ISO/IEC 27001 Information Security Management Systems - FAQ

What is ISO/IEC 27001?          

Most organizations have a number of information security controls. The security controls in operation typically address certain aspects of IT or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected on the whole. Business continuity planning and physical security, for example, may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems. It is intended to provide the foundation for third party audit, and is 'harmonized' with other management standards, such as ISO 9001 and ISO 14001. Today in excess of a thousand certificates are in place, across the world.

The basic objective of the standard is to help establish, implement, operate, and maintain an effective information security management system, using a continual improvement approach.

Information security can be characterized as the preservation of:

· Confidentiality - ensuring that access to information is appropriately authorized

· Integrity - safeguarding the accuracy and completeness of information and processing methods

· Availability - ensuring that authorized users have access to information when they need it.

ISO 27001 contains a number of control objectives and controls. These include:

· Security policy

· Organizational security

· Asset classification and control

· Personnel security

· Physical and environmental security

· Communications and operations management

· Access control

· System development and maintenance

· Business continuity management

· Compliance

The adoption of your ISMS should be a strategic decision. Additionally, the design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed, and the size and structure of the organization.

The standard requires the use of the 'process approach', defined as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA (Plan-Do-Check-Act) model to structure the processes.

The ISO 27001:2005 standard is intended to be all-encompassing. It takes a very broad approach to information security. In the context of this standard, the term information includes all forms of data, documents, communications, conversations, messages, recordings, and photographs. It includes everything from digital data and email to faxes and telephone conversations. It includes all forms of information.

 

ISO/IEC 27000 Family Of Standards

The ISMS family of standards is intended to assist organizations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology — Security techniques:

· ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary

· ISO/IEC 27001:2005, Information security management systems — Requirements standard for the establishment, implementation, control and improvement of the Information Security Management System (based on British Standard BS 7799 Part 2)

· ISO/IEC 27002:2005, code of practice providing good practice advice on ISMS (previously known as ISO 17799, itself based on British Standard BS 7799 Part 1)

· ISO/IEC 27003, Information security management system — offers guidance for the implementation of an ISMS

· ISO/IEC 27004, Information security management — Measurement and metrics

· ISO/IEC 27005:2008, Information security risk management — designed to assist the satisfactory implementation of information security based on a risk management approach

· ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems

· ISO/IEC 27007, Guidelines for information security management systems auditing

· ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

 

Who Does The ISO/IEC 27001 Standard Apply To?

ISO/IEC 27001 is suitable for any organization, large or small, in any sector or part of the world. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors.

ISO/IEC 27001 is also highly effective for organizations which manage information on behalf of others, such as IT outsourcing companies: it can be used to assure customers that their information is being protected.

The two key reasons for the growing interest in certification to ISO 27001 are the proliferation of threats to information and the growing range of regulatory and statutory requirements that relate to information protection.

Information security threats are global in nature, and indiscriminately target every organization and individual who owns or uses (primarily) electronic information. These threats are automated and loose on the internet. In addition, data is exposed to many other dangers, from acts of nature, through external attack to internal corruption and theft.

There has also been an increasing emergence of legal and regulatory requirements around information and data security, some aimed at ensuring that individual data is protected and some aimed at ensuring that corporate financial, operational and risk management systems are appropriately underpinned. 

With so many security risks in today’s world, it has become increasingly important to continuously improve information security protection efforts. Information security breaches and regulatory noncompliance issues expose organizations to significant increases in tangible and intangible costs, including large fines and charges, loss of customer confidence, damage to corporate reputation, regulatory scrutiny, loss of market share, criminal and civil lawsuits, and can expose consumers to potential identity theft and credit card fraud. Return on investment can now mean reduced risk of imprisonment, reduced risk of investigation, return on insurance, and reduction of incidents.

How Does An Organization Benefit From Implementing ISO/IEC 27001?

The benefits of standardization and of implementation of the ISO 27001 series are wide and varied. Although specific benefits may vary between organizations, the most common benefits are that it:

· Provides a valuable framework for resolving security issues

· Enhances client confidence in and perception of your organization

· Enhances business partners' confidence in and perception of your organization

· Provides confidence that you have managed risk in your own security implementation

· Enhances security awareness within an organization

· Assists in the development of best practice

· Can often be a deciding differentiator between competing organizations

· Can lead to cost savings. Even a single information security breach can involve significant costs

· Establishes that relevant laws and regulations are being met

· Ensures that a commitment to Information Security exists at all levels throughout an organization

 

Other benefits may include:

· Interoperability - This is a general benefit of standardization. The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.

· Assurance - Management can be assured of the quality of a system, business unit, or other entity, if a recognized framework or approach is followed.

· Due Diligence - Compliance with, or certification against, an international standard is often used by management to demonstrate due diligence.

· Benchmarking - Organizations often use a standard as a measure of their status within their peer community. It can be used as a benchmark for current position and progress.

· Awareness - Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.

· Alignment - Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater IT and Business alignment often results.

Can The ISO 27001 Standard Be Integrated With Other Management Systems?

There is an increasing trend for organizations to combine all their management systems into one integrated system. ISO 27001 has been produced to harmonize with other standards and specifications such as ISO 9001 (Quality), ISO 14001 (Environmental) and OHSAS 18001 (Health & Safety).

By reducing duplication and providing a centralized document control system, integrated systems not only help organizations internally, but may also offer cost benefits for the third-party certification audit.

What Is the Process To Get Certified To ISO/IEC 27001?

The certification process is very similar to that of ISO 9001 or ISO 14001.

Key steps in the certification process include:

  • Definition of certification scope
  • Pre-audit (optional): gap analysis and diagnosis of your current position against the standard
  • Certification audit performed in 2 stages:
      • Stage 1 – readiness review performed to verify that the organization is ready for certification.
      • Stage 2 – evaluation of implementation, including the effectiveness, of the management system of the organization.
  • A certificate valid for 3 years is issued upon satisfactory results of the stage 2 audit.
  • Surveillance audits to verify that the management system continues to fulfill the requirements of the standard and to monitor the continual improvement of the ISMS.
  • Re-certification after 3 years to confirm the continued conformance and effectiveness of the management system as a whole.

If the assessor identifies any major non-conformance, the organization cannot be certified until corrective action is taken and verified.

What Are The Requirements Of ISO/IEC 27001?

ISO/IEC 27001:2005 has the following sections:

0  Introduction  - the standard uses a process approach.

1  Scope  - it specifies generic ISMS requirements suitable for organizations of any type, size or nature.

2  Normative references  - only ISO/IEC 27002:2005 is considered absolutely essential to the use of ISO/IEC 27001.

3  Terms and definitions  - a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.

4  Information security management system  - the 'guts' of the standard, based on the Plan-Do-Check-Act cycle where Plan = define requirements, assess risks, decide which controls are applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS; Act = maintain and continuously improve the ISMS. It also specifies certain documents that are required and must be controlled, and states that records must be generated and controlled to prove the operation of the ISMS (e.g. for certification audit purposes).

5  Management responsibility  - management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.

6  Internal ISMS audits  - the organization must conduct periodic internal audits to ensure the ISMS incorporates adequate controls which operate effectively.

7  Management review of the ISMS  - management must review the suitability, adequacy and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes.

8  ISMS improvements  - the organization must continually improve the ISMS by assessing and where necessary making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible preventing recurrent issues.

Annex A  - Control objectives and controls - little more, in fact, than a list of titles of the control sections in ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2).

Annex B  - OECD principles and this International Standard - a table briefly showing which parts of this standard satisfy 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks.

Annex C  - Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard - the standard shares the same basic structure as other management systems standards, meaning that an organization which implements any one should be familiar with concepts such as PDCA, records and audits.

If you are interested in taking formal training in ISO/IEC 27001 and related standards, call me at 905-593-8867 or email me at artjlewis@rogers  to get details of the scheduled dates, locations and cost for the best recognized training course providers. Another option would be to contact some of the training providers advertised on this page.

Other Useful Training Resources:

"Understanding ISO 9001" provides a detailed explanation of each ISO 9001 clause (requirements).

ISO 9001 FAQ provides answers to commonly asked questions about the ISO 9000 family of quality management standards.