FAQ - ISO 27001
What is information security?
Information is an asset which has value to an organisation and needs to be suitably protected. Information assets can be electronically stored, printed or written, transmitted by post or electronically.
Information security is the preservation of
• Confidentiality – Ensuring that information is accessible only to those authorised to have access.
• Integrity – Safeguarding the accuracy and completeness of information and processing methods.
• Availability – Ensuring that authorised users have access to information and associated assets when required.
This confidentiality, integrity and availability of information may be essential to maintain your organisation's commercial position, legal compliance and profitability.
Many organisations are now being asked by their business partners to provide clear statements about their information security management position. Working to an existing standard such as ISO 27001 is the best means to achieve a comprehensive and thorough system that will satisfy regulators and business partners. Seven Nine can help you meet these challenges.
What is the scope of the standard?
Eleven areas are covered within ISO 27001.
- Information Security Policy – Is there management direction and a written policy to provide support and direction for information security activities?
- Organisational Security – Is there an infrastructure to manage security within the organisation? - Includes management forum and processes, third party access and outsourced arrangements.
- Asset Management – Are organisational assets protected? - Includes inventory and classification.
- Human Resources Security – Are the risks of human error or fraud reduced? - Includes personnel screening and terms and conditions of employment (T&Cs), security training and incident reporting.
- Physical and Environmental Security – Is unauthorised access to business premises controlled? - Includes physical security, secure areas, equipment security, maintenance and disposal.
- Communications and Operations Management – Are information processing facilities operated in a correct and secure manner? - Includes operating procedures and change control, system planning, protection against malicious software, backup, media handling, information exchange, and email security.
- Access Control – Is access to business information and processes controlled on the basis of business and security requirements? - Includes user and password management, mobile users, access to applications and network services.
- Information Systems – Is security built into information systems? - Includes development and support processes, cryptography and data validation.
- Incident management – Are events and weaknesses reported, and are events consistently managed?
- Business Continuity – Are critical business processes protected from the effects of major failures or disasters?
- Compliance – Does the firm take measures to avoid breaches of law, and of statutory, regulatory or contractual obligations?
What is the difference between BS 7799 and ISO 27001?
ISO 27001 is essentially the adoption of BS 7799 Part 2 as an ISO standard. Changes have only been minor.
What is ISO 27002?
ISO 27002 is a development of ISO 17799, and is a set of guidelines for Information Security best practice. Firms can seek to comply with this standard, but cannot be certified against it. ISO 27001 was created in order to provide a framework that organisations can be audited and certified against.
What is certification?
Certification is achieved through a process of external audit. A number of bodies are approved for ISO 27001 audit work. As with any external certification, regular surveillance and re-certification audits are required to maintain the certification.
What is compliance?
Any firm can produce a statement of compliance with ISO 27001. Implementing a compliant system requires much of the same work as achieving certification. Your organisation has to weigh the relative commercial merits of compliance against certification. Remember that a statement of compliance represents only your own view, and that your partners may set greater store by the recognition provided by a third party audit.
Do I have to gain certification for the whole organisation?
No, you can choose to limit the scope of your implementation. Be aware that most Information Security components are closely connected throughout your whole firm, so too tight a scope might be difficult to justify. You may choose to limit the scope to specific organisational units or geographical locations.
Can Seven Nine undertake ISO 27001 audits?
Yes, Seven Nine consultants are trained ISMS auditors, and can undertake internal audit work on your behalf.
Can Seven Nine undertake ISO 27001 certification audits?
No, Seven Nine is not a certification body, but can provide services to organisations looking to obtain registration. Our consultants will help guide your organisation through the development and implementation of an ISMS, and work with your selected third party auditors through to certification and beyond.
Where can I find more information about ISO 27001?
Good starting points are the ISMS International User Group www.17799.com and BSI www.bsi-global.com. If you want to order a copy of the standards, you can get one from BSI for around £200.