
The ISO 27001 AND 27002 Information Security Standards

written by: Steve Mallard•edited by: Ronda Bowen•updated: 7/4/2011

This article looks at information security standards for enterprise-level businesses and data protection and privacy as well as the certification process.

    ISO 2700x Security Standards for Your Company

    • ISO 2700x series is the control and certification for information security in the enterprise.
      Companies need to seek this certification to obtain quality and compliance in their Information Technology / Information Systems departments.
    • ISO 17799 has been renamed to ISO 27001.
      This renaming was initiated and processed by ISO. These information security standards now fall under a common naming structure known as the 'ISO 27000 series'.
    • ISO 27002 gives some guidance and provides a section that provides these items:
    The Certification Process

    There are several organizations accredited to grant certification against ISO 27001.

    ISO 27001 works with ISO 9000 and ISO 14000.

    The standard was originally drafted by a BSI/DISC committee that included representatives from a wide section of industry and commerce. It was subsequently reviewed by an ISO (International Standards Organization) committee and ultimately emerged through the ISO publication process.

    BS7799-2, the original specification for an information security management system (ISMS), became ISO 27001 during the fourth quarter of 2005.

    The Certification Process

    1. A company decides to implement ISO 27001.
    2. The company assigns a management committee.
    3. The committee creates an Information Security Policy; deliverable: policy documentation.
    4. The committee defines the ISMS; deliverable: ISMS scope documentation.
    5. Identify the main threats, risks, vulnerabilities and impacts, and perform a risk assessment for the scope of the ISMS; deliverable: RA (risk assessment) documentation.
    6. Company approach to risk management: the committee decides how to handle RM; agree and document accountability and responsibilities.
    7. Using the controls and guidance from 17799 (plus other controls), select objectives and controls; deliverable: prepare the SoA (Statement of Applicability).
    8. Implement the controls.
    9. Ask for certification (correct as needed until certified).

    These types of standards should be undertaken by all companies to ensure information security standards are in place and on-going.