SPECIALISTS IN INFORMATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)
ISO/IEC 27001 and 27002
ISO/IEC 27001:2013 specifies how to build, operate, maintain and improve an ISMS. It is based on the new common structure for all management system standards, which is gradually being adopted in other areas such as quality and environmental management. It requires you to select security controls on the basis of a risk assessment, and to consider all the controls defined in ISO/IEC 27002, the Code of Practice. That list is not exhaustive, and you are free to identify additional control objectives and controls as you see fit.
ISO/IEC 27002:2013 defines 114 security controls, structured under 14 major headings, to enable readers to identify the particular safeguards appropriate to their business or area of responsibility. These controls contain further detailed advice, amounting to somewhere in the region of 5000 elements of best practice.
Certification schemes have been established in many parts of the world.
ISO/IEC 27006 provides guidance to National Accreditation Bodies for the accreditation of Certification Bodies wishing to assess ISMSs, e.g. against ISO/IEC 27001:2013. The various National Accreditation Bodies around the world operate a “mutual recognition” process that allows certificates awarded in one country to be accepted by the Accreditation Body of another.
To be awarded a certificate, you must have your ISMS audited by an ISMS assessor. The assessor cannot also act as your consultant; there are very strict rules about this. The assessor will work for a Certification Body (such as BSI Assessment Services Limited or Det Norske Veritas).
The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.
The assessor will return periodically to check that your ISMS is working as intended.
To buy a copy of the standards, contact BSI Customer Services by telephone on (+44) 20 8996 7555 or online at https://eshop.bsi-global.com/.
Want to know more?
Buy the BSI book An introduction to ISO/IEC 27001:2013 by David Brewer, one of Gamma's co-founders.
© Gamma Secure Systems Limited, 1998-2013