BrightLine is excited to celebrate 11 years. We would not be where we are without our dedicated employees and loyal clients. Thank you!
Part 1: Scoping and the approach of implementing the ISMS
Organizations currently implementing or planning to implement a management system based on ISO 27001 will have a tough decision to make in the near future: should management implement the information security management system (ISMS) based on ISO 27001:2005, or should ISMS implementation be delayed until the issuance of the new standard, ISO 27001:2013? The choice between the two ISO 27001 versions will have major implications for how your organization approaches and designs its ISMS.
Organizations currently certified should not expect much difficulty in transitioning from the 2005 version to the 2013 version. Organizations that are not currently certified will be impacted by the revised 27001 standard, which is expected to be released later in 2013.
The draft version of the updated 27001 standard was recently released for review. The format of the draft was redesigned to better align with other ISO standards, such as ISO 9001 and ISO 20000. Moreover, the draft received slight modifications in both the management system requirements and the controls included in Annex A. These modifications better address software-based infrastructures (such as cloud computing) that have predominantly emerged within the last few years.
The intent and focus of the standard haven’t changed in the 27001:2013 draft. The standard remains focused on information security and an organization’s approach to designing, planning, implementing, and monitoring a management system to effectively manage information security risk. However, the foundation for designing and planning the management system has shifted to better align with the practical realities of today’s organizational environment. This will come as a positive shift for many organizations, as scope definition moves away from the risk-assessment approach that organizations have historically struggled with during the implementation of their management system.
Scoping Your Information Security Management System Under ISO 27001:2013
By adopting the draft version of the standard, organizations will now have the ability to base the scope of their ISMS on the issues and objectives most meaningful to the organization’s risk environment. The draft version takes into consideration the dependencies between the organization and third parties. This is a critical component for organizations that have third party relationships (specifically data centers) that provide a key system or service to the organization. Likewise, an organization adopting the draft version can be expected to have a greater acceptance and understanding of scope limitations pertaining to third party relationships and dependencies.
See below for a comparison of the 2005 and 2013 versions of the standard:
| 27001:2005 Establishing the ISMS | ISO 27001:2013 Context of the Organization |
|---|---|
| Define the scope and boundaries of the ISMS in terms of the following: | Determine external and internal issues that are relevant to its purpose and that affect the ability to achieve the intended outcome of its ISMS. |
| | Determine interested parties that are relevant to the ISMS and their requirements relevant to information security. |
| | Determine the boundaries and applicability of the ISMS to establish its scope and consider the following: |
The draft version’s approach to defining the scope provides more directed guidance regarding the necessary considerations, which should ultimately produce a more grounded scope. This could lead to a better defined implementation process for the foundations of the ISMS. Organizations in the process of planning their ISMS, or those that expect to undertake the project during the latter part of the year, may have the opportunity to reassess their approach to implementation should difficulties arise in defining the scope or should scope creep occur.
What to Do Today?
Organizations currently in the process of implementing an ISMS using the 27001:2005 standard may find it in their best interest to obtain and review the draft 27001:2013 standard so that the appropriate decision for the organization can be made. In addition, please do not hesitate to contact BrightLine to schedule a call to discuss the ISO 27001 certification process and upcoming changes. We are happy to provide your organization with a free consultation.
Via Business Wire
PCI – DSS in the Cloud: Practical Guide for Cloud Computing Security and Compliance
Tampa, FL – BrightLine CPAs & Associates Principal, Doug Barbin, will be part of a two-hour live webcast on Thursday, April 4, 2013 from 12:00-2:00pm EST. The live webcast will discuss the importance of Payment Card Industry Data Security Standard (PCI-DSS) compliance. While the PCI-DSS remains a challenge for many organizations, PCI-DSS compliance in a cloud computing environment can be even more daunting. It is therefore vital for financial institutions, merchants, and service providers to be informed of the latest and most significant issues with respect to PCI-DSS to help ensure cloud computing security and compliance within the organization, while at the same time minimizing the risk of potential pitfalls.
Barbin will be part of a key panel of experts discussing the fundamentals of PCI-DSS, cloud provider responsibilities, virtualization infrastructure, audits and assessments, strategic initiatives, and legal and regulatory issues. Unlike some events that often feature technology or service providers, Barbin will be the only QSA on the panel, alongside attorneys who specialize in cloud service agreements and breach litigation.
BrightLine is offering complimentary passes to this event to its clients and prospective clients. If you would like to claim CLE/CPE hours, a nominal fee of $49 is charged. Interested parties who would like to listen to the live webcast can click here to register.
BrightLine CPAs & Associates is a leading provider of attestation and compliance services. BrightLine is the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body and a FedRAMP 3PAO. Renowned for expertise tempered by practical experience, BrightLine’s professionals provide superior client service balanced by steadfast independence. BrightLine’s approach builds successful, long-term relationships and allows clients to achieve multiple compliance objectives using a single third party assessor.
Via Business Wire
BrightLine becomes the first US-based company accredited by the WLA as an approved Certification Service Entity (CSE)
TAMPA, FLORIDA – BrightLine CPAs & Associates is pleased to announce its approval by the World Lottery Association’s Security and Risk Management Committee (SRMC) to certify compliance with the WLA’s Security Control Standards. BrightLine is the first US-based company accredited by the WLA as an approved Certification Service Entity (CSE) and is now the only CSE in the world that is also a licensed CPA firm, a Payment Card Industry Qualified Security Assessor (PCI QSA) company, an ISO 27001 certification body, and a FedRAMP 3PAO.
The WLA Security Control Standards help provide confidence in a lottery operation. To retain the confidence of players and other stakeholders, lottery organizations need to develop and maintain a visible and documented security environment. The WLA Security Control Standard incorporates baseline requirements and controls within the organization’s overall security and risk management process, and avoids overlaps with more general security certifications. It provides lottery security professionals with a process to formally manage, update, and continuously improve the organization’s security controls.
“BrightLine is well known for performing SSAE 16 examination services, formerly known as SAS 70 audits, to many of the state lotteries,” stated Jason Rhoades, Practice Leader for BrightLine’s WLA SCS certification services. “As a Certification Service Entity, BrightLine provides WLA members with the unique opportunity to obtain both SOC examination services and WLA SCS certification through a single provider.”
Inquiries regarding BrightLine’s WLA SCS certification services can be made by calling 1-866-254-0000 or by submitting a request for a professional consultation here.
BrightLine CPAs & Associates, Inc. is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, a FedRAMP 3PAO, and a SRMC Certification Service Entity. Renowned for expertise tempered by practical experience, BrightLine’s professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives using a single third party assessor.
BrightLine becomes first CPA firm and ISO 27001 certification body accredited as 3PAO
Via Business Wire
July 27, 2012 – Tampa, FL – BrightLine CPAs & Associates, Inc. is pleased to announce that it is one of the initial companies chosen as a Third Party Assessment Organization (3PAO) accredited to perform authorization assessments for the Federal Risk and Authorization Management Program (“FedRAMP”). Out of thousands of CPA firms, BrightLine is the first and only CPA firm selected as a 3PAO. In fact, with this certification, BrightLine is the only company in the world that is a licensed CPA firm, a Payment Card Industry Qualified Security Assessor (PCI QSA) company, an ISO 27001 certification body and a FedRAMP 3PAO.
FedRAMP is a new government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant agency security assessments. As a part of the FedRAMP process, cloud service providers (CSPs) must hire a 3PAO to perform an initial system assessment and ongoing monitoring of controls to independently validate and verify that they meet the FedRAMP requirements.
“Our company already provides service organization controls (SOC) examination, PCI validation and ISO 27001 certification services to many CSPs that are affected by FedRAMP,” stated Doug Barbin, Principal and FedRAMP Practice Leader of BrightLine. “Becoming a 3PAO was a critical component of extending BrightLine’s reputation for being the only company in the marketplace that allows service providers to obtain all of these related assessment services through a single vendor.”
With the 3PAO accreditation, BrightLine can provide CSPs with the validation of internal security controls that is mandatory for any cloud service provider serving federal agencies. The validation also helps demonstrate the independence and proficiency needed to create a trusted relationship between agencies and the CSPs that host critical data.
Since the demands for FedRAMP services are significant, many CSPs have already commenced with the pre-assessment process. Due to the complexity of the program and the comprehensive nature of the underlying National Institute of Standards and Technology (NIST) standards, CSPs are strongly encouraged to begin the FedRAMP validation process immediately.
Inquiries for FedRAMP services can be made with BrightLine at 1-866-254-0000 or by submitting a request for a professional consultation here. Further information on BrightLine’s FedRAMP service offerings can be found at www.brightline.com/FedRAMP.
BrightLine CPAs & Associates, Inc. is a global provider of assurance and compliance services. As the only company in the world fully accredited to provide a suite of services that includes SSAE 16 (SOC 1) examinations, SOC 2 examinations, SOC 3 examinations, PCI DSS compliance validation, ISO 27001 certification, and now FedRAMP authorization, BrightLine offers clients the unique opportunity to achieve multiple compliance objectives through a single third party assessor. For further information, please visit www.brightline.com.
TAMPA, Fla.–(BUSINESS WIRE)–BrightLine CPAs & Associates, Inc. (BrightLine) is pleased to announce that Avani Desai has joined as the firm’s first Chief Marketing and Communications Officer. Ms. Desai joins BrightLine after spending ten years in a variety of key leadership positions at KPMG.
Ms. Desai was previously head of KPMG’s technology attestation practice for Florida. She also worked at the national office to oversee methodology, marketing, and communication activities across technology attestation service lines. In addition, Ms. Desai oversaw the development of KPMG’s internal and external privacy program and related practices, leveraging her experience with healthcare (HIPAA), privacy, and emerging technologies such as cloud computing and virtualization.
Some of Ms. Desai’s accomplishments include the following:
“Avani’s career is a story of remarkable achievement,” stated Chris Schellman, President of BrightLine. “Avani will make a substantial contribution to the visibility of BrightLine as she assumes leadership responsibilities for communicating our value proposition to the marketplace.”
As Chief Marketing & Communications Officer, Ms. Desai is responsible for BrightLine’s marketing and communications activities, including strategic client and market development, industry analysis, media relations, brand management and advertising. For further information, please visit www.brightline.com.
BrightLine CPAs & Associates, Inc. is a global provider of assurance and compliance services. As the only company in the world fully accredited to provide a suite of services that includes SSAE 16 (SOC 1) examinations, SOC 2 Examinations, PCI DSS compliance validation, ISO 27001 certification, and other compliance assessments for the federal and health care industries, BrightLine offers clients the unique opportunity to achieve multiple compliance objectives through a single third party assessor.