
ISO 27001: Get the Facts

Who is ISO?

Established in 1947, ISO stands for the International Organization for Standardization and is the world's leading developer of international standards. It comprises a network of national standards institutes across 157 countries and runs on the basis of one member per country. A central Secretariat in Geneva, Switzerland manages the system.

ISO is considered a non-governmental organization (NGO), but its ability to set standards that often become laws makes it more powerful than most NGOs. ISO standards are implemented worldwide and specify the requirements for state-of-the-art products, services, processes, materials and systems. While ISO has developed many standards against which products are assessed and tested for conformity, it does not carry out its own conformity assessments. Instead, ISO partners with the International Electrotechnical Commission (IEC) and develops ISO/IEC guides and standards to be used by organizations which carry out conformity assessment activities.

During its first two decades, ISO focused on harmonizing national standards, and the results of its technical work were published as "ISO Recommendations." It wasn't until the early 1970s that ISO began publishing international standards. Over 16,000 international standards have been published since the organization's inception.

What does international standardization mean? When was this concept developed?

Industry-wide standardization exists when most products or services in a particular business or industry conform to established international standards. Those standards are attained through consensus agreements between thousands of national delegates and economic stakeholders (suppliers, users, government regulators and other interest groups, such as consumers) who meet to discuss, debate and argue standards for the terminology, development, manufacturing, testing and analysis of products and services in a particular business or industry. The standards provide suppliers and customers with a common framework for including certain criteria and specifications in their products and services.

The concept of international standardization began in the electrotechnical field with the establishment of the IEC in the early 1900s. The International Federation of the National Standardizing Associations (ISA) was formed in 1926, focusing its standardization efforts in the area of mechanical engineering. In 1942, the ISA shut down its operations and four years later, delegates from 25 countries met in London to create ISO.

What is ISO 27001?

ISO 27001 is the formal international security standard against which organizations may seek independent certification of their information security management system. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS), using a continual improvement approach. It is intended to be used in conjunction with ISO 17799:2005, a security Code of Practice, which offers guidance on interpretation and implementation of the list of specific security controls within ISO 27001. It provides the foundation for third-party audits and is meant to 'harmonize' with other management standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management). It implements principles from the Organization for Economic Cooperation and Development (OECD) and governs security of information and network systems.

The ISO 27001 standard is also known as "Information Security Management - Specification with Guidance for Use."

For more information and to purchase the ISO 27001 published standard, please visit: http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103

For background details on the ISO 17799 standard, please visit: http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html

How are ISO 27001 and ISO 17799 different from the original, BS7799-2?

ISO 27001 is the replacement for BS7799-2, which was first published in 1999 by the British Standards Institute (BSI). In December 2000, the BS7799 code of practice, published in 1995, became ISO 17799, which was updated in 2005. ISO 27001 is the specification that an organization is audited against and provides a single framework for an organization to build an ISMS that assures the necessary management systems comply with known security and privacy regulations.

ISO 27001 has the same requirements as ISO 17799, but also provides the "shalls," which are the mandatory requirements that must be met to ensure that an organization can provide the holistic approach needed to minimize the redundant investment in separate project teams reacting to address a single regulation. Transition arrangements have been introduced by the various certification bodies for conversion from BS7799 certification to ISO 27001 certification. Globally, over 3,000 organizations are ISO 27001 certified.

ISO 27001 specifies the mandatory requirements for establishing, implementing, and documenting an ISMS and specifies requirements for security controls to be implemented according to the needs of individual organizations. It consists of 11 control sections, 39 control objectives, and 133 controls and is aligned with ISO 17799. It includes a plan-do-check-act (PDCA) model, which enables continual improvement. ISO 27001 is based on a nine-part process, outlined as follows:

  • Define the scope of the ISMS;
  • Define a security policy;
  • Undertake a risk assessment/analysis;
  • Manage the risk;
  • Select control objectives and the actual controls to be implemented/applied;
  • Prepare a Statement of Applicability;
  • Implement and operate the ISMS;
  • Continue to monitor and review the ISMS; and
  • Maintain and improve the ISMS.

How is ISO 27001 used?

According to the ISO committee in charge of the 27000 series and related standards, ISO 27001 is intended to be suitable for several different types of use, including the following:

  • Use within organizations to formulate security requirements and objectives;
  • Use within organizations as a way to ensure that security risks are cost effectively managed;
  • Use within organizations to ensure compliance with laws and regulations;
  • Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • Definition of new information security management processes;
  • Identification and clarification of existing information security management processes;
  • Use by the management of organizations to determine the status of information security management activities;
  • Use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
  • Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
  • Implementation of business-enabling information security; and
  • Use by organizations to provide relevant information about information security to customers.

How does ISO certification benefit organizations?

There are several reasons why an organization might seek this certification. Some of the key benefits include: increased credibility and trust; improved partner, customer and stakeholder confidence; organizational and trading partner assurance; demonstration to competent authorities that the organization observes all applicable laws and regulations; competitive advantage and market differentiation; and reduced regulation costs.

How can an organization achieve certification?

To meet certification requirements, an organization's ISMS must be audited by a certification body that is accredited by an International Accreditation Body for that scheme (e.g. UKAS in the UK). This helps ensure that the certifiers meet national and international standards for their services and ensures consistency. For ISO 27001, the accreditation guidance is typically a document called EA-7/03 ('Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems'). There are a growing number of organizations accredited to grant certification against ISO 27001, including: BSI, Certification Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited and UIMCert GmbH. While the approach to the certification process may differ, there are usually six steps, involving an application, document review, compliance audit and ongoing audits.

Official copies of the ISO standards can be purchased from ISO or from various national standards bodies such as the American National Standards Institute (ANSI) or the BSI. Other third-party commercial organizations including IT Governance and SAI Global offer localized and national versions of the standard, charging anywhere from $110 to $200 USD.

Are there any standardization bodies in Europe that are similar to or collaborate with ISO?

There are three main certification bodies in Europe:

  • The European Committee for Standardisation (CEN) - Based in Brussels, its members are the national standards bodies of the 25 European Union (EU) member states, and certain other countries. CEN's work is categorized into two business domains: security and defence, and the Information Society Standardisation System (ISSS). The group works with the European Telecommunications Standards Institute (ETSI) and is in contact with the European Network and Information Security Agency (ENISA) and ISO.
  • The European Committee for Electrotechnical Standardisation (CENELEC) - This organization is made up of the National Electrotechnical Committees of the 25 EU member states plus three others. CENELEC and its 15,000 technical experts prepare voluntary electrotechnical standards with the aim of helping to develop a single European market for electrical and electronic goods and services by removing barriers to trade, creating new markets and cutting compliance costs.
  • The European Telecommunications Standards Institute (ETSI) - This is an independent, non-profit organization that sets the standards to enable technologies and applications in many diverse aspects of information and communication technologies, telecommunications and broadcasting. Its mission is to produce telecommunications standards for use throughout Europe. ETSI has over 600 members from about 50 countries (EU and non-EU), including manufacturers, network operators, administrations, service providers, research bodies and users. Any European organization with an interest in promoting European telecommunications standards has the right to represent that interest within ETSI.

What is CSIA's position on ISO 27001?

Globally, nearly 3,000 organizations are ISO 27001 certified. According to the International ISMS Register Search, 42 certificates have been issued in the United States as of January 2, 2007. Citigroup, Federal Reserve Bank, United Nations and World Bank are among those that have been certified in the USA to date.

CSIA encourages organizations worldwide to strongly consider implementing ISO 27001 standards, which are designed to ensure the confidentiality, integrity and availability of sensitive data. CSIA believes this standard is a much needed step toward the improvement of data security and the overall cyber security landscape around the world.