asked on

ISO 2700x Corp Certification

Hi All,

I am just starting to research and was wondering if a corporation would certify to ISO 27001 or 27002?

Where are all of the controls listed that you certify against? Are they listed by industry say for example would banking be tied to a list of 15 out of 29 controls (just an example, I know there are many more).

Any help appreciated..

Regards,

btan

You probably should be checking out for "ISO 27001:2005 ISMS Implementation Checklist". It is previously known as "BS ISO/ IEC 17799:2005". As a whole, the key areas covered by the ISO 27001:2005 ISMS – Requirements include:
a)      4 ISMS Requirements
b)      5 Mgmt Responsibilities
c)      6 Internal ISMS Audits
d)      7 Mgmt Review of ISMS
e)      8      ISMS Improvement
f)      Annex A: Control Objectives and Controls
•      A5 Security Policy
•      A6 Organisation of Information Security
•      A7 Asset Mgmt
•      A8 Human Resource Security
•      A9 Physical & Environmental Security
•      A10 Communications & Operations Mgmt
•      A11 Access Control
•      A12 Information System Acquisition, Development & Maintenance
•      A13 Information Security Incident Mgmt
•      A14 Business Continuity Mgmt
•      A15 Compliance

Below has description of the various and 27001 and 27002 can be the main focus
http://www.iso27001security.com/html/iso27000.html

this toolkit comes in handy too e.g. ISMS implementation and certification process flowchart, ISMS implementation plan, Case study on ISMS implementation, Controls cross-check and more @ http://www.iso27001security.com/html/iso27k_toolkit.html

I also attached a summary checklist for info.

Note that information security is not the same as computer security. All information assets need to be secured appropriately, including hardcopy documents, CCTV/videoconference data, telephone systems etc. as well as computer data, systems and networks. Getting the RiskAssessment right is crucial to the success of implementation. The structure of the risk assessment is clearly outlined in ISO27001 and should be followed very closely.
E.g. http://iso-17799.safemode.org/index.php?page=RiskAssessment
27001-2005-ISMS-chk.doc

btan

some quick article or understanding
- The Journey to ISO 27001 (Part 1)
http://www.windowsecurity.com/articles-tutorials/misc_network_security/journey-iso-27001-part1.html
- The Journey to ISO 27001 (Part 2)
http://www.windowsecurity.com/articles-tutorials/misc_network_security/journey-iso-27001-part2.html

J_Drake

ASKER

Hi Breadtan,

Thanks for your responses.. I have been going over the info / links that you have provided.

I still need a little more assistance with one of original questions.. This is where I am really struggling.

How do I know what controls pertain to me?

Is there a list of controls that are common to an industry (banking, manufacturing, telecom)?

When an external auditor comes in how do they assess compliance?

I appreciate all your help.

Regards,

ASKER CERTIFIED SOLUTION

btan

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

btan

I suggest you catch this two xls which can help to focus which control involvements of the functional role in general as baseline

ISO27k gap analysis and SoA spreadsheets
http://www.iso27001security.com/ISO27k_ISMS_gap_analysis_and_SoA_v1_02.xlsx

e.g. Administration, CISO, Finance, HR, IT, S/W, Top Management, Training

Control Cross Check
http://www.iso27001security.com/ISO27k_Controls_cross_check.xlsx

J_Drake

ASKER

Thanks for all your help..

Regards,
JD