Microsoft Global Foundation Services watches its assets
08 Aug 2008
Topics: Information security, ISO/IEC 27001, USA
Microsoft Global Foundation Services (GFS) has achieved certification to ISO/IEC 27001:2005, the information security standard - the first major online service provider to do so.
The standard identifies, manages and helps minimize the range of threats to which information is regularly subjected - from customer data to credit card fraud, from intellectual property to ongoing R&D. ISO/IEC 27001:2005 provides a framework for protecting confidential and sensitive corporate and personal information within an organization.
Microsoft takes the protection of their information assets seriously and has chosen to measure their ongoing information security program against the standard's rigorous requirements to ensure that their information security is properly managed and maintained.
"Microsoft Global Foundation Services has been able to extend the Microsoft Trustworthy Computing concepts from packaged software to protecting online services at global scale," says Charlie McNerney, chief information security officer of Microsoft Global Foundation Services. "This certification provides external validation that our approach to managing security risk in a global organization is comprehensive and effective, which is important for our business and consumer customers."
Certification to the standard reinforces to customers, through an independent third party, that Microsoft operates an Information Security Management System (ISMS) in accordance with the International Organization for Standardization (ISO).
As part of the ISO/IEC 27001:2005 process, BSI performed on-site assessments, examined GFS's documented procedures and audited its overall operations. To determine continued compliance with ISO/IEC 27001:2005, BSI will periodically conduct routine surveillance audits of GFS's business operations.
Says Mark Plesnicher, a senior security compliance manager at Microsoft: "For a company of our size and complexity, auditing our information security program was quite a challenge. The BSI team worked diligently to plan and execute an assessment process that spanned multiple sites and involved many different teams."
"As the first major online service provider to earn ISO/IEC 27001:2005 certification, Microsoft is further demonstrating a commitment to making its company more secure and securing the information of its customers," adds Todd VanderVen, president of BSI Management Systems. "By formalizing their documentation and processes and using ISO/IEC 27001:2005, Microsoft will be able to improve quality as well as security and continue to raise the bar for the industry, as they have done so well over the years.
"The GFS team is committed and uses well organized processes - ISO/IEC 27001:2005 certification can only serve to improve an already industry-leading business that is itself considered a 'standard' that many strive to achieve."
Business Standards © 2008. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.
BSI Management Systems has been awarded global ISO/IEC 17021 accreditation by the United Kingdom Accreditation Service and the ANSI-ASQ National Accreditation Board in the US.
Business continuity comes to ICT
When BSI published PAS 77 IT Service continuity management. Code of practice in 2006, it sparked such interest that it set the stage for a new British Standard. The result is BS 25777 Code of practice for information and communications technology continuity, which has been published as a draft for public comment and is targeted for publication before the end of the year.
In May 2008, BSI British Standards was presented with the Continuity Insurance & Risk (CIR) Award for Industry Advancement for its work in developing BS 25999, in recognition of the outstanding contribution made by BSI to the world of Business Continuity Management. CIR is the UK's leading bi-monthly risk management and insurance journal. This ceremony marked the tenth anniversary of the awards, which recognize excellence in business continuity and operational risk management.
BSI British Standards has launched its online Draft Review system for national Drafts for Public Comment (DPCs).
With over 30,000 commercial fires handled by the fire service in the UK every year, the demand for a more fire-safety conscious approach to commercial buildings has been high for years.
Question: Why is risk management important to business?
First, there's more to risk management than just managing risk. Most organizations will talk about risk assessments, but the question is: what are they assessing? If you don't know what the threats are, then how can you conduct an effective risk assessment?