and ‘information security’ is defined as the “preservation
of confidentiality, integrity and availability of information; in addition,
other properties such as authenticity, accountability, non-repudiation and reliability
can also be involved”.
These definitions come from ISO/IEC 27001:2005.
What is the ‘ISO 27000 family of standards’?
A part of ISO (the International Organization for Standardization) is developing
a family of ISMS standards jointly with the International Electrotechnical Commission (IEC):
the ISO/IEC 27000 series. These standards fall under the general title "Information
technology – Security techniques"; the 27000 series specifically
addresses standards related to information security management systems (ISMS).
There are presently three principal standards in this series: one defines a
management standard, which sets out the requirements of an ISMS; another sets
out a code of practice, with extensive guidance as to how implementers should
select information security controls to be implemented within their ISMS. A
third sets out the requirements for bodies which undertake the certification
of ISMSs. These three standards are therefore symbiotic! To date, only the first
two of these principal standards have been published. They are:
ISO/IEC 27001:2005 "Information security management systems - Requirements";
ISO/IEC 27002:2005 "Code of practice for information security management" (the text of ISO/IEC 17799:2005, renumbered in 2007).
These two standards are based upon existing and proven practices which have
been in use internationally since 1995. Today they are recognized globally as
the de facto information security standards for businesses and governments alike.
The third of these standards is in the final drafting stages and is expected
to be published before the year’s end. That standard is:
ISO/IEC 27006 “Information security management systems – Requirements
for the accreditation of bodies providing certification of information security
management systems”;
Additional standards in the ‘27000’ series are presently being drafted
within ISO. The actual drafting work is the
responsibility of a specific sub-committee tasked with the development of Security
Techniques standards, ISO/IEC JTC 1/SC 27.
More details on the organisation of ISO and the inter-relationships between the 2700x family of standards are given on a separate page.
What is ISO/IEC 27001?
ISO/IEC 27001 is the international management standard for Information Security
Management Systems and is a part of the ISO 27000 family of standards being
developed. It is a normative standard, i.e. it states requirements that must
be fulfilled for conformity to be claimed. It was published in September 2005,
and is in its first release: its full reference is ISO/IEC 27001:2005. It is
against 27001 that businesses’ ISMS may be certified.
It has a counterpart, ISO/IEC 27002:2005 (see below), which is the international
code of practice for information security management. These standards
originated as the two parts of British Standard BS 7799.
What is ISO/IEC 27002?
ISO/IEC 27002 is the international code of practice for Information Security
Management Systems and is a part of the ISO 27000 family of standards being
developed. Because it is a code of practice it offers implementation guidance,
suggesting practices that implementers should adopt, but not requiring them. It
was first published (as ISO/IEC 17799) in 2000 and a revision was published in 2005;
that revised text was renumbered in 2007, so as presently published its
full reference is ISO/IEC 27002:2005.
It has a counterpart, ISO/IEC 27001, which is the international management
standard for Information Security Management Systems, and it is against this latter
standard that businesses may be certified. These standards originated as the two parts of British
Standard BS 7799.
What is ISO/IEC 27006?
ISO/IEC 27006 is intended to be the reference international standard to be used
by accreditation bodies in determining the suitability of bodies operating ISMS
certification schemes. It is a normative standard and those bodies adopting
it will have to show full conformity to claim adherence to it. The publication
of this standard and its adoption by accreditation bodies in those countries
operating ISMS certification schemes will go a long way to ensuring consistency
in accreditation and certification practices and in the mutual recognition of
certificates issued under those schemes. Publication of this standard will be
in late 2006 or early 2007.
How do these standards work together?
27001 is the foundation of the ISMS framework. In five normative sections it
sets out requirements for an ISMS in terms of required documents, activities
and a process model. It also, in a normative annex (Annex A), sets out 133 controls
in 11 clauses, each broken down into control objectives and the controls that serve them. Organisations wishing
to have their ISMS recognized as being conformant to the standard have to show
that they fulfill the normative requirements of the standard.
ISMS implementers are given support through the code of practice which is set
out in 27002. This document gives guidance on how to implement each of the controls
specified in Annex A of 27001.
These two standards therefore are of primary interest to ISMS implementers.
However, those organizations which provide ISMS certification services must
also have in-depth understanding of the requirements of 27001, because they
need to assess the conformity of their clients’ ISMSs. In addition they
have to fulfill the requirements of 27006 in order to become accredited by an
accreditation body.
27006 is based upon a generic standard, ISO/IEC 17021, which sets out requirements
for bodies which certify management systems in general; 27006 adds requirements
which are ISMS specific. It also offers guidance in a number of annexes which
address key topics such as estimating the necessary resources to perform the
assessment and the actual conduct of certification assessments. Although
of obvious importance to accreditation and certification bodies, implementers
should take note of the requirements of this standard in order to understand
what to expect from their chosen certification body.
Zygma’s animated PowerPoint presentation shows how we see these standards
interacting with the players on the ISMS field.
Are other standards planned in this series?
Yes - there are further standards in this series which are in
various stages of being drafted. They can
be expected to be published anytime from 2008 onwards.
The works in progress are (these title and number assignments are liable to
change until the standards become formally published):
27003 - Implementation guidance;
27004 - Metrics and measurements;
27005 - Risk
management;
27007 - Audit guidance.
Others are planned and may cover sector-specific requirements. This page will
be updated as that happens.
About using an ISMS:
Why would my organization need to have an ISMS?
Firstly, implementing an ISMS based on ISO/IEC 27001 shows that an organization
is serious about the way it views its information security responsibilities
and embraces internationally-recognized best practices. Secondly, a certified
ISMS provides an organization with an externally-verified way of demonstrating
that it has in place the controls to adequately protect the organization’s
information assets. It is a near certainty (in all but the most efficiently
operated organizations) that the implementation of an ISMS will reap many improvements
in how the owning organization exercises its internal controls.
An ISMS can also make the organization's information security strategy "defensible".
Should a breach occur that results in damages to a third party, the existence
of a certified ISMS could be used as a due diligence defense in court. This
may (and only ‘may’ – nothing is certain here) limit the
damages for which the organization may be liable.
Isn't it going to be expensive to create and operate an ISMS?
If you have never before done any ISMS implementation then training in knowing
what the ISMS standards cover, how they should be implemented and how to conduct
internal audits will most likely be required. Investment may also be required in
developing policies, processes, procedures, and in operating the ISMS. However,
while there are costs associated with setting up and operating an ISMS, there
are also a number of benefits.
Simply implementing an ISMS is likely to provide
benefits through identification of existing flaws, and a better understanding
of the business’ information security needs. Overall, organizations that
are operating certified ISMSs claim that they have saved money through better
control of risk management within their organization. Manage your risk, manage
your profits.
You can reduce significantly the time and cost to establish your ISMS by using
Zygma’s Advanced Internal Management System model (AIMS) skeleton ISMS
documentation aid. We can also provide you with training in the relevant standards
and in use of the skeleton ISMS.
Why should I bother, nobody is asking me if I’ve got a certified ISMS?
Having a certified ISMS works two ways. One is the improvement it gives to an
organization’s internal controls, and that includes specifically the way
it controls risk associated with its information security assets. There is also,
it is generally found, a net reduction in a business’s costs. An organization
could set up its ISMS and simply run it entirely from within itself. The benefit
of an external assessment and certification is that an independent view is applied,
unlikely to suffer the blind spots we all have when we are deeply involved in
a piece of our own work.
The other way a certified ISMS benefits an organization is that once other parties
understand the merits of the ISMS approach the organization has an advantage
over its competitors, by being able to show that it has satisfied an external
assessor that it conforms to the (internationally-recognized) ISMS standards.
This allows an organization to give greater assurance to its business partners,
investors, clients, and quite likely insurers and regulators.
And, let’s face it, once an organization understands the benefits of having
an ISMS it really should have one itself before it starts to demand one of its
suppliers and business partners. The benefits affect everyone in the supply
chain.
So, who does have a certified ISMS?
Firstly, there are now over two thousand certified ISMSs around the world.
Just to give you a feel for the numbers (it’s hard to keep up, and we’re
not promising to), here are a few ‘ball park’ figures: UK 220+;
India 130+; Taiwan 60; Germany 45; Korea 33; Italy 26; USA 35; Netherlands 20+. Oh, and Japan – 1600 (and growing almost daily!). The remaining certifications
are spread across almost fifty additional countries, in some cases just one
or two per country – these must represent truly pioneering organizations. These numbers are of course increasing steadily.
By no means does every country in which organizations have certified their
ISMS operate accreditation and certification schemes, or have its own version
of the standard. A US-based accreditation scheme is only just now being put
in place.
Who in the USA gives any recognition to the ISMS standards?
Let’s consider the question in two parts – firstly, which bodies
with any standing recognize the value of the controls set out by ISO/IEC 27002? In fact 27002 (when it was still published as 17799) has been recognized as being a guiding light in information security
by a number of US bodies, amongst which are the US Congress Joint Economics
Committee, the Food and Drug Administration, the States of Georgia and Maine
and the Department of Health and Human Services.
For instance, in May 2002 the
Joint Economic Committee of the US Congress published a report in which, under the heading 'VALIDATING COMPLIANCE
- THE FUTURE OF INFORMATION PROTECTION', it is stated "The defining standard
for developing an information protection program around is ISO [27002], formerly
British Standard 7799". At that time there was no international equivalent
to BS 7799-2, the management system requirements, and one might suspect that
it was considered impolitic to recommend a foreign standard as the basis of
securing the nation's information infrastructure. Now of course, the situation
is vastly improved, with the publication of ISO/IEC 27001:2005.
The answer to the other part of the question is a rhetorical question itself:
what about the 35 or so organizations in the US that have already gained certification
of their ISMSs by seeking the services of foreign assessors and which have been
certified against a foreign standard (BS 7799-2)?
We firmly believe that now ISO/IEC 27001:2005 has been formally published there
will be very significant uptake in North America, which hitherto has had to
rely on ‘off-shore’ certifications. Zygma is talking to some of
those leading the wave – in fact we’re among them, having built an ISMS which supports our own businesses, thereby helping us improve
our services to our clients, by practicing what we preach.
What do I need to do to become ISO/IEC 27001-certified?
A simplified answer is that you need to establish policies for information security,
identify your information assets, perform a risk assessment on those assets,
select the controls that treat the risks you have found, establish a management
structure to implement the defined policies and controls, and then establish a
continual improvement process to ensure that those policies and their implementation
are under constant review and enhancement. All of that needs to be documented
in a way which can be shown to fulfill the requirements of ISO/IEC 27001, including
a ‘Statement of Applicability’ recording which Annex A controls you have selected
and why any have been excluded.
Where can I obtain copies of 27001 and 27002?
The full texts of all published ISO standards are available from ISO and from national standards
bodies (ISO’s site lists them); the national standards bodies in the US and the UK are the obvious sources there.
Just a word of advice – get a PDF downloadable version. It
may seem obvious to point out that it is quicker and more convenient, but there
are some sources still selling paper versions.
About audits, conformance, accreditation and certification:
Can I make a self-declaration of conformity?
You could, but (there’s always a 'but') any such declaration would be
more likely to be of use within an organization. It would be unlikely that a
third party, especially one which understands the principles of the international
ISMS standards, would place as much confidence in such a declaration as it would
in a formal certification arising from an independent audit. Certainly a self-declaration
would have no place in the context of international recognition of conformity.
Can anyone audit me?
Technically, yes, but (see above - you’ve already been warned about this),
if the auditor has not had formal training and relevant experience then their
performance may not give the client organization value for money, and their opinion
is likely to carry less weight (than that of someone who does have appropriate
training and experience) if the organization is trying to ‘sell’
the audit outcome to its business partners, etc.
Note - the stress is on 'may not': there are auditors with
a wealth of experience and competence who have not sought formal certification
for themselves. That can give organizations looking for an auditor some problems
in making a selection.
What is a Certification body?
A certification body is a third party organization that has been deemed competent
to perform assessments and audits against a specified standard.
For a certified ISMS, the applicable standard is ISO/IEC 27001:2005.
Who decides whether an organization is actually competent to perform these assessments
or audits?
Individual auditors are required to have undergone formal training and to have
acquired certain levels of experience in order to perform ISMS audits. The International
Register of Certificated Auditors (IRCA) holds a register of those whose competence it
recognizes.
Certification bodies are accredited by national accreditation bodies. Up to
now many have chosen to apply the guideline EA-7/03 to ensure that the organization
concerned has adequate management, resources and skills in place to perform
ISMS audits against ISO/IEC 27001 in a manner which is competent, consistent
and objective. They are required to use only auditors who have undergone training
and acquired certain levels of experience. The forthcoming ISO/IEC 27006 (due for publication in early 2007) draws
heavily on the positive experiences of many years’ application of EA-7/03,
and improves upon it.
Normally the accreditation bodies are affiliated through participation in the
International Accreditation Forum (IAF). In the USA the ANSI-ASQ National Accreditation Board (ANAB) has established an accreditation scheme based upon 27006, but has yet to accredit any certification bodies.
Who are the Accredited Certification Bodies for the standard?
There is a growing number. The following are amongst them: BSI, Certification
Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global
Limited, UIMCert GmbH. We make no claim that this is an exhaustive list –
it certainly isn’t.
At this time there are no certification bodies (CBs) accredited by a North American
accreditation body. Those CBs operating in North America are
presently reliant upon accreditation elsewhere, generally in Europe.
The ANSI-ASQ National Accreditation Board (ANAB) has
established a scheme for the accreditation of ISMS certification
bodies, although the scheme has yet to accredit any CBs.
In which countries are there accreditation and certification schemes actually
set up?
Since the late 1990s, when British Standard (BS) 7799 Part 2 (first published in 1998) was the de facto certification
standard, many countries worldwide have either adopted it within their own national
standards body or have simply taken up BS 7799-2 ‘as is’. Many
have developed their own accreditation and certification schemes. Amongst these
countries are the Netherlands (the Dutch in fact beat the Brits at their own
game, and established the first BS 7799-2 accreditation and certification scheme
in the world; the UK was the second country to achieve this), Australia and
New Zealand (who jointly badged it AS/NZS 4444), Denmark (DS 484), India, Japan,
Korea, Mauritius, Singapore, Spain and Sweden (SS 62 77 99).
In the USA the ANSI-ASQ National Accreditation Board (ANAB) has established an accreditation
scheme based upon 27006, but to date it has accredited no certification bodies; many CBs operating in the USA have already turned to accreditation overseas.
Comparisons with other standards:
How do the ISMS standards fit with ISO 9000 & 14000?
Both ISO/IEC 27001 and 27002 are "harmonized" with other management
standards, including ISO 9000 and ISO 14000. ISMS is of course much more focused
and generally requires significantly more resources to perform, on the basis
of comparable organizational characteristics. However, because of the similarities
we are starting to see certification bodies offering combined audits at a reduced
cost. If you are certified under ISO 9000, it will cost less to maintain your
ISO 27001 certification than it would cost if you are not ISO 9000 certified,
because of certain shared practices. Indeed, some organizations cover both their
in-house ISMS and QA schemes under a single management system and single audits.
How is 27001 different/better than other information security ‘standards’?
There are a number of other ‘standards’ used for information security
auditing. None equal ISO/IEC 27001 and ISO/IEC 27002. The international ISMS
standards have the benefit of thousands of hours of refinement and practical
feedback from actual implementations across the globe. They have been recently
upgraded to bring them up to date within our electronic information society.
They are aligned with other international management and quality standards (ISO
9000, ISO 14000 and ISO/IEC 20000). Furthermore, these ISMS standards actively encourage organizations
to enhance and add their own controls whenever their specific circumstances
demand it, but in a manner which is consistent with the form of expression and
audit practices of the overall ISMS framework.
Additionally, the ISMS standards are supported by auditor training requirements,
formal accreditation and certification schemes world-wide, which generally affords
an ISMS certificate global recognition, adding significantly to its worth.
Certain other schemes have significant drawbacks and do not come up to the
quality of the international ISMS standards. SAS 70, a common auditing standard
applied especially in the accounting and financial world but also in other sectors,
actually has no pre-determined control objectives or control activities that
service organizations must achieve. It is left to the subject of the audit to
set its own rules and targets – hardly a basis for an objective assessment,
and certainly not one that gives any comparable benchmark between organizations.
A cynical view of SAS 70 would be that in a Type I audit the audit subject lies and
the auditor accepts the lie; in a Type II audit the audit subject and the auditor conspire
together to lie. Perhaps a little extreme, and not intended to suggest that those
participating in SAS 70 audits do actually adopt such an approach, but the point
should by now be made: it lacks controls and establishes no benchmark.
Other standards or schemes, such as Identrus (a banking trust scheme in which
many banks participate), have not made their operating rules public, which certainly
fails any generally-accepted test of openness. Undoubtedly, in certain circumstances
these other approaches can have value, but they simply fail to come up to the
level of the international ISMS standards. However, where other standards have
explicit control objectives which have value to the organization it is entirely
feasible, and indeed encouraged, to extend the standard ISMS controls to embrace
these specific requirements and have them included within the scope of the certification
– some organisations have done this, in particular through including their
ISO 9000 controls within a broadened ISMS. The same goes for regulatory requirements,
e.g. SOX and HIPAA.
Zygma can provide clients with detailed guidance on how they can implement an
ISMS and, moreover, can demonstrate how an ISMS can be extended to show conformity
with these two specific pieces of legislation, or indeed with any specific internal
control needs which clients may have.
The BIG questions:
So, does Zygma have its own ISMS?
Yes, in the firm belief that one has to practice what one preaches, Zygma has been explicitly operating in accordance with the provisions of ISO/IEC 27001 since
2006-07. The scope of Zygma's ISMS is:
"Zygma's whole business operations pertaining to the provision of information security consultancy, worldwide."
You can be assured that as soon as we have achieved certification, there will
be at the least an update to this page!
OK, how do I get any help I might need to set up my own ISMS?
Well, there are many businesses in the game of selling ISMS guidance, tools
and other support. As the consumer of their services, first of all, develop
your own plan, decide how you want to use any external services, and make sure
you remain in charge of their participation and the development of your ISMS.
This way, you stay in charge of your business and understand better how the
ISMS is a tool to help you do that. It is a part of your internal control system
– and the ISMS management standard requires top-level management support.
Next, ensure that the business you choose to give you support really understands
what the ISMS concept is about, and has a range of services from basic introduction
to the concepts, through training, assistance with policy development, and maybe
some tools to help you. Check also their track record, whether they are themselves
certified auditors, whether they participate in the development of these standards
and whether they have an ISMS themselves. We’re not saying that these
are ‘musts’ – sometimes extensive experience is worth more
than a piece of paper declaring a certified status, but our point is, look for
strength overall, understanding of the practical application of the ISMS standards,
not just theoretical knowledge, and match it to your needs.
We’d like you to take a look at Zygma and see how we might be able to
assist you. We think we can fulfill these requirements and provide a team of
size and competence to meet your needs. Furthermore, our ISMS Skeleton
documentation aid can put you on the fast-track to building, implementing and
getting your ISMS certified.
We look forward to
– we hope that at the least this ‘QYSA’ list has made you
more aware of the merits of having your own ISMS. Good luck with your endeavours
in that direction.