About ISO/IEC 27001
The ISMS standard ISO/IEC 27001 was published by ISO on 15th October 2005 and has been a tremendous success story ever since; the number of users and certificates is constantly growing. It was developed by the standardization committee ISO/IEC JTC 1/SC 27.
ISO/IEC 27001:2005 specifies the requirements for an Information Security Management System (ISMS), and organizations that successfully implement the requirements of ISO/IEC 27001 can be certified against this standard. An ISMS uses a risk-based approach to develop information security in an organization in support of its business requirements, and uses measurements to ensure the effectiveness of the implemented controls. help AG offers a number of services around the implementation of this standard.
ISO/IEC 27001 is supported by a set of other standards and has been harmonized with the other management system standards ISO 9001:2000 and ISO 14001:2004 to facilitate combined implementations. ISO/IEC 27001 has also been the basis of the ADSIC Security Standards, and help AG has developed a methodology to facilitate a joint implementation of both standards.
ISO/IEC 27001 Services
An important part of help AG’s Strategic Security Services concentrates on the implementation of the ISMS standards; several of the trainings offered also relate to ISO/IEC 27001, and help AG has vast experience in providing these services.
help AG can assist your organization in:
• Preparing for ISMS certification
• Carrying out Risk Assessment and Risk Treatment
• Gap Analysis
• Internal ISMS Audit
• Implementation of Combined Management Systems
• Joint ISO/IEC 27001 and ADSIC Implementation
Preparing for ISO/IEC 27001 Certification
More and more organizations are interested in achieving certification against ISO/IEC 27001. There are many benefits and motivations for an organization to become certified, including implementing a management system to achieve reliable information security and better internal control, fulfilling the requirements of business partners, or sending a message to customers and business partners that the organization’s operations are secure.
help AG supports organizations in achieving the ISMS certificate, by leading them through the important ISMS processes (scope definition, carrying out risk assessment and risk treatment, defining the statement of applicability, conducting internal audits, carrying out management reviews and all the other ISMS processes required).
Risk Assessment and Risk Treatment
The core element of an ISMS is risk assessment – it is used to determine the amount of information security needed by the organization, based on the business requirements, and risk treatment determines how the information security objectives are achieved. ISO/IEC 27001 sets clear requirements for risk assessments, including asset identification, asset valuation, the identification of threats and vulnerabilities, and the assessment of their likelihood.
Essential questions in this context are how to obtain all the relevant information, what the appropriate level of detail is, and how to ensure that no important risks are overlooked. help AG has developed a method for conducting ISMS risk assessments that ensures quality output and has been successfully tried and tested in many ISMS implementations. help AG has also developed the tool RA2 art of risk to support the risk assessment and treatment activities; it helps manage the amount of information processed and eases the regular updating process.
The details on how to conduct a risk assessment might vary, depending on the requirements to be fulfilled (e.g. if a combined ADSIC and ISMS implementation is to be achieved). The requirements in ISO/IEC 27001 are flexible enough to allow other requirements to be addressed at the same time.
Carrying out Gap Analysis
ISMS Gap Analysis (also known as Readiness Assessment or Compliance Check) checks the organization's arrangements against the requirements in ISO/IEC 27001 and the controls contained in ISO/IEC 27002. Organizations can use gap analysis to check their information security status, or how far they are from achieving ISMS certification. The results of the gap analysis identify all ISMS processes and controls that are not implemented, or not completely and correctly implemented, and identify ways of improvement. Gap Analysis is often used as a first step towards ISMS certification.
Conducting Internal ISMS audits
Regular conduct of internal ISMS audits is a requirement of ISO/IEC 27001, so any organization wishing to implement or already operating an ISMS needs to ensure that internal ISMS audits take place as planned. In this context, it is important to understand that the internal ISMS auditors need to be independent of the area being audited, i.e. people involved in the implementation and/or operation of the ISMS cannot conduct such audits. In addition, internal ISMS auditors should be sufficiently competent to carry out ISMS audits.
One solution an organization can use is to employ an external party to conduct internal ISMS audits – even though that sounds contradictory, this is a perfectly viable solution.
The internal ISMS audits can also be combined with other, more technical activities, such as vulnerability assessments, penetration tests, application assessments and network security architecture reviews to carry out a comprehensive IT audit, covering all aspects of information security.
Implementation of Combined Management Systems
ISO/IEC 27001 can be combined with other management systems; frequently applied combinations are:
• ISO/IEC 27001 and ISO/IEC 20000-1: This is a useful combination, especially for IT departments or IT service providers, as ISO/IEC 20000-1 in particular is highly IT-oriented. Both standards have some overlap and address similar topics, each with a different aim, so a combination can reduce the resources and time required.
• ISO/IEC 27001 and BS 25999-2: Another useful combination of management systems is for information security and business continuity. One of the benefits of a combined implementation is that both standards require a risk assessment to be performed, and as information security incidents can lead to business continuity incidents and vice versa, it is important to have a connection between the management systems.
• ISO/IEC 27001 and ISO 9001 / 14001 / 18001: Other management system standards can also be easily combined with ISO/IEC 27001; which of these standards is chosen for the combination depends on the business objectives of the organization applying it. All these combinations are possible and also help save time and resources, as all management system standards have elements in common. This fact has led ISO to consider a common structure and identical text for all management system standards.
Joint ISO/IEC 27001 and ADSIC Implementation
The Abu Dhabi Security Information Centre (ADSIC) has developed a set of security standards that are based on ISO/IEC 27001. Therefore, the combined implementation of ISO/IEC 27001 and ADSIC seems a natural choice for all those organizations having to comply with the ADSIC scheme and, at the same time, wishing to have a management system that is internationally recognised.
As several of the requirements of the ADSIC Security Standards and of ISO/IEC 27001 are similar and have considerable overlap, help AG has developed a methodology which combines the requirements of both standards, where possible, to reduce the workload and minimize the time and resources spent in these processes. This combined methodology has been discussed with ADSIC and successfully applied in a number of combined ISMS and ADSIC projects.
27001 Series of Standards
In addition to the development of ISO/IEC 27001, SC 27 is working on several other standards that support the implementation of ISO/IEC 27001 and which might be an interesting read for all those wishing to implement an ISMS.
The following is an overview of all standards currently in development in SC 27 and their development status:
• ISO/IEC 27000: 2009, Information security management systems - Overview and vocabulary (1st edition, currently under revision) – this standard is freely available, contact Dr. Angelika Plate for details
• ISO/IEC 27001: 2005, Information security management systems - Requirements (1st edition, currently under revision) – Dr. Angelika Plate is the project manager of this revision
• ISO/IEC 27002: 2005, Code of practice for information security controls (1st edition, currently under revision)
• ISO/IEC 27003: 2010, Information security management system implementation guidance (1st edition)
• ISO/IEC 27004: 2009, Information security management measurements (1st edition)
• ISO/IEC 27005: 2008, Information security risk management (2nd edition)
• ISO/IEC 27006: 2007, Requirements for bodies providing audit and certification of information security management systems (1st edition, currently under revision) – Dr. Angelika Plate is the project manager of this revision
• ISO/IEC 27007: 2010, Guidelines for information security management systems auditing (under development) – Dr. Angelika Plate is the project manager of this development
• ISO/IEC 27008: 2010, Guidance for auditors on ISMS controls (under development)
• ISO/IEC 27010: 2010, Information security management for inter-sector and inter-organizational communications (under development)
• ITU-T X.1051 | ISO/IEC 27011: 2008, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 (1st edition)
• ISO/IEC 27013: 2010, Guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001 (under development)
• ISO/IEC 27014: 2010, Governance of Information security (under development)
• ISO/IEC 27015: 2010, Information security management guidelines for financial services (under development)
• ISO/IEC 27016: 2010, Information security management - Organizational economics (under development)