ISO 27001 consultants - Information Security Management Systems

ISO 27001 consultants, ISO 27000 consultants

Introduction

ISO 27001 is the formal international security standard against which organizations may seek independent certification of their information security management system. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS), using a continual-improvement approach. It is intended to be used in conjunction with ISO 27002:2005, a security Code of Practice that offers guidance on interpreting and implementing the specific security controls listed in Annex A of ISO 27001. It provides the foundation for third-party audits and is designed to harmonize with other management-system standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management). It draws on the Organisation for Economic Co-operation and Development (OECD) guidelines for the security of information systems and networks.

The ISO 27001 standard is formally known as “Information technology — Security techniques — Information security management systems — Requirements”.

Overview

ISO 27001 and ISO 27002 are direct descendants of the British Standards Institution (BSI) information security management standards BS 7799-1 and BS 7799-2. The BSI has long been proactive in the evolving field of information security. At the time this page was written, the published ISO 27000 series consisted of the following (note that ISO/IEC 27001 and 27002 have since been revised; the 2013 editions are the ones referred to in the registration notes later on this page):

  • ISO/IEC 27000:2009 - provides an overview/introduction to the ISO27k standards as a whole plus the specialist vocabulary used in ISO27k.
  • ISO/IEC 27001:2005 is the Information Security Management System (ISMS) requirements standard, the specification against which thousands of organizations have been certified.
  • ISO/IEC 27002:2005 is the code of practice for information security management describing a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
  • ISO/IEC 27003:2010 provides guidance on implementing ISO/IEC 27001.
  • ISO/IEC 27004:2009 is an information security management measurement standard.
  • ISO/IEC 27005:2008 is an information security risk management standard.
  • ISO/IEC 27006:2007 is a guide to the certification or registration process for accredited ISMS certification or registration bodies.
  • ISO/IEC 27011:2008 is the information security management guideline for telecommunications organizations.
  • ISO/IEC 27031:2011 is an ICT-focused standard on business continuity.
  • ISO 27799:2008 provides health sector specific ISMS implementation guidance based on ISO/IEC 27002.

In response to industry demand, a working group devoted to information security was first established in the early 1990s, producing a "Code of Practice for Information Security Management" in 1993. This work evolved into the first version of the BS 7799 standard, released in 1995.

In the late 1990s, again in response to industry demand, the BSI set up a programme to accredit auditing firms, or "certification bodies", as competent to audit against BS 7799; this scheme was known as c:cure. In parallel, a steering committee was formed, leading to revisions of BS 7799 in 1998 and again in 1999. By then the standard consisted of Part 1, the Code of Practice, and Part 2, the Specification for Information Security Management Systems.

While some organizations adopted BS 7799, demand grew for an internationally recognized information security standard issued by an internationally recognized body such as ISO. This led the BSI to "fast track" BS 7799 Part 1, which ISO first published as ISO/IEC 17799:2000 in December 2000. As of September 2001, only Part 1 had been accepted for ISO standardization, because it was applicable internationally and across all types of organizations; the move to submit Part 2 had been withdrawn. In 2005, however, a revised BS 7799-2 was accepted by ISO and published as ISO/IEC 27001:2005, and ISO/IEC 17799:2000 was revised to align with it, becoming ISO/IEC 17799:2005. In 2007, ISO/IEC 17799:2005 was renumbered ISO/IEC 27002:2005 with no other changes.

Is ISO/IEC 27001 relevant to your organization?

According to the ISO committee responsible for the 27000 series and related standards, ISO 27001 is intended to be suitable for several different types of use, including the following:

  • Use within organizations to formulate security requirements and objectives;
  • Use within organizations as a way to ensure that security risks are cost effectively managed;
  • Use within organizations to ensure compliance with laws and regulations;
  • Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • Definition of new information security management processes;
  • Identification and clarification of existing information security management processes;
  • Use by the management of organizations to determine the status of information security management activities;
  • Use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
  • Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
  • Implementation of business-enabling information security;
  • Use by organizations to provide relevant information about information security

Global adoption

A wide range of industries have adopted ISO/IEC 27001, including IT, software, consulting, manufacturing, construction, finance, staffing, shipping, pharmaceuticals, academia, telecommunications, lotteries, security, insurance, healthcare, energy and navigation.

ISO27001certificates.com listed over 7,200 certified organizations as of May 2011. This counts organizations, not certificates: a single "corporate certificate" may cover several sites. The data show certifications increasing at roughly 1,000 per year. The site compiles information on ISO/IEC 27001 certificates issued by many certification bodies worldwide, but reporting is voluntary and some certification bodies do not report their numbers, so the total should be treated as an underestimate.

Benefits

There are several reasons why an organization might seek this certification. Some of the key benefits include:

  • Increased credibility and trust
  • Improved partner, customer and stakeholder confidence
  • Organizational and trading partner assurance
  • Evidence to regulators and other competent authorities that the organization manages its applicable legal and regulatory requirements systematically
  • Competitive advantage and market differentiation
  • Reduced cost of demonstrating compliance to customers and regulators, since one certified ISMS can answer many separate assurance requests

Auditing

To be certified, an organization's ISMS must be audited by a certification body that is itself accredited for the ISO 27001 scheme by a national accreditation body (e.g. UKAS in the United Kingdom). Accreditation helps ensure that certifiers meet national and international requirements for their services and that certificates are issued consistently. The requirements that certification bodies must meet for ISO 27001 are set out in ISO/IEC 27006 ("Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems"), which builds on the general conformity-assessment standard ISO/IEC 17021.

A growing number of certification bodies are accredited to certify against ISO 27001. Although their processes differ in detail, a certification engagement normally involves these common steps:

  • Stage 1 audit: a document review that checks whether the ISMS documentation (scope, policy, risk assessment, Statement of Applicability) is complete enough to proceed
  • Stage 2 audit: an on-site audit that checks whether the ISMS is actually implemented and operating as documented
  • Ongoing surveillance audits during the certification cycle (typically three years), followed by a recertification audit before the certificate expires

A certificate is evidence that the ISMS meets the requirements of the standard within its stated scope; it is not a statement that the organization has no security weaknesses. Because a certificate may cover only some sites, systems or business units, anyone relying on it should check the scope statement rather than the certificate alone.

Click here to register now!

*** Contact us to register for training, consulting and certification services.

Customers, organizations and enterprises that require training, consulting or certification services for an ISMS based on ISO/IEC 27001:2013 should click "Registration - Quotation", or use the toolbar at the lower right of the screen, to receive a quotation for training, consulting and certification services.

Contact us!

*** For further information, please contact us at the addresses below:

- VINTECOM International Office in Ha Noi City: 16th Floor - Green Stars City, 234 Pham Van Dong, Bac Tu Liem District, Ha Noi City. Hotline 094-886-5288/ (024) 730-588-58

- VINTECOM International Office in Ho Chi Minh City: Golden City House - 182 Ha Huy Giap, 12 District, Ho Chi Minh City. Hotline 0938-083-998/ (028) 7300-7588


VINTECOM INTERNATIONAL MANAGEMENT CONSULTANCY COMPANY

Head Office: No. 5 Hoang Sam Street, Nghia Do, Cau Giay District, Ha Noi City

VINTECOM HN OFFICE

Address: 16th Floor - Green Stars City, 234 Pham Van Dong Street, Bac Tu Liem District, Ha Noi City
Tel: (04) 730.588.58 / (04) 730.333.86
Hotline: 094 886 5288
Skype: kd.vintecom
Email: office-hn@vintecom.com.vn
Web: www.vintecom.com.vn

VINTECOM HCM OFFICE

Address: Golden City House, 182 Ha Huy Giap Street, District 12, Ho Chi Minh City
Contact: Ms. Pham Thu Ha
Tel: (08) 7300 7588
Hotline: 0938 083 998
Email: office-hcm@vintecom.com.vn
Web: www.vintecom.com.vn
