ISO 27001:2005 ConsultantsISO 27001:2005 Certification Certified compliance with ISO/IEC 27001 by an accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are (quite rightly!) concerned about the security of their information, and about information security throughout the supply chain or network. According to the ISO survey for 2012, there were nearly 20,000 ISO/IEC 27001 certificates worldwide, a number that had increased by more than 10% since the year before: Certification brings a number of benefits above and beyond mere compliance, in much the same way that an ISO 9000-series certificate says more than just We are a quality organization. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires senior management approval (which is an advantage in security awareness terms, at least!). The certificate has marketing potential and demonstrates that the organization takes information security management seriously. However, as noted above, the assurance value of the certificate is highly dependent on the ISMS scope and SoA - in other words, dont put too much faith in an organizations ISO/IEC 27001 compliance certificate if you are highly dependent on its information security. In just the same way that certified PCI-DSS compliance does not mean We guarantee to secure credit card data and other personal information, certified ISO/IEC 27001 compliance is a positive sign but not a cast-iron guarantee about an organizations information security. It says We have a compliant ISMS in place, not We are secure. Thats an important distinction. Introduction ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information security risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27ks flexible risk-driven approach as compared to, say, PCI-DSS. The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief. ISO/IEC 27001 does not formally mandate specific information security controls since the controls that are required vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO/IEC 27002 are noted in annex A to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organizations information security risks, which is one vital part of the ISMS. Furthermore, management may elect to avoid, transfer or accept information security risks rather than mitigate them through controls - a risk management decision. ISO 27001:2005 Consultants by State
|