The introduction to ISO 27002:2005 includes this statement: “This International
Question
The introduction to ISO 27002:2005 includes this statement: “This International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required.” Explain how this statement relates to the concept of strategic alignment.
Explanation / Answer
Answer:
=> Information security is not an end unto itself.
=> Information security is a business discipline that exists to support business objectives, add value, and maintain compliance with externally imposed requirements. This type of relationship is known as strategic alignment.
=> Organizational commitment to information security practices should be codified in a written policy. The information security policy is an authoritative document that informs decision making and practices.
=> As such, it should be authorized by the Board of Directors or equivalent body. Derivative documents for specific audiences should be published and distributed.
=> This includes an Acceptable Use Policy and Agreement for users, a third-party version for vendors and service providers, and a synopsis for business partners and clients.
=> An information security audit is a systematic evidence-based evaluation of how well the organization conforms to established criteria.
=> A capability maturity model (CMM) assessment is an evaluation of process maturity for a given area. In contrast to an audit, the application of a CMM is generally an internal process. Audits and maturity models are good indicators of policy acceptance and integration.