most of the way from Stratford-upon-Avon to the M4/M11 junction!! He was his usual self. He derived much amusement from our lunch and this paper.   RIP, Willy.