atsec information security

ISO 27001: Frequently asked questions

Information Security, ISMS, and ISO/IEC 27001

Risk Assessment and Risk Management

Certification

Information Security, ISMS, ISO/IEC 27001, ISO/IEC 27002 (ISO/IEC 17799)

What is information security?
Information security is the protection of information to ensure:

  • Confidentiality: ensuring that the information is accessible only to those authorized to access it.
  • Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
  • Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).

What is an ISMS?
An Information Security Management System (ISMS) is a management system based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. ISO/IEC 27001 (BS 7799) is a standard for information security that focuses on an organization’s ISMS. Other standards for information security are much more specific and have a different focus:

  • IT systems (FISMA and ISO 13335-2)
  • Product (Common Criteria, ISO 15408, FIPS 140-2)

Why should I certify?
Certification of a management system brings several advantages. It gives an independent assessment of your organization’s conformity to the best practices agreed by a community of experts for ISMS.

Drivers for certification include:

  • Meeting U.S. legislative requirements directly
    • Sarbanes-Oxley Section 404
    • SAS 70 requirements
    • HIPAA requirements (Security Rule)
    • California’s privacy laws, including SB 1436
  • Meeting legislative and regulatory requirements indirectly
    • Privacy legislation
    • Managing the need to meet international legislative requirements
  • As part of a supplier management program
    • Some major corporations prefer suppliers who can prove that they meet the best-practice standards
    • In some industries certification is demanded by customers. This is often seen in finance-related industries, data centers, and on-line service providers.
  • To reduce insurance premiums
    • In some cases insurance premiums can be reduced if you can prove that you meet the best-practice standards
  • As part of a corporate governance program
    • Corporations must take care to meet the best practices, and often need to show stakeholders such as sponsors, shareholders, and financiers that they take good care of information security.

What is the history of the standards?
The ISMS standard was first published as a British Standard, BS 7799, in two parts:

  • BS 7799-1, the code of practice
  • BS 7799-2, the specification for an ISMS used as the basis for certifying the organization

Both parts of BS 7799 were later released as international standards:

  • BS 7799-1 became international standard ISO/IEC 17799, and was subsequently renumbered to become ISO/IEC 27002.
  • BS 7799-2 became international standard ISO/IEC 27001.

What is the future of the standards?
The current standards will continue to evolve, and additional standards in the ISO/IEC 27000 family are currently in development.

Why does ISO/IEC 27002 (ISO/IEC 17799) matter?
ISO/IEC 27002 (ISO/IEC 17799) matters because it provides guidance for planning and implementing a program to protect information assets. It also provides a list of controls (safeguards).

Why does ISO/IEC 27001 matter?
ISO/IEC 27001 matters because it provides the standard against which certification is performed. An organization that seeks ISMS certification is examined against ISO/IEC 27001.

How does ISO/IEC 27001 relate to other management system standards (ISO 9001 and 14001)?
ISO/IEC 27001 is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental management systems) standards. The three standards share system elements and principles, including adopting the PLAN, DO, CHECK, ACT cyclic process. This approach makes it possible to integrate the systems to the extent it makes sense.

Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001?
If information assets are important to your business, you should consider implementing an ISMS in order to protect those assets within a sustainable framework.

If you implement an ISMS, you should consider joining the growing number of organizations around the world that have already gone through the process to be certified against the ISO/IEC 27001 standard. A successful ISMS certification provides an assurance that an independent team of evaluators has audited your information security management system and certified your adherence to the international standard. This can be a differentiating factor for your business. ISO/IEC 27001 continues to build a reputation for helping to model business practices that enhance an organization’s ability to protect its information assets.

Risk Assessment and Risk Management
A responsible organization must assess the risk to its identified information assets, make decisions about which risks are intolerable and therefore need to be controlled, and manage the residual risks through carefully considered policies and procedures.

What is risk assessment?
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence.

What is risk management?
Risk management is the process of identifying, controlling, and minimizing or eliminating security risks.

Why are risk assessment and risk management relevant to information security?
In the real world, the cost of protecting information must be balanced against the potential cost of security breaches. A company must fully understand the security risks it faces in order to determine the appropriate management action and to implement controls selected to protect against these risks.

How is risk assessment related to ISO/IEC 27001?
Selecting the right set of controls requires a risk-assessment-based approach. This approach is a mandatory part of the PLAN (identify, analyze, and evaluate the risks), DO (select, implement, and use controls to manage the risks to acceptable levels), CHECK, and ACT cyclic process defined in ISO/IEC 27001 for the establishment, implementation, and maintenance of an ISMS.
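The risk assessment process described above (identify threats, vulnerabilities, impacts, and likelihood; decide which risks exceed the acceptance level; select controls; re-check residual risk as part of the PLAN, DO, CHECK, ACT cycle) can be made concrete with a small risk register. The Python below is an added illustration, not code from atsec and not a method defined by ISO/IEC 27001, which prescribes no particular risk-assessment methodology. The 5-point likelihood and impact scales, the likelihood-times-impact scoring, the acceptance level of 8, and the three sample assets with their assumed control effects are all constructed for this example.

```python
"""Illustrative qualitative risk register (added example; not atsec's or ISO's method)."""
from dataclasses import dataclass, field, replace
from typing import List

# Assumed 5-point ordinal scales; ISO/IEC 27001 does not prescribe them.
SCALE = range(1, 6)
# Assumed risk-acceptance criterion: management accepts risks scored 8 or below.
ACCEPTABLE_LEVEL = 8


@dataclass(frozen=True)
class Control:
    """A safeguard and how much it is expected to lower likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One row of the register: an asset, a threat, and the vulnerability it exploits."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be in 1..5")

    @property
    def inherent(self) -> int:
        """Risk level before any treatment (assumed scoring: likelihood x impact)."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Risk level after the selected controls; neither factor drops below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def needs_treatment(risk: Risk, acceptable: int = ACCEPTABLE_LEVEL) -> bool:
    """PLAN: a risk above the acceptance level must be treated rather than simply accepted."""
    return risk.inherent > acceptable


def still_unacceptable(register: List[Risk], acceptable: int = ACCEPTABLE_LEVEL) -> List[str]:
    """CHECK: names of assets whose residual risk remains above the acceptance level."""
    return [r.asset for r in register if r.residual > acceptable]


def reassess(risk: Risk, **changes: int) -> Risk:
    """ACT: re-score a risk after a change in the business or threat environment."""
    return replace(risk, **changes)


def build_register() -> List[Risk]:
    """Constructed sample register with three assets (illustrative values only)."""
    return [
        Risk("customer database", "unauthorized disclosure", "shared admin accounts", 4, 5,
             controls=[Control("role-based access with MFA", likelihood_reduction=2),
                       Control("encryption at rest", impact_reduction=2)]),
        Risk("public website", "defacement", "delayed CMS patching", 3, 2),
        Risk("backup tapes", "loss in transit", "unencrypted media", 2, 5,
             controls=[Control("encrypted backups", impact_reduction=3)]),
    ]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        action = "treat" if needs_treatment(r) else "accept"
        print(f"{r.asset:18} inherent={r.inherent:2} -> {action:6} residual={r.residual}")
    print("still unacceptable:", still_unacceptable(register))
    # Business change: the database is now exposed to partners, so likelihood rises.
    changed = reassess(register[0], likelihood=5)
    print("after change:", changed.asset, "residual =", changed.residual)
```

Running it shows the customer database and backup tapes scored above the acceptance level and brought below it by their controls, while the website risk is accepted as-is. The final re-assessment is the point of the PDCA cycle: after the assumed business change the database's residual risk climbs back above the acceptance level, so the existing controls must be revisited rather than assumed sufficient.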

Does ISO/IEC 27001 define the methodology for risk assessment?
The standard specifies only that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). A specific methodology is not prescribed.

Several methodologies are published and available for use. These include

After implementation, must the organization re-assess risks?
An organization that manages change effectively has a better chance of survival. The PDCA process model provides a means of re-assessing the risks an organization faces as a result of changes in its business environment.

Certification

What is certification?
ISO/IEC 27001 certification is the process by which an organization’s ISMS is examined against the ISO/IEC 27001 specification by an accredited certification body.

What is a certification body?
A certification body (also called a registration body, assessment and registration body, or registrar) is a third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.

Who accredits certification bodies?
Accreditation organizations accredit the competence of certification bodies to perform services in the areas of product and management system approval. These accreditation organizations are often, but not always, national in scope.

What is the certification process?
The certification process includes:

  1. Part 1 audit (also known as a desktop audit). Here the certification body (CB) auditor examines the pertinent documentation.
  2. Taking action on the results of the part 1 audit.
  3. Part 2 audit (on-site audit). Here the CB sends an audit team to examine your implementation of the reviewed, documented ISMS.
  4. Correction of audit findings and agreement on a surveillance schedule.
  5. Issuance of the certificate. (Depending on the CB, this can take a few weeks to several months.)

Following initial certification, the ISMS is subject to surveillance as specified by the CB, and then requires re-certification after three years.
