SBG (O&M) CERTIFIES TO ISO 27001:2005
INFORMATION SECURITY MANAGEMENT SYSTEM

Bureau Veritas Certification (BVC) auditors visited the offices of SBG (O&M) in August for the final audit before certification. After thoroughly reviewing all the elements of the Information Security Management System (ISMS) and its alignment with the clauses of the ISO 27001:2005 standard, BVC recommended SBG (O&M) for certification to ISO 27001:2005.

The certification was the outcome of two years of sustained effort by the ISMS committee and all the departments in the SBG (O&M) head office to establish, implement and monitor the ISMS.

All employees shared in the effort to understand, implement and operate the system established by the Management. Above all was the strong commitment of the Executive Management, without which the effort would have lacked the support and the resources it needed.

Certification to ISO 27001:2005 is not common around the world, and only four companies are certified in the Kingdom. SBG (O&M) becomes No. 5 in the Kingdom and No. 1 in the field of contracting.

In simple words, certification to ISO 27001:2005 means that SBG (O&M) has established, implemented and maintained an information security management system whereby the information assets of SBG (O&M) and its clients are handled so as to ensure the confidentiality, integrity and availability of information. Confidentiality means ensuring that information is accessible only to those authorized to have access. Integrity means safeguarding the accuracy and completeness of information and of the methods used to process it. Availability means ensuring that authorized users have access to information and associated assets when required.

The system was established by first defining the scope and boundaries of the ISMS in terms of the characteristics of the business. A general information security policy for SBG (O&M) was declared and approved by the Management. A risk assessment approach was chosen, and the criteria for accepting risk (the baseline) were defined by the Management. The risk assessment identified the risks to information assets, the threats to them, and the vulnerabilities that those threats might exploit.

Risks were analyzed and evaluated, and a risk treatment plan was then implemented to reduce each risk to the accepted level. Policies were written based on the control objectives selected in the following domains:

1. Security policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
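The risk assessment and treatment cycle described above (score each risk, compare it with the acceptance baseline set by the Management, apply controls from the domains listed, and re-check the residual risk) can be made concrete with a small risk register. The following is an added illustrative example, not SBG (O&M)'s own method or tooling; the assets, scores, baseline value and controls are constructed assumptions, and the simple likelihood × impact scoring is one common approach, not the one the standard prescribes.

```python
"""Toy ISO 27001-style risk register with treatment and residual-risk check.

Illustrative example added to this article; it is not SBG (O&M)'s method
or tooling. All assets, scores, controls and the baseline are constructed.
"""
from dataclasses import dataclass, field

# Acceptance baseline (assumption): a risk score of likelihood x impact,
# each on a 1..5 scale, at or below this value is accepted by Management.
ACCEPTABLE_RISK = 6

# A treatment is (control domain, control, likelihood cut, impact cut).
Treatment = tuple


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    treatments: list = field(default_factory=list)

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    def inherent(self) -> int:
        """Risk score before any treatment."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk score after applying every selected treatment; neither factor
        can drop below 1, so a risk is never 'eliminated', only reduced."""
        like, imp = self.likelihood, self.impact
        for _domain, _control, like_cut, imp_cut in self.treatments:
            like = max(1, like - like_cut)
            imp = max(1, imp - imp_cut)
        return like * imp


def evaluate(register, baseline=ACCEPTABLE_RISK):
    """Return (asset, threat, inherent, residual, decision) for each risk.

    decision: 'accept' if already within the baseline, 'treated' if the
    selected controls bring it within the baseline, else 'still above
    baseline' (the treatment plan must be strengthened or the risk
    formally accepted by Management as an exception)."""
    plan = []
    for r in register:
        inh, res = r.inherent(), r.residual()
        if inh <= baseline:
            decision = "accept"
        elif res <= baseline:
            decision = "treated"
        else:
            decision = "still above baseline"
        plan.append((r.asset, r.threat, inh, res, decision))
    return plan


def open_items(plan):
    """Assets whose risk remains above the baseline after treatment."""
    return [asset for asset, _, _, _, decision in plan if decision == "still above baseline"]


# Constructed sample register (assumption, not real SBG (O&M) data).
SAMPLE_REGISTER = [
    Risk("Client drawings (file server)", "unauthorized disclosure",
         "shared departmental login", likelihood=4, impact=4,
         treatments=[("Access Control", "unique accounts and role-based permissions", 2, 0),
                     ("Human Resources Security", "security awareness training", 1, 0)]),
    Risk("Payroll database", "fire in server room", "no off-site backup",
         likelihood=2, impact=5,
         treatments=[("Business Continuity Management", "tested off-site backups", 0, 3)]),
    Risk("Public website", "defacement", "CMS patched monthly",
         likelihood=3, impact=2),
    Risk("Site laptops", "theft", "no full-disk encryption",
         likelihood=3, impact=4,
         treatments=[("Physical and Environmental Security", "cable locks in site offices", 1, 0)]),
]


if __name__ == "__main__":
    for asset, threat, inh, res, decision in evaluate(SAMPLE_REGISTER):
        print(f"{asset:32} {threat:26} inherent={inh:2} residual={res:2}  {decision}")
    print("open items:", open_items(evaluate(SAMPLE_REGISTER)))
```

The point the example makes is the last step of the cycle: a treatment plan is only complete when the residual risk, not the inherent one, is re-evaluated against the baseline. In the constructed register the laptop-theft risk stays above the baseline after the selected control, so it either needs a stronger treatment (for example encryption, from the Communications and Operations Management or Access Control domains) or a documented acceptance by the Management.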

Nowadays, information has a critical impact on all the business decisions of a company, and the availability of accurate information can lead to the success and improvement of the business.