• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 608
  • Last Modified:

ISO 2700x Corp Certification

Hi All,

I am just starting to research and was wondering if a corporation would certify to ISO 27001 or 27002?


Where are all of the controls listed that you certify against? Are they listed by industry say for example would banking be tied to a list of 15 out of 29 controls (just an example, I know there are many more).

Any help appreciated..

Regards,
0
J_Drake
Asked:
J_Drake
  • 4
  • 2
1 Solution
 
btanExec ConsultantCommented:
You probably should be checking out for "ISO 27001:2005 ISMS Implementation Checklist". It is previously known as "BS ISO/ IEC 17799:2005".  As a whole, the key areas covered by the ISO 27001:2005 ISMS – Requirements include:
a)      4 ISMS Requirements
b)      5 Mgmt Responsibilities
c)      6 Internal ISMS Audits
d)      7 Mgmt Review of ISMS
e)      8      ISMS Improvement
f)      Annex A: Control Objectives and Controls
•      A5 Security Policy
•      A6 Organisation of Information Security
•      A7 Asset Mgmt
•      A8 Human Resource Security
•      A9 Physical & Environmental Security
•      A10 Communications & Operations Mgmt
•      A11 Access Control
•      A12 Information System Acquisition, Development & Maintenance
•      A13 Information Security Incident Mgmt
•      A14 Business Continuity Mgmt
•      A15 Compliance

Below has description of the various and 27001 and 27002 can be the main focus
http://www.iso27001security.com/html/iso27000.html

this toolkit comes in handy too e.g. ISMS implementation and certification process flowchart, ISMS implementation plan, Case study on ISMS implementation, Controls cross-check and more @ http://www.iso27001security.com/html/iso27k_toolkit.html

I also attached a summary checklist for info.

Note that information security is not the same as computer security. All information assets need to be secured appropriately, including hardcopy documents, CCTV/videoconference data, telephone systems etc. as well as computer data, systems and networks. Getting the RiskAssessment right is crucial to the success of implementation. The structure of the risk assessment is clearly outlined in ISO27001 and should be followed very closely.
E.g. http://iso-17799.safemode.org/index.php?page=RiskAssessment
27001-2005-ISMS-chk.doc
0
 
btanExec ConsultantCommented:
0
 
J_DrakeAuthor Commented:
Hi Breadtan,

Thanks for your responses.. I have been going over the info / links that you have provided.

I still need a little more assistance with one of original questions.. This is where I am really struggling.

How do I know what controls pertain to me?

Is there a list of controls that are common to an industry (banking, manufacturing, telecom)?

When an external auditor comes in how do they assess compliance?

I appreciate all your help.

Regards,
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
btanExec ConsultantCommented:
Organizations are certified against ISO/IEC 27001, not ISO/IEC 27002.  Most of it explained in the FAQ -  for specific industry, I rather you focus on the information to be secured pertaining and relevant policy to overlay into the ISO but largely ISO should be more comprehensive already. Risk assessment is needed to determine which control is good as part of the ISMS implementation too
@ http://www.iso27001security.com/html/audit___certification.html

Key extract that helps:

While compliance with the main body text of 27001 (the bits concerning the management system) is considered mandatory for certification, the control objectives in annex A (the bits concerning information security, summarized from ISO/IEC 27002) are optional: organizations choose whichever of those security control objectives they deem relevant and necessary to address their information security risks, then select the security controls (or indeed other risk treatments e.g. avoiding or transferring some risks) that they feel are applicable.  

An effective ISO/IEC 27001 ISMS using a comprehensive suite of controls drawn from ISO/IEC 27002 (and/or indeed other security standards such as SP800-53 FISMA) should satisfy and in fact  exceed PCI-DSS and other externally-imposed security compliance obligations, while simultaneously generating additional business benefits through satisfying internally-derived security requirements

ISO/IEC 27001 lays out a formal specification for an ISMS, with the emphasis very much on ‘management system’ rather than ‘information security’.  The management system element of an ISMS is more easily specified in a generic yet formal way than the information security controls, and therefore ISO/IEC 27001 is the standard against which organizations are formally certified.

I tend to speak of ISO/IEC 27002 as a menu of information security controls from which you need to pick your meal.  You make your order (select the specific controls) using a risk analysis process which is briefly mentioned in section 4 of the standard, and is covered in more detail in yet another ISO/IEC standard, ISO/IEC 27005.

See this
http://www.iso27001security.com/ISO27k_ISMS_implementation_and_certification_process_v3.pdf
0
 
btanExec ConsultantCommented:
I suggest you catch this two xls which can help to focus which control involvements of the functional role in general as baseline

ISO27k gap analysis and SoA spreadsheets
http://www.iso27001security.com/ISO27k_ISMS_gap_analysis_and_SoA_v1_02.xlsx

e.g. Administration, CISO, Finance, HR, IT, S/W, Top Management, Training

Control Cross Check
http://www.iso27001security.com/ISO27k_Controls_cross_check.xlsx
0
 
J_DrakeAuthor Commented:
Thanks for all your help..

Regards,
JD
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now