ISO/IEC 27001 Information Security Management Systems - FAQ
What is ISO/IEC 27001?
Most organizations have a number of information security controls. The security controls in operation typically
address specific aspects of IT or data security, leaving non-IT information assets (such as paperwork
and proprietary knowledge) less well protected on the whole. Business continuity planning and physical security,
for example, may be managed quite independently of IT or information security, while Human Resources practices may
make little reference to the need to define and assign information security roles and responsibilities throughout
the organization.
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit
management control. Being a formal specification means that it mandates specific requirements. Organizations that
claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the
standard.
The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the
specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard,
first published in the nineties as a code of practice. As this matured, a second part emerged to cover management
systems. It is intended to provide the foundation for third-party audit, and is 'harmonized' with other management
standards, such as ISO 9001 and ISO 14001. Today, in excess of a thousand certificates are in place across the
world.
The basic objective of the standard is to help establish, implement, operate, and maintain an effective information
security management system, using a continual improvement approach.
Information security can be characterized as the preservation of:
· Confidentiality - ensuring that access to information is appropriately authorized
· Integrity - safeguarding the accuracy and completeness of information and processing methods
· Availability - ensuring that authorized users have access to information when they need it.
ISO 27001 contains a number of control objectives and controls. These include:
· Security policy
· Organizational security
· Asset classification and control
· Personnel security
· Physical and environmental security
· Communications and operations management
· Access control
· System development and maintenance
· Business continuity management
· Compliance
The adoption of your ISMS should be a strategic decision. Additionally, the design and implementation of an
organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed, and the
size and structure of the organization.
The standard requires the use of the 'process approach', defined as "The application of a system of processes within an
organization, together with the identification and interactions of these processes, and their management". It
employs the PDCA (Plan-Do-Check-Act) model to structure the processes.
The ISO 27001:2005 standard is intended to be all-encompassing. It takes a very broad approach to information
security. In the context of this standard, the term information includes all forms of data, documents,
communications, conversations, messages, recordings, and photographs. It includes everything from digital data and
email to faxes and telephone conversations.
ISO/IEC 27000 Family Of Standards
The ISMS family of standards is intended to assist organizations of all types and sizes to implement and operate an
ISMS. The ISMS family of standards consists of the following International Standards, under the general title
Information technology — Security techniques:
ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
ISO/IEC 27001:2005, Information security management systems — Requirements: the requirements standard for the
establishment, implementation, control and improvement of the Information Security Management System (based on
British Standard BS 7799 Part 2)
ISO/IEC 27002:2005, Code of practice providing good practice advice on ISMS (previously known as ISO 17799, itself
based on British Standard BS 7799 Part 1)
ISO/IEC 27003, Information security management system implementation guidance: offers guidance for the
implementation of an ISMS
ISO/IEC 27004, Information security management — Measurement and metrics
ISO/IEC 27005:2008, Information security risk management: designed to assist the satisfactory implementation of
information security based on a risk management approach
ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management
systems
ISO/IEC 27007, Guidelines for information security management systems auditing
ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC
27002
Who Does The ISO/IEC 27001 Standard Apply To?
ISO/IEC 27001 is suitable for any organization, large or small, in any sector or part of the world. The standard is
particularly suitable where the protection of information is critical, such as in the finance, health, public and
IT sectors.
ISO/IEC 27001 is also highly effective for organizations which manage information on behalf of others, such as IT
outsourcing companies: it can be used to assure customers that their information is being protected.
The two key reasons for the growing interest in certification to ISO 27001 are the proliferation of threats to
information and the growing range of regulatory and statutory requirements that relate to information
protection.
Information security threats are global in nature, and indiscriminately target every organization and individual
who owns or uses (primarily) electronic information. These threats are automated and loose on the internet. In
addition, data is exposed to many other dangers, from acts of nature, through external attack, to internal
corruption and theft.
There has also been an increasing emergence of legal and regulatory requirements around information and data
security, some aimed at ensuring that individual data is protected and some aimed at ensuring that corporate
financial, operational and risk management systems are appropriately underpinned.
With so many security risks in today's world, it has become increasingly important to continuously improve
information security protection efforts. Information security breaches and regulatory noncompliance issues expose
organizations to significant increases in tangible and intangible costs, including large fines and charges, loss of
customer confidence, damage to corporate reputation, regulatory scrutiny, loss of market share, and criminal and
civil lawsuits, and can expose consumers to potential identity theft and credit card fraud. Return on investment can
now mean reduced risk of imprisonment, reduced risk of investigation, return on insurance, and reduction of
incidents.
How Does An Organization Benefit From Implementing ISO/IEC 27001?
The benefits of standardization and of implementation of the ISO 27001 series are wide and varied. Although specific
benefits may vary between organizations, the most common benefits are that it:
· Provides a valuable framework for resolving security issues
· Enhances client confidence and perception of your organization
· Enhances business partners' confidence and perception of your organization
· Provides confidence that you have managed risk in your own security implementation
· Enhances security awareness within an organization
· Assists in the development of best practice
· Can often be a deciding differentiator between competing organizations
· Can lead to cost savings. Even a single information security breach can involve significant costs
· Establishes that relevant laws and regulations are being met
· Ensures that a commitment to Information Security exists at all levels throughout an organization
Other benefits may include:
· Interoperability - This is a general benefit of standardization. The idea is that systems from diverse parties are
more likely to fit together if they follow a common guideline.
· Assurance - Management can be assured of the quality of a system, business unit, or other entity, if a recognized
framework or approach is followed.
· Due Diligence - Compliance with, or certification against, an international standard is often used by management
to demonstrate due diligence.
· Benchmarking - Organizations often use a standard as a measure of their status within their peer community. It can
be used as a benchmark for current position and progress.
· Awareness - Implementation of a standard such as ISO 27001 can often result in greater security awareness within
an organization.
· Alignment - Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business
management and technical staff, greater IT and Business alignment often results.
Can The ISO 27001 Standard Be Integrated With Other Management Systems?
There is an increasing trend for organizations to combine all their management systems into one integrated system.
ISO 27001 has been produced to harmonize with other standards and specifications such as ISO 9001 (Quality), ISO
14001 (Environmental) and OHSAS 18001 (Health & Safety).
By reducing duplication and providing a centralized document control system, integrated systems not only help
organizations internally, but may also offer cost benefits for the third-party certification audit.
What Is the Process To Get Certified To ISO/IEC 27001?
The certification process is very similar to that of ISO 9001 or ISO 14001.
Key steps in the certification process include:
- Definition of certification scope
- Pre-audit (optional): gap analysis and diagnosis of your current position against the standard
- Certification audit performed in 2 stages:
  - Stage 1 – readiness review performed to verify that the organization is ready for certification.
  - Stage 2 – evaluation of the implementation, including the effectiveness, of the organization's management system.
- A certificate valid for 3 years is issued upon satisfactory results of the stage 2 audit.
- Surveillance audits to verify that the management system continues to fulfill the requirements of the standard
and to monitor the continual improvement of the ISMS.
- Re-certification after 3 years to confirm the continued conformance and effectiveness of the management system
as a whole.
If the assessor identifies any major non-conformance, the organization cannot be certified until corrective action
is taken and verified.
What Are The Requirements Of ISO/IEC 27001?
ISO/IEC 27001:2005 has the following sections:
0 Introduction - the standard uses a process approach.
1 Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2 Normative references - only ISO/IEC 27002:2005 is considered absolutely essential to the use of '27001.
3 Terms and definitions - a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.
4 Information security management system - the 'guts' of the standard, based on the Plan-Do-Check-Act cycle, where
Plan = define requirements, assess risks, decide which controls are applicable; Do = implement and operate the ISMS;
Check = monitor and review the ISMS; Act = maintain and continuously improve the ISMS. It also specifies certain
documents that are required and must be controlled, and states that records must be generated and controlled to
prove the operation of the ISMS (e.g. for certification audit purposes).
5 Management responsibility - management must demonstrate their commitment to the ISMS, principally by allocating
adequate resources to implement and operate it.
6 Internal ISMS audits - the organization must conduct periodic internal audits to ensure the ISMS incorporates
adequate controls which operate effectively.
7 Management review of the ISMS - management must review the suitability, adequacy and effectiveness of the ISMS at
least once a year, assessing opportunities for improvement and the need for changes.
8 ISMS improvements - the organization must continually improve the ISMS by assessing and, where necessary, making
changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible
preventing recurrent issues.
Annex A - Control objectives and controls - little more in fact than a list of titles of the control sections in
ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2).
Annex B - OECD principles and this International Standard - a table briefly showing which parts of this standard
satisfy the 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks.
Annex C - Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard - the standard shares
the same basic structure as other management systems standards, meaning that an organization which implements any
one should be familiar with concepts such as PDCA, records and audits.
If you are interested in taking formal training in ISO/IEC 27001 and related standards, call me at 905-593-8867 or
email me at artjlewis@rogers to get details of the scheduled dates, locations and cost for the best recognized
training course providers. Another option would be to contact some of the training providers advertised on this
page.
Other Useful Training Resources:
"Understanding ISO 9001" provides a detailed explanation of each ISO 9001 clause (requirements).
ISO 9001 FAQ provides answers to commonly asked questions about the ISO 9000 family of quality management standards.