FAQ: What is ISO/IEC 27001?

www.pecb.com

WHAT IS INFORMATION SECURITY?

1 What is information security?

Information security is the protection of information to ensure:

• Confidentiality: ensuring that the information is accessible only to those authorized to access it.
• Integrity: ensuring that the information is accurate and complete and that the information is not modified
without authorization.
• Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures,
organizational structures, and software and hardware functions).

2 What is an ISMS?

An Information Security Management System (ISMS) is a management system based on a systematic
business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information
security. It is an organizational approach to information security. ISO/IEC 27001 is a standard for information
security that focuses on an organization’s ISMS.

3 Why should I certify my ISMS?

Certification of a management system brings several advantages. It gives an independent assessment of
your organization’s conformity to an international standard that contains best practices from experts for
ISMS. A certified ISMS does not guarantee compliance with legislative and local policies, but provides a
systematic platform to build on.

4 What are the main concepts of ISO/IEC 27001?

All activities must follow a method. The method is arbitrary but must be well defined and documented. The
standard requires a company to specify its own security goals.

• An auditor will verify whether these requirements are fulfilled.
• All security measures shall be the result of a risk analysis.
• The standard offers a set of security controls. It is up to the organization to choose which controls to
implement based on the specific needs of their business.
• A process must ensure the continuous verification of all elements of the security system through audits and
reviews.
• A process must ensure the continuous improvement of all elements of the security system.

5 How does ISO/IEC 27001 relate to other management system standards (ISO 9001 and 14001)?

ISO/IEC 27001 is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental
management systems) standards. The three standards share system elements and principles, including
adopting the PLAN, DO, CHECK, ACT cyclic process. This approach makes it possible to integrate the systems
to the extent it makes sense.

6 Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001?

If information assets are important to your business, you should consider implementing an ISMS in order to
protect those assets within a sustainable framework.

If you implement an ISMS, you should consider going through the process to be certified against the ISO/
IEC 27001 standard. ISO/IEC 27001 continues to build a reputation for helping to model business practices
that enhance an organization’s ability to protect its information assets. A growing number of organizations
around the world have already gone through the certification process.

7 What is risk assessment?

Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of
information and information systems and processing facilities, and the likelihood of their occurrence.

8 What is risk management?

Risk management is the process of identifying, controlling, and minimizing or eliminating security risks.

9 Why are risk assessment and risk management relevant to information security?

In the real world, the cost of protecting information must be balanced against the potential cost of security
breaches. A company must fully understand the security risks it faces in order to determine the appropriate
management action and to implement controls selected to protect against these risks.
10 How is risk assessment related to ISO/IEC 27001?

Selecting the right set of controls requires the use of a risk assessment-based approach. This approach is a
mandatory part of the PLAN (identify, analyze and evaluate the risks), DO (select, implement, and use controls
to manage the risks to acceptable levels), CHECK, and ACT cyclic process defined for the establishment,
implementation, and maintenance of an ISMS.

11 Does ISO/IEC 27001 define the methodology for risk assessment?

The standard specifies only that the organization should use a systematic approach to risk assessment
(method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable
level).

12 After implementation, must the organization re-assess risks?

An organization that manages change effectively has a better chance of survival. The PDCA process model
provides a means of assessing the risks an organization is challenged with as a result of changes in the
business environment.

13 What is ISMS certification?

ISO/IEC 27001 is the standard that specifies an ISMS. A third party can audit an ISMS and, if satisfied that it
conforms, can certify that the organization is compliant with this standard.

14 How long is a certificate valid?

Certificates usually have only a limited validity. The maximum term of validity is three years.

15 Will I be supervised by the certification body?

Yes. The certification body will conduct regular continuing assessments of your ISMS. You are also obliged to
announce major changes of your ISMS. The certification body will then decide on the necessity of additional
checks.

COPYRIGHTS: HTTP://WWW.ATSEC.COM/01/ISMS-ISO-IEC-27001-BS-7799-FAQ.HTML