Module Conference 2014
November 19-21, Rockville, MD
ISO/IEC 27001: Frequently asked questions
Information Security, ISMS, and ISO/IEC 27001
- What is information security?
- What is an ISMS?
- Why should I certify?
- Why does ISO/IEC 27002 matter?
- Why does ISO/IEC 27001 matter?
- How does ISO/IEC 27001 relate to other management system standards (ISO 9001 and 14001)?
- Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001?
Risk Assessment and Risk Management
- What is risk assessment?
- What is risk management?
- Why are risk assessment and risk management relevant to information security?
- How is risk assessment related to ISO/IEC 27001?
- Does ISO/IEC 27001 define the methodology for risk assessment?
- After implementation, must the organization re-assess risks?
- What is ISMS certification?
- What is a certification body?
- Who accredits certification bodies?
- What is the certification process?
What is information security?
Information security is the protection of information to ensure:
- Confidentiality: the information is accessible only to those authorized to access it
- Integrity: the information is accurate and complete and is not modified without authorization
- Availability: the information is accessible to authorized users when required
Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).
What is an ISMS?
An Information Security Management System (ISMS) is a management system based on a systematic, business risk approach to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. ISO/IEC 27001 (BS 7799) is a standard for information security that focuses on an organization’s ISMS. Other standards for information security that are much more specific and have a different focus include:
- IT systems focus - FISMA and ISO 13335-2
- Product focus - Common Criteria, ISO 15408, and FIPS 140-2
Why should I certify?
Certification of a management system brings several advantages and provides you with an independent assessment of your organization's conformity to the best practices agreed upon by a community of experts for ISMS.
Some typical drivers for certification include:
Meeting U.S. legislative requirements directly:
- Sarbanes-Oxley Section 404
- SAS 70 requirements
- HIPAA requirements (security rule)
- California’s privacy laws including SB 1436
Meeting legislative and regulatory requirements indirectly:
- Privacy legislation
- Managing the need to meet international legislative requirements
As part of a supplier management program:
- Some major corporations prefer suppliers that can prove they meet best-practice standards.
- In some industries, certification is demanded by customers. This is often seen in finance-related industries, data centers, and online service providers.
To reduce insurance premiums:
- In some cases, insurance premiums can be reduced if you can prove that you meet the best practice standards.
As part of a corporate governance program:
- Corporations must meet best practices and often need to show stakeholders (such as sponsors, shareholders, and financiers) that they place a priority on information security.
Why does ISO/IEC 27002 (ISO/IEC 17799) matter?
ISO/IEC 27002 (ISO/IEC 17799) provides guidance for planning and implementing a program to protect information assets. It also provides a list of controls (safeguards).
Why does ISO/IEC 27001 matter?
ISO/IEC 27001 provides the standard against which certification is performed. An organization that seeks ISMS certification is examined against ISO/IEC 27001.
How does ISO/IEC 27001 relate to other management system standards (ISO 9001 and 14001)?
ISO/IEC 27001 is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental management systems) standards. The three standards share system elements and principles, including adopting the PLAN, DO, CHECK, ACT cyclic process. This approach makes it possible to integrate the systems to the extent that it makes sense.
Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001?
If information assets are important to your business, you should consider implementing an ISMS to protect those assets within a sustainable framework.
If you implement an ISMS, you should consider joining the growing number of organizations around the world that have already gone through the process to be certified against the ISO/IEC 27001 standard. A successful ISMS certification provides assurance that an independent team of evaluators has audited your information security management system and certified your adherence to the international standard. This can be a differentiating factor for your business. ISO/IEC 27001 continues to build a reputation for helping to model business practices that enhance an organization’s ability to protect its information assets.
Risk Assessment and Risk Management
A responsible organization must assess the risk to its identified information assets, decide which risks are intolerable (and therefore need to be controlled), and manage the residual risks through carefully considered policies and procedures.
What is risk assessment?
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence.
What is risk management?
Risk management is the process of identifying, controlling, and minimizing or eliminating security risks.
Why are risk assessment and risk management relevant to information security?
In the real world, the cost of protecting information must be balanced against the potential cost of security breaches. A company must fully understand the security risks it faces to determine the appropriate management action and implement selected controls to protect against these risks.
How is risk assessment related to ISO/IEC 27001?
Selecting the right set of controls requires the use of a risk assessment-based approach. This approach is a mandatory part of the PLAN (identify, analyze and evaluate the risks), DO (select, implement, and use controls to manage the risks to acceptable levels), CHECK, and ACT cyclic process defined in ISO/IEC 27001 for the establishment, implementation, and maintenance of an ISMS.
Does ISO/IEC 27001 define the methodology for risk assessment?
The standard specifies only that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policies, and objectives for reducing the risks to an acceptable level). A specific methodology is not prescribed.
Several methodologies are published and available for use. These include:
- ISO/IEC 27005:2011 Information technology - Security techniques - Information security risk management
- NIST SP 800-30 (Risk Management Guide for Information Technology Systems)
After implementation, must the organization re-assess risks?
An organization that manages change effectively has a better chance of survival. The Plan, Do, Check, Act (PDCA) process model provides a means of assessing the risks that an organization faces as a result of changes in its business environment.
What is ISMS certification?
ISO/IEC 27001 certification is the process by which an organization’s ISMS is examined against the ISO/IEC 27001 specification by an accredited certification body.
What is a certification body?
A certification body (also called a registration body, assessment and registration body, or registrar) is a third party that assesses and certifies whether the ISMS of an organization meets the requirements of the standard.
Who accredits certification bodies?
Accreditation organizations assess and formally recognize the competence of certification bodies to perform services in the areas of product and management system approval. These accreditation organizations are often, but not always, national in scope.
What is the certification process?
The certification process includes:
- Part 1 audit (also known as a desktop audit), in which the certification body (CB) auditor examines the pertinent documentation.
- Taking action on the results of the Part 1 audit.
- Part 2 audit (on-site audit), in which the CB sends an audit team to examine your implementation of the reviewed, documented ISMS.
- Correction of audit findings and agreement on a surveillance schedule.
- Issuance of the certificate. (Depending on the CB, this can take anywhere from a few weeks to several months.)
Following initial certification, the ISMS is subject to surveillance as specified by the CB, and then requires re-certification after three years.