• Leading international standard for information security management
• By the end of 2009, more than 12,000 organizations worldwide had been certified against this standard
• Its purpose is to protect the confidentiality, integrity and availability of information

ISO 27001
• It is not a technical standard that describes the ISMS in technical detail
• It does not focus only on information technology, but also on the organization's other important assets

ISO 27001
• Focuses on all business processes and business assets
• Focuses on reducing the risks to information that is valuable for the organization
• The information may or may not be related to information technology, and may or may not be in digital form

ISO 27001 benefits
• Better organizational image because of the certificate issued by a certification body
• Lower costs because of the risks avoided
• Operations in the organization run more smoothly because responsibilities and business processes are clearly defined

Process of ISO 27001 implementation
• Phase 1 - Planning
• Phase 2 - Implementing
• Phase 3 - Checking
• Phase 4 - Improving

Planning the ISMS
• Policy and objectives
• Risk assessment and risk treatment
• Risk Assessment Report
• Statement of Applicability

Implementing the ISMS
• 4 mandatory procedures
• Risk Treatment Plan
• Implement all controls
• Conduct training and awareness activities

Checking the ISMS
• Execute monitoring and reviewing procedures
• Measure the effectiveness of controls
• Internal audit
• Management review

Improving the ISMS
• Corrective actions
• Preventive actions

Requirements for successful implementation
• Management support (available people + funding)
• Project team
• Awareness of employees

Duration of implementation
• For very small organizations (fewer than 10 employees) - up to 4 months
• For small organizations (10 to 50 employees) - up to 8 months
• For medium-sized organizations (50 to 500 employees) - up to 12 months
• For large organizations (500 or more employees) - up to 18 months

Cost of implementation
• It is not possible to calculate the cost before the risk assessment is completed and the applicable controls are identified
• The majority of the investment is usually not in technology, but in the employees who implement the ISMS (invested time + training)

For more useful information: www.iso27001standard.com