Welcome - Marc Sel
Information Security Management and ISO/IEC 27001
For a long time, information security had mostly technical standards, but it lacked a minimal consensus in the area of management
and responsibilities. To fill this gap, the BSI (British Standards Institute) introduced the BS7799 standard in 1995, shortly followed by a second BS7799
standard which provided implementation guidelines. Those standards were well accepted and evolved into the ISO (International Standards Organisation)'s
ISO/IEC 2700X family.
Fundamental to the ISMS (Information Security Management System) standard is the typical management organisation model ‘Plan-Do-Check-Act’.
ISO 27001 is commonly used as a term to refer to a family of interrelated standards:
- 27000 ISMS fundamentals and vocabulary
- 27001 ISMS requirements (absorbing parts of ISO 13335)
- 27002 Code of practice (based on the BSI 7799)
- 27003 ISMS implementation guidelines
- 27004 Information security management measurements
- 27005 ISMS risk management (absorbing parts of ISO 13335)
- 27006 Requirements for certifiers
ISO 27001 certification
In many countries, certification bodies have been established under the umbrella of accreditation bodies. For example, I am an accredited Lead Auditor for
PwC’s Certification Body ‘PwCC B.V.’, which is on a peer level with the BSI, TÜV and KEMA. PwCC B.V. is in turn accredited by the Dutch Accreditation Body (‘Raad voor Accreditatie’).
The International Register of ISMS accredited certificates lists those certificates that have been awarded to organisations that have gone through an accredited certification process in line with the ISMS standards.
This register has been produced in cooperation with the international network of certification bodies and is managed and maintained by the ISMS International User Group (IUG). It is updated on a regular basis in co-operation with the certification bodies.
The entries in this register have been supplied by those certification bodies that have carried out the ISMS certification.
In Belgium, the accreditation body is Belac, which operates under the umbrella of FPS (Federal Public Service) Economy.
The ISO 27001 certification process
ISO 27001 has been developed with the possibility for certification in mind. What needs to be demonstrated in a certification audit is essentially that:
- a relevant ISMS has been designed, implemented and is now operating
- a SOA (Statement of Applicability) defines the exact scope of relevance of the ISMS
- the ISMS core processes (Plan-Do-Check-Act) are appropriately designed, have been implemented, are operational, and responsibilities are allocated
- the ISMS has taken Risk Analysis into consideration to select appropriate safeguards
- audit trails are available to demonstrate that the safeguards are actually operational
The certification audit is typically conducted in two phases, pre-audit and audit.
The increasing interest in ISO 27001 certification
By November 2008, almost 5,000 ISMS certificates had been issued (4,987 to be precise).
The top five countries with the highest number of certificates today are Japan, India, the UK, Taiwan and China. They are followed by Germany and the USA.
The best approach is to centralise core IT services in larger data centres. For example, the data centres of PwC Yemen, UK, Hong Kong, China, and USA have been secured by us and accredited by the BSI against ISO 27001:2005.
This gives us a strong background when helping customers prepare for such a certification or improve their security posture.
Obviously, depending on the organisational style and behaviour, centralisation may not always be the most effective approach for IT.
Considering the current trend of organisations to focus on their core business by outsourcing several functions,
coupled with the increasing need to embed trust in business relationships, all conditions are fulfilled for a growing interest in this
certification. Indeed, unlike the current perception of other standards (e.g. SAS 70), ISO 27001:2005 relies upon clear requirements and
implementation guidelines that provide sufficient transparency to bring the required level of comfort that an accredited company meets an adequate level
of security, and so to build trust with its stakeholders. The implementation of an ISO 27001 ISMS is clearly becoming an optimal approach to help organisations tackle the current regulatory requirements with regard to Information Technology controls.
Finally, rather than individually answering each request for compliance, it is advisable to look at the requirements holistically and build a framework that allows compliance to be demonstrated against a broad set of regulations, re-using the same set of well-defined controls. The implementation of such a control framework makes demonstrating compliance significantly less expensive.