ISO 27001 FAQs
ISO 27001 has been ‘harmonized’ with other management standards such as ISO 14001 and ISO 9001, and thus follows the Plan-Do-Check-Act (PDCA) model and the concept of continual improvement.
Here are 3 successful information security strategies:
- Define a strategic and comprehensive risk management focus, rather than just reacting to security incidents one by one;
- Have a defined risk assessment methodology that systematically identifies and evaluates risks before security controls are selected and implemented;
- Identify and value the organization’s most critical assets and assure an understanding of the threats to those assets along with the consequences of a security failure.
- Identify the Information Assets (people, process, technology), Asset Owners and Custodians that are part of the scope
- Identify the Threats and Vulnerabilities applicable to those Assets
- Rate the Confidentiality, Integrity and Availability (C, I, A) of each Asset
- Assign the Threat Probability and Impact Rating
- Assign Controls for the identified threats that are above the Acceptable Risk Rating
Once the above set of activities is completed, you can arrive at the Risk Treatment Plan and Statement of Applicability (SOA). This completes your Risk Assessment / Risk Management process.
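The five steps above, carried through end to end, as an added example that is not part of the original FAQ: a constructed toy methodology in which impact is the asset's C/I/A rating for the property a threat affects, risk is probability times impact, and only risks above the acceptable rating go into the Risk Treatment Plan, while the Statement of Applicability records every control with a justification. The 1-5 scales, the threshold of 8 and the control labels are assumptions.

```python
from dataclasses import dataclass
# Constructed toy methodology following the steps above; the 1-5 scales,
# the threshold and the control labels are assumptions, not ISO 27001 text.
ACCEPTABLE_RISK = 8  # risk = probability x impact; anything above this is treated

@dataclass
class Asset:
    name: str          # people, process or technology in scope
    owner: str
    custodian: str
    cia: dict          # {"C": 1-5, "I": 1-5, "A": 1-5} rating

@dataclass
class Threat:
    asset: str
    description: str
    prop: str          # which of "C", "I", "A" the threat affects
    probability: int   # 1 (rare) .. 5 (almost certain)
    control: str       # hypothetical control label standing in for an Annex A reference

def risk_rating(asset, threat):
    """Impact is the asset's rating for the affected property."""
    return threat.probability * asset.cia[threat.prop]

def assess(assets, threats, acceptable=ACCEPTABLE_RISK):
    """Return (risk_treatment_plan, statement_of_applicability)."""
    in_scope = {a.name: a for a in assets}
    plan, soa = [], {}
    for t in threats:
        asset = in_scope[t.asset]            # KeyError: threat names an asset outside scope
        rating = risk_rating(asset, t)
        entry = soa.setdefault(t.control, {"applicable": False, "justification": []})
        if rating > acceptable:
            plan.append({"asset": t.asset, "owner": asset.owner, "threat": t.description,
                         "rating": rating, "control": t.control})
            entry["applicable"] = True       # a control is applicable once any risk needs it
            entry["justification"].append(f"treats '{t.description}' (risk {rating})")
        else:
            entry["justification"].append(f"'{t.description}' accepted (risk {rating})")
    return plan, soa

# Constructed sample scope
ASSETS = [
    Asset("customer database", "Head of Sales", "DBA team", {"C": 5, "I": 4, "A": 3}),
    Asset("public website", "Marketing lead", "Web ops", {"C": 1, "I": 3, "A": 4}),
]
THREATS = [
    Threat("customer database", "unauthorised disclosure", "C", 3, "CTRL-ACCESS"),
    Threat("customer database", "backup media loss", "A", 2, "CTRL-BACKUP"),
    Threat("public website", "defacement", "I", 3, "CTRL-CHANGE"),
    Threat("public website", "hosting outage", "A", 1, "CTRL-CONTINUITY"),
]
```

Calling `assess(ASSETS, THREATS)` yields a two-item treatment plan (the disclosure and defacement risks, rated 15 and 9) and a four-entry SoA in which only CTRL-ACCESS and CTRL-CHANGE are marked applicable.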
Different certification bodies or registrars tend to differ in their approaches to the certification, with some being more ‘hands on’ than others. However, the following steps are very typical:
- Questionnaire (the Certification Body obtains details of your requirements)
- Application for Assessment (you complete the application form)
- Pre-assessment Visit or ‘Gap Analysis’
- The Stage 1 Audit (a ‘Document Review’), sometimes called the Phase 1 audit
- The Stage 2 Audit (sometimes called the Phase 2 or ‘Compliance Audit’)
The current ISO 27001 version was published in October 2005. There are no plans to update it soon.
- Market differentiation due to prestige, image and external perception
- Qualify for lower premiums for cyber security risk insurance
- Certifiable, Proven, Defensible, Cost-Effective, Recognition of Best Practices
- Demonstrated due diligence to maintain certification through semi-annual surveillance visits
- Increases awareness regarding information security
- Helps establish proven information security controls throughout the organization
- Increases employee and customer confidence
- Ensures information assets and risks are controlled
- Improves reputation through elimination or reduction of information security incidents or events
- Creates a framework for future continual improvement
The clauses basically explain how to apply the standard itself, and how to build and operate an information security management system.
Annex A is a list of 133 controls organized into 10 sections, intended to serve as a requirement for identifying the range of controls needed for most situations where information systems are used in industry and commerce. They are listed and briefly explained in Annex A; the same controls are described more broadly in the new ISO 27002.
- Scope of the ISMS
- ISMS Policy
- Risk assessment approach
- Risk assessment report
- Risk treatment plan
- Statement of Applicability (SOA)
- Selection and implementation of the controls in Annex A
- One completed Internal Audit cycle
- One Management Review cycle
Periodic audits are typically conducted every 6 months or every year, depending on the registrar and the contract signed with the organization. Periodic audits normally take fewer days than the original certification audit.
A re-certification audit involves auditing all requirements of the standard and may be as long as the original certification audit.
ISO 27002 itself is intended to be used in conjunction with ISO 27001 (which is a specification for a management system, part of which, Annex A, is the selection of controls as appropriate). Those controls are broadly described by ISO 27002.