ISO 27001 certification is not compulsory, but is increasingly required by international trading partners. ISO 27001 is part of the ISO 27000 series of standards dealing with the security surrounding company information assets.
By following its guidelines for information security, companies are able to secure assets such as financial information, employee information, third-party data and intellectual property. ISO 27001 certification is popular because the standard deals specifically with Information Security Management Systems, also known as ISMS. The standard provides a framework for managing information security risks, including the identification and analysis of risks and the implementation of the steps needed to manage them. The purpose of the ISMS is to establish procedures, and to manage them on an ongoing basis, so that the organisation can adapt fast enough to counter new types of security threats.
The standard is relevant to any type of organisation in any sector of the economy, irrespective of the organisation’s size. Originally published in 2005, the standard replaced BS 7799-2, a standard outlining codes of practice to protect against information security threats. ISO 27001 harmonised the old BS 7799-2 with other related standards, and ISO 27001 certification likewise replaced BS 7799 certification.
The main purpose of the ISO 27001 standard is to set out the requirements for implementing, maintaining and improving an ISMS. The Plan-Do-Check-Act (PDCA) model featured strongly in the ISO 27001:2005 version; with the 2013 edition, more focus is placed on measuring and evaluating the performance of the ISMS within the organisation.
It should be noted that ISO/IEC 27001 does not dictate which security control measures should be in place. Companies that adopt the standard can still select specific information security controls and supplement them with additional control measures. It is, however, essential to select relevant controls, which can only be done if the security risks have been correctly assessed.
The full title of the standard is ISO/IEC 27001:2013, and it is organised into several sections. Section 0 is the introduction to the standard and the process approach; Section 1 covers the scope of the ISMS requirements; Section 2 lists the normative references; and Section 3 sets out the formalised glossary. Section 4 covers the context of the organisation and defines the scope of the ISMS. The other sections are:
- Section 5 Leadership
- Section 6 Planning
- Section 7 Support
- Section 8 Operation
- Section 9 Performance Evaluation
- Section 10 Improvement
ISO 27001 Certification Requirements
For the purpose of ISO 27001 certification, the organisation should submit specific documented information, including:
- the ISMS scope, the information security policy and the security risk assessment process, together with the risk treatment process and the security objectives;
- documented evidence of the competency of the employees who work with and control information security;
- relevant supporting documents, including operational planning and control, the results of the risk assessments and the decisions taken on how to treat the risks;
- documented proof of the measurement and monitoring of information security and of the ISMS internal audit programme, together with the results of the audit;
- documented evidence of executive management reviews of the implemented ISMS, and documented proof of any non-conformity and of the actions taken to correct it.
Contact us at WWISE for assistance in preparing for ISO 27001 certification, including training, documentation, auditing and maintenance plans.