PCI
retains its certification status and achieves ISO 27001 certification.
PCI was first successfully audited against BS 7799
for Information Security Management and the EU eSignatures Directive
in 2003 by Certification Europe. PCI has since undergone surveillance
audits twice a year against these standards and a full audit every
three years for re-certification. The scope of the audit covers
all aspects of the company's operations that are involved in the
management and delivery of its Internet Hosting, Post.Trust and
Postbank operations.
Following a full Information Security audit conducted
over the 5th, 6th and 7th of September, 2007 by Certification Europe,
PCI has been successfully re-certified to ISO 27001 (transitioned
from BS 7799) and the EU eSignatures Directive 1999/93/EC. The ISO
27001 standard has enhanced the content of BS 7799 and harmonises
it with other international standards such as ISO 9001:2000 (Quality)
and ISO 20000-1 (Service Management).
The on-site audit, conducted over three days, involved two auditors
from Certification Europe. The audit process is extremely thorough,
involving interviews with PCI management and staff. PCI has maintained
certification based on the 'Plan, Do, Check, Act' (PDCA) model, which
is fundamental to applying ISO 27001. This certification embodies
significant controls relating to Operations, Product, Service and
Supplier. In total, the company was evaluated against 11 separate
security control categories with more than 100 sub-category
controls. An overview of the control categories and their objectives is listed below:
- Security Policy
To provide management direction and support for information security
in accordance with business requirements and relevant laws and
regulations.
- Organizing Information Security
To manage information security within the organization.
- Asset Management
To achieve and maintain appropriate protection of organizational
assets.
- Human Resources Security
To ensure that employees, contractors and third party users understand
their responsibilities, and are suitable for the roles they are
considered for, and to reduce the risk of theft, fraud or misuse
of facilities.
- Physical and Environmental Security
To prevent unauthorized physical access, damage, and interference
to the organization’s premises and information.
- Communications and Operations Management
To ensure the correct and secure operation of information processing
facilities.
- Access Control
To control access to information.
- Information Systems Acquisition, Development and Maintenance
To ensure that security is an integral part of information systems.
- Information Security Incident Management
To ensure information security events and weaknesses associated
with information systems are communicated in a manner allowing
timely corrective action to be taken.
- Business Continuity Management
To counteract interruptions to business activities and to protect
critical business processes from the effects of major failures
of information systems or disasters and to ensure their timely
resumption.
- Compliance
To avoid breaches of any law, statutory, regulatory or contractual
obligations, and of any security requirements.
These standards are recognised worldwide and are designed to measure
an organisation’s ability to protect the information assets
of itself and its customers against loss, damage or misuse. This
could result from any one of a number of different events including
malicious attack, unauthorised physical or electronic access, fraud,
human or system error, or even environmental disaster such as fire,
explosion or flooding.
Any organisation that holds information of a confidential or sensitive
nature, in either hard copy or electronic form, must consider the
controls required to ensure the security of that information. This
obligation arises from risk management, legislative compliance,
regulatory demands and good business practice. External organisations
can rely on PCI's independently audited procedures and documentation
as evidence that it meets these standards.