An Introduction to ISO 27001
It specifies the requirements for an ISMS, an Information Security Management System.
BS7799 itself was a long standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems.
It is this against which certification is granted. Today in excess of a thousand certificates are in place, across the world.
ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards.
The objective of the standard itself is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System”.
Regarding its adoption, this should be a strategic decision of the organization.
“The design and implementation of an organization’s ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization”.
The standard defines its ‘PROCESS APPROACH’ as “The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management”.
It employs the PDCA, Plan-Do-Check-Act model to structure the processes, and reflects the principles set out in the OECD guidelines.
THE ISO 27001 CERTIFICATION PROCESS
The process starts when the organization makes the decision to embark upon the exercise.
At this point, it is also important to ensure management commitment and then assign responsibilities for the project itself.
An organizational top level policy can then be developed and published. This can, and will normally, be supported by subordinate policies.
The next stage will define which part (s) of the organization will be covered by the ISMS.
Typically, it will define the location, assets and technology to be included.
At this stage a risk assessment will be undertaken, to determine the organization’s risk exposure/profile, and identify the best route to address this.
The document produced will be the basis for the next stage, which will be the management of those risks.
A part of this process will be selection of appropriate controls with respect to those outlined in the standard (and also in Code of Practice ISO 27002 i.e. ISO 17799:2005), with the justification for each decision recorded in a Statement of Applicability (SOA).
The controls themselves should then be implemented as appropriate.
The certification process itself can then be embarked upon through a suitable accredited third party.