base management system
ISO 27001

WHAT DOES BEING ISO 27001 CERTIFIED MEAN?

ISO 27001 certification means that an independent auditor, known as a certification body, has assessed the organisation's Information Security Management System (ISMS) and confirmed that it conforms to the requirements of the ISO/IEC 27001 standard.


Information security management systems

ISO/IEC 27001 formally specifies an Information Security Management System (ISMS): a governance arrangement comprising a structured suite of activities with which to manage information risks (called ‘information security risks’ in the standard). The ISMS is an overarching framework through which management identifies, evaluates and treats (addresses) the organisation’s information risks.

The ISMS requires the security arrangements to be reviewed and adjusted as the threats, vulnerabilities and business impacts change. This matters in such a dynamic field, and it is a key advantage of the ISO27k family’s flexible, risk-driven approach over a fixed control list such as PCI DSS. The standard covers all types of organisation (e.g. commercial enterprises, government agencies, non-profits) of all sizes (from micro-businesses to huge multinationals) in all industries (e.g. retail, banking, defence, healthcare, education and government). This is clearly a very wide brief.


What exactly does ISO 27001 do?

ISO/IEC 27001 does not formally mandate specific information security controls, since the controls that are required vary markedly across the wide range of organisations adopting the standard. The information security controls from ISO/IEC 27002 are summarised in Annex A of ISO/IEC 27001, rather like a menu.

Organisations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, drawing on those listed in the menu and potentially supplementing them with other à la carte options (sometimes known as extended control sets).

As with ISO/IEC 27002, the key to selecting applicable controls is a comprehensive assessment of the organisation’s information risks, which is one vital part of the ISMS. Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through controls; this is a risk treatment decision within the risk management process, and it must be documented and approved by the risk owner.

How you can adopt ISO 27001

The standard is intended to drive the implementation of an enterprise-wide ISMS, so that every part of the organisation benefits by addressing its information risks in an appropriate and systematically managed manner. Nevertheless, organisations can scope their ISMS as broadly or as narrowly as they wish; indeed, scoping is a crucial decision for senior management (clause 4.3), and a narrow scope limits what the certificate actually attests to.

A documented ISMS scope is one of the mandatory requirements for certification. The Statement of Applicability (SoA) is likewise mandatory: clause 6.1.3 requires the organisation to produce one. The SoA is derived from the output of the information risk assessment and, in particular, from the decisions about how those risks are to be treated. It lists the controls the organisation has determined to be necessary, states whether each is implemented, and justifies the inclusion or exclusion of every Annex A control. In practice it is often presented as a matrix, with the controls or risks on one axis and the treatment decision, implementation status and accountable owner on the other.

It usually references the relevant controls from ISO/IEC 27002, but the organisation may use a completely different framework such as NIST SP 800-53, the ISF Standard of Good Practice, BMIS and/or COBIT, or a custom approach. The control objectives and controls from ISO/IEC 27002 are provided as a checklist in Annex A in order to avoid ‘overlooking necessary controls’: they are not individually mandatory, but each one must be considered, and any exclusion must be justified in the SoA.


Our implementation methodology

Our end-to-end consulting covers the following stages.

(implementation methodology diagram)
