ISO/IEC 27000 - Provides the overview and vocabulary used to reference the ISO 27000 family of standards.
ISO/IEC 27001 - Formal specification of an Information Security Management System (ISMS)
ISO/IEC 27002 - Defines guidelines for information security controls
ISO/IEC 27003 - Guidance for ISMS implementation
ISO/IEC 27004 - Reference for ISMS metrics and measurement
ISO/IEC 27005 - Risk management process and methods
ISO/IEC 27006 - Guidelines for planning ISMS certification
ISO/IEC 27007 - Guidelines for ISMS auditing
ISO/IEC 27008 - Guidelines focused on technical auditing of controls
ISO/IEC 27010 - Guidelines for sharing confidential information within an organization group or with outside organizations
ISO/IEC 27011 - ISMS guidelines for organizations in the telecommunications domain
ISO/IEC 27031 - Guidelines in the context of business continuity and disaster planning
ISO/IEC 27033 - Guidelines for managing network systems security
ISO/IEC 27034 - Guidelines for managing application security
ISO/IEC 27035 - Guidelines for incident management
ISO 27799 - ISMS guidelines for organizations in the healthcare domain
ISO 27000 – Scope for Assessment & Certification
Information technology is the core of ISO 27001 and 27002, but ISMS controls should be applied to all other departments across the organization as well. The scope may be defined based on the organization's vision and the objectives behind ISO 27000 compliance. Additional standards are available for the healthcare and telecom domains that complement the core standards.
Restricting the scope may reduce the cost and effort involved, but uncontrolled processes and practices outside the scope strongly influence the processes and controls inside it. Most organizations plan a phase-wise implementation and extend the scope over time.
ISO 27001 Certification
ISO/IEC 27002 is a code of practice against which organizations can be assessed or audited but not formally certified. ISO/IEC 27002 contains a set of 39 key control objectives for information security and lists the best practices that are commonly used to satisfy those control objectives. ISO/IEC 27001 describes the formal specification for an ISMS, with the focus on management of the system rather than on describing information security itself. The management system element of an ISMS can be specified more easily, and in a generic but formal way, than the information security controls can, and therefore ISO/IEC 27001 is the standard against which organizations can be formally certified.
Maintaining compliance with the ISO 27001 specification is mandatory for certification, but the control objectives listed in ISO 27001 Annex A are optional and are mapped to the ISO/IEC 27002 sections. Organizations may choose the security control objectives they deem necessary to fulfill and relevant to their organizational objectives.
Below are the major functions covered:
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Meeting other Compliance (technical/legal/copyright etc.)
Please note that the list above does not include all the sections defined in the specification; these are just the major functional areas in scope. You may purchase the full standard document from the ANSI Store for complete reference.
Below are the key steps involved in the certification process:
- Define ISMS Scope & Objectives
- Build Assets Inventory
- Assessment of Security Risks
- Prepare Statement of Applicability (SOA) and Risk Treatment Plan (RTP)
- Define ISMS implementation project roadmap
- Start ISMS implementation program and maintain as ongoing process
- Collect process compliance artifacts
- Review compliance adherence and gaps
- Plan & execute corrective actions
- Conduct pre-certification assessment
- Plan Formal Certification audit from a recognized Certification Body/Auditor
ISO 27000 – Major Challenges
Every organization is unique and has its own set of challenges depending on affordability, the vendor/supplier model, management support and prior implementation of other standards. A few common challenges are as follows:
- Deciding on the control boundary, especially for the initial phase.
- Demand for dedicated ISMS staff, including a Chief Information Security Officer and other InfoSec team members with a background in the information security domain.
- Setting up the risk assessment and auditing process in a formal manner.
- Affordability of additional hardware and software, including digital assets as well as physical access control.
- Dealing with vendors and suppliers: maintaining compliance, and replacing vendors who cannot ensure adherence to ISMS processes and controls.
- Increased complexity and turnaround time (TAT) due to new processes introduced for existing functions.
- Formal asset tracking and control.
- Dealing with non-compliance incidents without impacting running practices and operations.
- Technical ability to train or hire staff to work with new monitoring and tracking software and to maintain compliance across a broad set of technology platforms, including shared resources such as cloud/web hosting and mobile usage.
- Improving awareness among employees and tracking compliance, especially outside the organization-controlled boundary, e.g. sharing critical information outside the trusted zone.