Take-up of ISO certification continues
OMAN Refinery Company (ORC) has become the latest organisation in the region to be certified with the ISO27001 security standard in a bid to better protect information held on its IT systems.
Security services provider Paladion Networks, which enabled ORC to become ISO27001 compliant in partnership with Khimji Ramdas Computer & Communication Systems (KRCCS), claimed the Omani firm is the first oil refinery in the world to achieve the standard, which is designed to secure data held on IT systems.
As reported last month (See IT Weekly 14 - 20 October 2006), an increasing number of companies in the region have adopted the standard, including Dubai Aluminium Company (Dubal), Saudi Binladin Group and Mobile Telecommunications Company (MTC) in Bahrain.
ISO 27001 requires companies to meet standards in a number of categories, which fall into three broad areas — confidentiality, integrity and availability.
It replaced BS7799 this year as the only certifiable security governance standard and allows companies to comply with regulations such as the US’s Sarbanes-Oxley laws and the UK’s Data Protection Act.
Amour Nasser Al-Muharzy, manager of corporate information and communication for ORC, said: “Compliance to the ISO 27001:2005 standard has ensured that applicable security controls have been implemented to counter various threats to the critical information of ORC and has improved the preparedness of the staff towards handling any security incidents.”
To prepare ORC for certification, Paladion and KRCCS carried out a risk assessment of the firm’s security policies, then implemented an information security management system (ISMS) that would comply with the ISO27001 standard. According to Rohit Kumar, Middle East business head for Paladion Networks, the risk assessment did reveal some areas of vulnerability in ORC’s existing information systems.
“There were some weaknesses that were found and there were controls which could have been more effective. Risks were discovered across various areas and a number of risks were reported,” revealed Kumar.
“The risks were discovered across the areas of business processes, in the IT controls, in the applications, on the system side,” he said, adding that it was important for ORC to ensure that sensitive data held on its IT systems is protected.