Avatar of J_Drake
J_Drake asked on

ISO 2700x Corp Certification

Hi All,

I am just starting to research and was wondering if a corporation would certify to ISO 27001 or 27002?


Where are all of the controls listed that you certify against? Are they listed by industry say for example would banking be tied to a list of 15 out of 29 controls (just an example, I know there are many more).

Any help appreciated..

Regards,
Security

Avatar of undefined
Last Comment
J_Drake

8/22/2022 - Mon
btan

You probably should be checking out for "ISO 27001:2005 ISMS Implementation Checklist". It is previously known as "BS ISO/ IEC 17799:2005".  As a whole, the key areas covered by the ISO 27001:2005 ISMS – Requirements include:
a)      4 ISMS Requirements
b)      5 Mgmt Responsibilities
c)      6 Internal ISMS Audits
d)      7 Mgmt Review of ISMS
e)      8      ISMS Improvement
f)      Annex A: Control Objectives and Controls
•      A5 Security Policy
•      A6 Organisation of Information Security
•      A7 Asset Mgmt
•      A8 Human Resource Security
•      A9 Physical & Environmental Security
•      A10 Communications & Operations Mgmt
•      A11 Access Control
•      A12 Information System Acquisition, Development & Maintenance
•      A13 Information Security Incident Mgmt
•      A14 Business Continuity Mgmt
•      A15 Compliance

Below has description of the various and 27001 and 27002 can be the main focus
http://www.iso27001security.com/html/iso27000.html

this toolkit comes in handy too e.g. ISMS implementation and certification process flowchart, ISMS implementation plan, Case study on ISMS implementation, Controls cross-check and more @ http://www.iso27001security.com/html/iso27k_toolkit.html

I also attached a summary checklist for info.

Note that information security is not the same as computer security. All information assets need to be secured appropriately, including hardcopy documents, CCTV/videoconference data, telephone systems etc. as well as computer data, systems and networks. Getting the RiskAssessment right is crucial to the success of implementation. The structure of the risk assessment is clearly outlined in ISO27001 and should be followed very closely.
E.g. http://iso-17799.safemode.org/index.php?page=RiskAssessment
27001-2005-ISMS-chk.doc
btan

ASKER
J_Drake

Hi Breadtan,

Thanks for your responses.. I have been going over the info / links that you have provided.

I still need a little more assistance with one of original questions.. This is where I am really struggling.

How do I know what controls pertain to me?

Is there a list of controls that are common to an industry (banking, manufacturing, telecom)?

When an external auditor comes in how do they assess compliance?

I appreciate all your help.

Regards,
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER CERTIFIED SOLUTION
btan

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
btan

I suggest you catch this two xls which can help to focus which control involvements of the functional role in general as baseline

ISO27k gap analysis and SoA spreadsheets
http://www.iso27001security.com/ISO27k_ISMS_gap_analysis_and_SoA_v1_02.xlsx

e.g. Administration, CISO, Finance, HR, IT, S/W, Top Management, Training

Control Cross Check
http://www.iso27001security.com/ISO27k_Controls_cross_check.xlsx
ASKER
J_Drake

Thanks for all your help..

Regards,
JD