ISIZA to establish ratification advisory board

By IT Public Relations
Johannesburg, 01 Dec 2000

The Information Security Institute of South Africa (ISIZA) is to establish an advisory board to assist it in the ratification of its certification levels and procedures.

"We are well aware that compliance with the well-known British Code of Practice (COP) on Information Security Management Systems, BS 7799, soon to be SABS (South African Bureau of Standards) 7799, may be 'a bridge too far' for many companies, and may even be inappropriate," says ISIZA head Piet Opperman. "To this end, we are working hard with leading experts in practice and academia to devise a grading system that will allow organisations to show commitment and attain an appropriate level of certification."

The structures ISIZA has evolved, Opperman continues, must be ratified by practitioners and the user community in general, hence the need for an advisory board.

"Because Information Security is dynamic, and what is acceptable today may not be acceptable tomorrow, the advisory board will be a permanent structure that will continually review the criteria and procedures we have put in place," he says. "Private sector companies, government representatives and any other interested bodies are welcome to volunteer to serve on the board, which will comprise between eight and 12 members."

Established earlier this year, ISIZA is geared to providing information security certification to organisations that comply with the COP for South African information security management systems.

Organisations wishing to be ISIZA-certified will be required to undergo an audit by an independent accredited auditor to determine to what extent they comply with BS 7799. An appropriate certification grading (similar to the National Occupational Safety Association star grading system) will then be issued, which, says Opperman, is dependent, amongst other things, on the number of qualified and skilled information security professionals the organisation has in its employ.

He stresses that it is in a company's best interests to certify its information security procedures. "Certification will not only enhance customers' faith in the company, but should the company be involved in a lawsuit, its certification serves as proof of its commitment to security," he says. "Furthermore, companies that participate in e-commerce can request certification from their e-commerce partners who have access to their network. In this way, critical company information will not be compromised."

"South African companies that neglect information security will soon find themselves stonewalled in the new economy. Companies that do not have a security policy, or do not enforce it, will eventually be labeled as being vulnerable to information attacks. Eventually, their customers will start to question their security capabilities and they could begin to lose business," Opperman concludes.

ISIZA

South Africa's own information security authority, ISIZA (Information Security Institute of South Africa), has been established. Under the leadership of renowned information security experts Piet Opperman and Professor Basie von Solms, ISIZA is geared to providing information security certification to organisations that comply with the Code of Practice (COP) for South African information security management systems.

The South African COP is currently under development by a sub-committee of the South African Bureau of Standards (SABS), and until it has been finalised, ISIZA will base its certification procedure on the internationally recognised British Standard Institute's BS 7799 COP.