Thursday, August 17

ISO 2700X: A Cornerstone of Security
By Jonathan G. Gossels

For years, organizations have been searching for an objective benchmark to measure the security of potential business partners and to distinguish the security-quality of their own services. While not perfect, ISO 17799 emerged as the standard of choice because it overcame many of the critical deficiencies of SAS 70. Specifically, it provided a comprehensive set of security-related topics and an objective means of measuring compliance.

Building on that success and following the same approach it used with the ISO 900X Quality Assurance standards and ISO 1400X Environmental Management standards, the International Organization for Standardization (ISO) has reserved the 27000 numbering range for a series of Information Security Standards. The initial standards are:

- ISO 27000 contains technical definitions used throughout the 2700X series.
- ISO 27001 is a specification for an Information Security Management System (ISMS). ISO 27001:2005 is a re-labeling of BS 7799 part 2. This is the formal standard used for certifying Information Security Management Systems. Its focus is the evaluation process rather than content.
- ISO 27002 is a re-labeling of ISO 17799, which was originally BS 7799 part 1. This standard contains a Code of Practice consisting of a comprehensive set of information security control objectives and a menu of best-practice security controls.
- ISO 27004 is the number reserved for a future standard covering information security management measurement and metrics.
- ISO 27005 is the number reserved for a future standard covering information security risk management.

To achieve certification, an organization's ISMS must be audited by an assessor who works for a Certification Body. A Certification Body must have been accredited by the National Accreditation Body for the relevant geography. The certification process requires clear segregation of duties: the organization performing the certification must not have been involved in providing either consulting or training.

History has shown that far more organizations have used ISO 17799 as a framework for conducting comprehensive security assessments aimed at improving the security and controls of their IT infrastructure than for the specific purpose of certification. It is important to recognize that these standards have value well beyond certification.

Unless there is a clear business reason (such as customers or partners demanding certification as a condition of doing business), most organizations would be better served thinking in terms of compliance with ISO 27002 rather than certification to ISO 27001.

Because of the expense, and without a clear business driver, there is little incremental value in spending those formal certification dollars. In most cases, having a reputable security firm attest that an organization is "substantially compliant" is more than sufficient.

Just as with ISO 9000, the marketplace is not homogeneous. Certain vertical markets, such as aerospace, or certain supply chains may latch onto ISO 27001 certification as a required fact of life.

The decision to certify or comply is more than one of cost; the two standards measure different things. ISO 27001 assesses whether an organization follows a coarse-grained set of processes that are integral to maintaining the security of an enterprise. Certification assumes that if these processes are in place, effective security automatically follows.

In contrast, ISO 27002 describes a comprehensive set of concrete and fine-grained practices against which an enterprise can be compared.

Bear in mind that both of these standards need to be interpreted within a specific business context, taking into account the organization's technology, its attractiveness as a target, and its business risk.

The ISO 27001 and ISO 27002 standards are gaining attention for being practical mechanisms for both assessing and asserting good security practices.

13 comments:

Anonymous said...

Costs for ISO 27001 certification in Spain are very high (I think it is exactly the same in other countries), so I'm with you in this way of thinking.

Don't waste your money on certification. A company must look for continuous improvement in Information Security.

Certification is only required for marketing purposes, just for this. The security of the assets is the real problem here, and not selecting one certification body or whatever.

Even more, why don't hackers or crackers put certified organizations on their target lists as objectives? A good criterion for attacking systems.

We have some blogs in Spain like SAHWor ISO 27001 where we talk about these things, and we all think the same.

Brad C. Johnson, Vice President, CISM, IAM said...

The last posting demonstrates a comforting fact: practical security people can be found wherever you are. You just have to look for them.

These practical security professionals can think outside the box and recognize that an international standard can be useful in making continuous information security improvement without certification as the goal.

For many organizations, certification to ISO 27001 will be a marketing exercise while compliance with 27002 will be an exercise in moving toward industry best practices.

by Jonathan Gossels


ISO Certification Training said...

Taking ISO 27001 Training will be very beneficial to anyone planning to take the course. Topics that are discussed in the course include a brief history of the standard and then a discussion of the advantages this international model provides to any organization desiring to develop a quality management system built upon identifying the processes within a business, developing consistent production plans for that business, and implementing structured improvements to succeed in today's competitive marketplace.

ISO 27001 Certification said...

The basic objective of the ISO 27001 standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organisation for Economic Cooperation and Development) principles, governing security of information and network systems.
