ISO 27001

Service Oriented Architecture (SOA) Design Checklist

- Are the service interfaces using message formats from the canonical model?

- Have initial service contracts been defined between all known service consumers?

- Has the project established service contracts with services being provided by other teams, third-party packages, or external providers?

- Do the service contracts include release schedules for milestone builds that are synchronized with the schedule for service consumer development?

- Have service types been identified for all services, and appropriate service implementation platforms chosen based on those types?

Information Security Assessment Methodology


1. Planning
Critical to a successful security assessment, the planning phase is used to gather information needed for assessment execution—such as the assets to be assessed, the threats of interest against the assets, and the security controls to be used to mitigate those threats—and to develop the assessment approach. A security assessment should be treated as any other project, with a project management plan to address goals and objectives, scope, requirements, team roles and responsibilities, limitations, success factors, assumptions, resources, timeline, and deliverables.

2. Execution
Primary goals for the execution phase are to identify vulnerabilities and validate them when appropriate. This phase should address activities associated with the intended assessment method and technique. Although specific activities for this phase differ by assessment type, upon completion of this phase assessors will have identified system, network, and organizational process vulnerabilities.

Comparison of IT Risk Assessment and Information Security

International Standards Organization (ISO) 17799/27001:
International standard for testing the effectiveness of most security systems

Control Objectives for Information Technology (COBIT):
http://www.isaca.org/cobit.htm
Developed by IT auditors and made available through the Information Systems Audit and Control Association (ISACA). COBIT provides a framework for assessing a security program, developing a performance baseline, and measuring performance over time.

SysTrust:
http://www.aicpa.org/assurance/systrust/index.htm
Developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Public Accountants. SysTrust provides a framework for evaluating controls for information systems assurance.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE):
http://www.cert.org/octave
Developed by the Computer Emergency Response Team at Carnegie Mellon University. OCTAVE provides measures based on accepted best practices for evaluating security programs.

ISO 27001 Data Security Classification Management Templates free download

These templates classify data for security management by its level of importance to the organization, such as:
1. Not Important to operations
2. Important for productivity
3. Business important information
4. Business vital information

ISO 27001 IT Security Service Level Agreement (SLA) Objectives

1. Defining Roles and Accountability
It is important that both parties to an SLA understand the respective roles and responsibilities defined in the agreement. A number of industry factors have made establishing roles, responsibilities, and performance (and financial) accountability increasingly difficult on both the network and services side of the SLA equation.

2. Managing Expectations
In general, executing an SLA contractually sets the customer’s expectations regarding a product’s delivery. Once defined, agreed to, and executed, the terms and conditions that make up the bulk of the SLA contract become the customer’s entitlements with respect to the product. This guarantee enables the customer to plan and operate his or her business with a reasonable level of confidence in the availability, performance, or timeframe of a contracted product or service.

3. Controlling Implementation and Execution
