● An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a
● It can help small, medium and large businesses in any sector keep information assets secure.
as point solutions to specific situations or simply as a matter of convention.
● Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and
● Moreover, business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security
as risk avoidance or risk transfer) to address those risks that are
● What controls will be tested as part of certification to ISO/IEC 27001 is dependent on the certification auditor.
● This can include any controls that the organisation has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.
● Management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location.
● The ISO/IEC 27001 certificate does not necessarily mean the remainder of the organization, outside the scoped area, has an adequate approach to information security management.
● Other standards in the ISO/IEC 27000 family of standards provide additional guidance on certain aspects of designing, implementing and operating an ISMS,
provide results in line with the global policies and objectives of the organization.
○ All references to PDCA were removed in ISO/IEC 27001:2013. Its use in the context of ISO/IEC 27001 is no longer mandatory.
● The first part, containing the best practices for information security management, was revised in 1998; after a lengthy discussion in the worldwide standards bodies, it was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for information security management." in 2000. ISO/IEC 17799 was then revised in June 2005 and finally incorporated in the ISO 27000 series of
● The second part of BS 7799 was first published by BSI in 1999, known as BS 7799 Part 2, titled "Information Security Management Systems - Specification with guidance for use." BS 7799-2 focused on how to implement an information security structure and controls identified in BS 7799-2. This later became ISO/IEC 27001:2005. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
● BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001:2005.
● Very little reference or use is made to any of the BS standards in connection with ISO/IEC 27001.
Certification
● An ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide.
● Certification against any of the recognized national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is
● In some countries, the bodies that verify conformity of management systems to specified standards are called "certification bodies", while in others they are
ISO/IEC 17021 and ISO/IEC 27006 standards:
● Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as
(SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize
The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation
audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
● Ongoing involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification
ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.
● ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:
○ 1. Scope of the standard
○ 2. How the document is referenced
○ 3. Reuse of the terms and definitions in ISO/IEC 27000
○ 4. Organizational context and stakeholders
○ 5. Information security leadership and high-level support for policy
○ 6. Planning an information security management system; risk assessment; risk treatment
● Implementing an ISO 27001-compliant ISMS will include the following key elements:
● Part of the ISO 27000 family of standards, ISO 27001 consists of 114 controls (from Annex A) and 10 management system clauses that together support the
● While ISO 27001 offers the specification, the Standard is supported by its code of practice for information security management, ISO/IEC 27002:2013.