ISO 27001
Contents
- Introduction
- Overview
- Global adoption
- Benefits
- Auditing
- Choosing a registrar
- Route to registration
- Costs
- Contributing editor
Introduction
ISO 27001 is the formal international security standard against which organizations may seek independent certification of their information security management system. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS), using a continual improvement approach. It is intended to be used in conjunction with ISO 27002:2005, a security Code of Practice, which offers guidance on interpretation and implementation of the list of specific security controls within ISO 27001. It provides the foundation for third-party audits and is meant to ‘harmonize’ with other management standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management). It implements principles from the Organization for Economic Cooperation and Development (OECD) and governs security of information and network systems.
The ISO 27001 standard is formally known as “Information technology — Security techniques — Information security management systems — Requirements”.
Overview
ISO 27001/ISO 27002 is a direct descendant of the British Standard Institute (BSI) Information Security Management standards BS 7799-1 and BS 7799-2. The BSI has long been proactive in the evolving arena of Information Security. The currently published ISO 27001 series of standards consists of:
- ISO/IEC 27000:2009 provides an overview/introduction to the ISO27k standards as a whole plus the specialist vocabulary used in ISO27k.
- ISO/IEC 27001:2005 is the Information Security Management System (ISMS) requirements standard, a specification for an ISMS against which thousands of organizations have been certified compliant.
- ISO/IEC 27002:2005 is the code of practice for information security management describing a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
- ISO/IEC 27003:2010 provides guidance on implementing ISO/IEC 27001.
- ISO/IEC 27004:2009 is an information security management measurement standard.
- ISO/IEC 27005:2008 is an information security risk management standard.
- ISO/IEC 27006:2007 is a guide to the certification or registration process for accredited ISMS certification or registration bodies.
- ISO/IEC 27011:2008 is the information security management guideline for telecommunications organizations.
- ISO/IEC 27031:2011 is an ICT-focused standard on business continuity.
- ISO 27799:2008 provides health sector specific ISMS implementation guidance based on ISO/IEC 27002.
In response to industry demands, a working group devoted to Information Security was first established in the early 1990s, resulting in a “Code of Practice for Information Security Management” in 1993. This work evolved into the first version of the BS 7799 standard, released in 1995.
In the late 1990s, again in response to industry demands, the BSI formed a program to accredit auditing firms, or “Certification Bodies,” as competent to audit to BS 7799. This scheme is known as c:cure. Simultaneously, a steering committee was formed, culminating in the update and release of BS 7799 in 1998 and then again in 1999. The BS 7799 standard then consisted of Part 1: Code of Practice, and Part 2: Specification of Information Security Management Systems.
While some organizations utilized the BS 7799 standard, demand grew for an internationally recognized information security standard under the aegis of an internationally recognized body, such as the ISO. This demand led to the “fast tracking” of BS 7799 Part 1 by the BSI, culminating in its first release by ISO as ISO/IEC 17799:2000 in December 2000. As of September 2001, only BS 7799 Part 1 had been accepted for ISO standardization, because it was applicable internationally and across all types of organizations. The movement to submit BS 7799 Part 2 for ISO standardization had been withdrawn. In 2005, however, BS 7799-2 was revised, accepted by ISO and dubbed ISO/IEC 27001, and ISO/IEC 17799:2000 was revised to align with ISO 27001, becoming ISO/IEC 17799:2005. In 2007, ISO 17799:2005 was renamed ISO 27002, but no other changes were made.
Is ISO/IEC 27001 relevant to your organization?
According to the ISO committee in charge of the 27000 series and related standards, ISO 27001 is intended to be suitable for several different types of use, including the following:
- Use within organizations to formulate security requirements and objectives;
- Use within organizations as a way to ensure that security risks are cost effectively managed;
- Use within organizations to ensure compliance with laws and regulations;
- Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- Definition of new information security management processes;
- Identification and clarification of existing information security management processes;
- Use by the management of organizations to determine the status of information security management activities;
- Use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
- Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
- Implementation of business-enabling information security;
- Use by organizations to provide relevant information about information security
Global adoption
A wide range of industries have adopted ISO/IEC 27001. These include IT, Software, Consultants, Manufacturing, Construction, Financial, Staffing, Shipping, Pharmaceuticals, Academia, Telecom, Lottery, Security, Consulting, Insurance, Healthcare, Energy and Navigation.
ISO27001certificates.com reported over 7,200 companies certified to ISO/IEC 27001 as of May 2011. This counts companies rather than certificates (some companies have several sites listed under one “Corporate Certificate”). The data shows that certifications have been increasing at a rate of about 1,000 per year. The website compiles information on ISO/IEC 27001 certificates issued by many certification bodies worldwide, but reporting is optional and some certification bodies don’t report their numbers, so the total is considered an underestimate.
Benefits
There are several reasons why an organization might seek this certification. Some of the key benefits include:
- Increased credibility and trust
- Improved partner, customer and stakeholder confidence
- Organizational and trading partner assurance
- Demonstration to competent authorities that the organization observes all applicable laws and regulations
- Competitive advantage and market differentiation
- Reduced regulation costs
Auditing
To meet certification requirements, an organization's ISMS must be audited by a certification body that is accredited by an International Accreditation Body for that scheme (e.g. UKAS in the United Kingdom). This helps ensure that certifiers meet national and international standards for their services and provide consistent results. For ISO 27001, the governing document is typically ISO 27006 (“Information Technology - Security Techniques - Requirements for Bodies Providing Audit and Certification of Information Security Management Systems”), which is derived from the overarching standard ISO 17021.
A growing number of organizations are accredited to grant certification against ISO 27001. While the approach to the certification process may differ, there are common steps required within an application. These include:
- Stage I document review
- Stage II compliance audit
- Ongoing surveillance audits
Choosing a registrar
There are over 1,000 certification bodies globally. It is important to select an approved certification body and to ensure they comply with the following criteria:
- Ensure the company is accredited to ISO/IEC 17021:2006, and the certification body accreditation is issued by a recognised competent body.
- Receive quotations from several certification bodies.
- Do not select the cheapest quote as their auditing or service may be below standard.
- Ensure the certification body is recognised by your customers and they have the relevant sector experience for your industry sector.
Route to registration
- Pre-audit Assessment
- Check documentation with Lead Assessor. Together, you and your Lead Assessor will review your documentation. This will ensure that all documented procedures cover the requirements of ISO 9001:2000.
- Determine date of assessment. Together with your Lead Assessor you will determine the best timetable for your registration and agree on a date for the initial assessment. Many organizations benefit from a pre-assessment "dry run" of the formal assessment.
- Initial Audit Stage I Documentation. An initial Stage I documentation assessment will be conducted by your auditor. The Documentation Audit includes a document review, which needs to be completed before the Implementation Audit can begin. Your certification body is expected to review all documents relating to the design and implementation of the ISMS. You will be informed of the auditor's recommendation at the closing meeting.
- Implementation Audit Stage 2. The Implementation Audit Stage 2 takes place at the site of the client. The audit plan is agreed and circulated to the client in advance of the commencement of Stage 2 and is finalized to fit in with the client's business commitments at the commencement of this stage. All the elements and controls of ISO 27001 are covered in depth at this stage.
- Registration Confirmation. Following your auditor's recommendation, your registration will be confirmed by the technical reviewers.
- Certificate Issue. Your certificate of registration will arrive soon after your registration has been confirmed.
- Continued Assessment. After registration, your nominated auditor will visit your organization every 6 months or annually to ensure that your management system continues to meet the requirements of ISO/IEC 27001.
- Reassessment. Your registrar is required to perform a reassessment of your management system every 3 years. This normally takes about 2/3 of the initial assessment duration. At the end of the closing meeting your auditor will confirm the outcome if you are successful.
Costs
The cost depends on a number of factors. There are costs both to implement and to maintain your certification. In terms of implementation costs, if you choose a full do-it-yourself approach, the only real costs will be the time of the resources dedicated to the implementation process, the time spent writing documents, and the time spent training your staff. If you have little experience with ISO/IEC 27001, or have limited internal resources, you might choose to get outside professional help through a management system consultant. One advantage of recruiting a consultant is that you are able to guarantee your registration within a given period of time.
Certification Costs
Costs of registration depend on the size of your organization. Most registrars charge a day rate for being on-site at your facility. This day rate varies by country; in the United Kingdom it typically ranges between £300 and £800 per auditor day depending on the registrar. Small companies with fewer than 20 staff could expect one auditor on site for 1-3 days; large companies can expect several auditors on site for up to 10-15 days. Other fees include application fees, certificate fees and annual licence fees.
To maintain your certification, the registrar must return annually to audit a portion of your system. These costs will be lower than those of the original visit, since the time spent will be shorter. Once every three years, the registrar returns to audit your entire system.
Contributing editor
John DiMaria
John DiMaria (Co-Author of “How to Deploy BS 25999”) is the Director of Professional Services for eFortresses, a global security and compliance organization, and President of the HISP Institute. John is a management system professional, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP) and Master HISP with 24 years of successful experience in Management System Development, including Information Systems, Quality Assurance, International Quality Standards, Statistical Process Control, Regulatory Affairs, Customer Service, Subcontractor Analysis and Marketing/Sales in a highly competitive environment. John holds formal qualifications in several areas of ISMS, ITSM and BCMS and has served in several leadership roles in the international community as a technical, scheme and marketing specialist responsible for overseeing development, education and expertise regarding all information security and business continuity activities, including ISO 27001, ISO 20000 and BS 25999. John was also a recipient of the British Standards Institute’s Global Innovation Award.
He has served on committees that influence legislation and drive international harmonization such as the HISPI (Holistic Information Practitioner Institute), various committees that influence BCMS standards and the BITS Shared Assessment Program. He is the President of the HISPI and has been featured in many publications such as Computer World, Quality Magazine, QSU, SC Magazine, Campus Technology and GSN Magazine (dubbed “Business Continuity’s new standard bearer”) concerning various topics regarding information security and business continuity.