J_Drake
asked on
ISO 2700x Corp Certification
Hi All,
I am just starting to research and was wondering if a corporation would certify to ISO 27001 or 27002?
Where are all of the controls listed that you certify against? Are they listed by industry? Say, for example, would banking be tied to a list of 15 out of 29 controls (just an example, I know there are many more)?
Any help appreciated.
Regards,
Some quick articles for understanding:
- The Journey to ISO 27001 (Part 1)
http://www.windowsecurity.com/articles-tutorials/misc_network_security/journey-iso-27001-part1.html
- The Journey to ISO 27001 (Part 2)
http://www.windowsecurity.com/articles-tutorials/misc_network_security/journey-iso-27001-part2.html
ASKER
Hi Breadtan,
Thanks for your responses. I have been going over the info / links that you have provided.
I still need a little more assistance with one of my original questions. This is where I am really struggling.
How do I know what controls pertain to me?
Is there a list of controls that are common to an industry (banking, manufacturing, telecom)?
When an external auditor comes in how do they assess compliance?
I appreciate all your help.
Regards,
I suggest you check these two xls files, which can help to focus on which controls involve each functional role in general, as a baseline:
ISO27k gap analysis and SoA spreadsheets
http://www.iso27001security.com/ISO27k_ISMS_gap_analysis_and_SoA_v1_02.xlsx
e.g. Administration, CISO, Finance, HR, IT, S/W, Top Management, Training
Control Cross Check
http://www.iso27001security.com/ISO27k_Controls_cross_check.xlsx
ASKER
Thanks for all your help.
Regards,
JD
a) 4 ISMS Requirements
b) 5 Mgmt Responsibilities
c) 6 Internal ISMS Audits
d) 7 Mgmt Review of ISMS
e) 8 ISMS Improvement
f) Annex A: Control Objectives and Controls
• A5 Security Policy
• A6 Organisation of Information Security
• A7 Asset Mgmt
• A8 Human Resource Security
• A9 Physical & Environmental Security
• A10 Communications & Operations Mgmt
• A11 Access Control
• A12 Information System Acquisition, Development & Maintenance
• A13 Information Security Incident Mgmt
• A14 Business Continuity Mgmt
• A15 Compliance
The link below describes the various ISO27k standards; 27001 and 27002 can be the main focus:
http://www.iso27001security.com/html/iso27000.html
This toolkit comes in handy too, e.g. ISMS implementation and certification process flowchart, ISMS implementation plan, case study on ISMS implementation, controls cross-check and more @ http://www.iso27001security.com/html/iso27k_toolkit.html
I also attached a summary checklist for info.
Note that information security is not the same as computer security. All information assets need to be secured appropriately, including hardcopy documents, CCTV/videoconference data, telephone systems etc., as well as computer data, systems and networks. Getting the risk assessment right is crucial to the success of implementation. The structure of the risk assessment is clearly outlined in ISO27001 and should be followed very closely.
E.g. http://iso-17799.safemode.org/index.php?page=RiskAssessment
27001-2005-ISMS-chk.doc