ISO 2700x Corp Certification

Hi All,

I am just starting to research and was wondering if a corporation would certify to ISO 27001 or 27002?

Where are all of the controls listed that you certify against? Are they listed by industry? Say, for example, would banking be tied to a list of 15 out of 29 controls (just an example, I know there are many more)?

Any help appreciated.

btan (Exec Consultant) commented:
You should probably check out the "ISO 27001:2005 ISMS Implementation Checklist". It was previously known as "BS ISO/IEC 17799:2005". As a whole, the key areas covered by the ISO 27001:2005 ISMS – Requirements include:
a) 4 ISMS Requirements
b) 5 Mgmt Responsibilities
c) 6 Internal ISMS Audits
d) 7 Mgmt Review of ISMS
e) 8 ISMS Improvement
f) Annex A: Control Objectives and Controls
   • A5 Security Policy
   • A6 Organisation of Information Security
   • A7 Asset Mgmt
   • A8 Human Resource Security
   • A9 Physical & Environmental Security
   • A10 Communications & Operations Mgmt
   • A11 Access Control
   • A12 Information System Acquisition, Development & Maintenance
   • A13 Information Security Incident Mgmt
   • A14 Business Continuity Mgmt
   • A15 Compliance

Below is a description of the various standards; 27001 and 27002 can be the main focus.

This toolkit comes in handy too, e.g. ISMS implementation and certification process flowchart, ISMS implementation plan, case study on ISMS implementation, controls cross-check and more @

I also attached a summary checklist for info.

Note that information security is not the same as computer security. All information assets need to be secured appropriately, including hardcopy documents, CCTV/videoconference data, telephone systems etc. as well as computer data, systems and networks. Getting the risk assessment right is crucial to the success of implementation. The structure of the risk assessment is clearly outlined in ISO27001 and should be followed very closely.
J_Drake (Author) commented:
Hi Breadtan,

Thanks for your responses. I have been going over the info / links that you have provided.

I still need a little more assistance with one of my original questions. This is where I am really struggling.

How do I know what controls pertain to me?

Is there a list of controls that are common to an industry (banking, manufacturing, telecom)?

When an external auditor comes in, how do they assess compliance?

I appreciate all your help.

btan (Exec Consultant) commented:
Organizations are certified against ISO/IEC 27001, not ISO/IEC 27002. Most of it is explained in the FAQ. For a specific industry, I would rather you focus on the pertinent information to be secured and the relevant policy to overlay onto the ISO, but largely ISO should be more comprehensive already. Risk assessment is needed to determine which control is good as part of the ISMS implementation too.

Key extract that helps:

While compliance with the main body text of 27001 (the bits concerning the management system) is considered mandatory for certification, the control objectives in annex A (the bits concerning information security, summarized from ISO/IEC 27002) are optional: organizations choose whichever of those security control objectives they deem relevant and necessary to address their information security risks, then select the security controls (or indeed other risk treatments e.g. avoiding or transferring some risks) that they feel are applicable.  

An effective ISO/IEC 27001 ISMS using a comprehensive suite of controls drawn from ISO/IEC 27002 (and/or indeed other security standards such as SP800-53 FISMA) should satisfy and in fact exceed PCI-DSS and other externally-imposed security compliance obligations, while simultaneously generating additional business benefits through satisfying internally-derived security requirements.

ISO/IEC 27001 lays out a formal specification for an ISMS, with the emphasis very much on ‘management system’ rather than ‘information security’.  The management system element of an ISMS is more easily specified in a generic yet formal way than the information security controls, and therefore ISO/IEC 27001 is the standard against which organizations are formally certified.

I tend to speak of ISO/IEC 27002 as a menu of information security controls from which you need to pick your meal.  You make your order (select the specific controls) using a risk analysis process which is briefly mentioned in section 4 of the standard, and is covered in more detail in yet another ISO/IEC standard, ISO/IEC 27005.

See this

btan (Exec Consultant) commented:
I suggest you catch these two xls files, which can help to focus on the control involvement of each functional role in general, as a baseline.

ISO27k gap analysis and SoA spreadsheets

e.g. Administration, CISO, Finance, HR, IT, S/W, Top Management, Training

Control Cross Check
J_Drake (Author) commented:
Thanks for all your help.
