ISO 27001

What is ISO 27001?

ISO 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organizations). The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISM within the context of the organization’s overall risk management processes. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

Define a security policy.

Define the scope of the ISMS.

Conduct a risk assessment.

Manage identified risks.

Select control objectives and controls to be implemented.

Prepare a statement

of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

What are the benefits of certification?

Customer satisfaction - by giving confidence that their personal information is protected and confidentiality upheld

Business continuity - through management of risk, legal compliance and vigilance of future security issues and concerns

Legal compliance - by understanding how statutory and regulatory requirements impact the organization and its customers

Improved risk management - through a systematic framework for ensuring customer records, financial information and intellectual property are protected from loss, theft and damage

Proven business credentials - through independent verification against recognized standards

Ability to win more business - particularly where procurement specifications require certification as a condition to supply

How to gain registration?

The process of registration follows three simple steps:

Application for registration is made by completing the application questionnaire

Assessment is undertaken by NQA - the organisation must be able to demonstrate that its ISMS has been fully operative for a minimum of three months and has been subject of a full cycle of internal audits

Registration is granted by NQA and maintained by the organisation. Maintenance is confirmed through a programme of annual surveillance visits and a three yearly re-certification audit.

Initial Certification Audit

Stage 1 - the purpose of this visit is to confirm the readiness of the organisation for full assessment. The assessor will:

confirm that the quality manual conforms to the requirements of ISO 27001

confirm its implementation status

confirm the scope of certification, statement of applicability and any exclusions

check legislative compliance and review risk assessment

produce a report that identifies any non-compliance or potential for non-compliance and agree a corrective action plan if required

produce an assessment plan and confirm a date for the Stage 2 assessment visit

Stage 2 - the purpose of this visit is to confirm that the quality management system fully conforms to the requirements of ISO 27001 in practice. The assessor will:

undertake sample audits of the processes and activities defined in the scope of assessment

document how the system complies with the standard

report any non-compliances or potential for non-compliance

produce a visit plan for the first surveillance visit

Please note that if any major non-conformance is identified, the organisation cannot be certified until corrective action is taken and verified

Other standards being developed in the 27000 family are:

27003 – implementation guidance.

27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.

27005 – an information security risk management standard. (Published in 2008)

27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)

27007 – ISMS auditing guideline.

More information is available at (www.iso27001security.com)