What is information security?
Information security is the protection of
information to ensure:
ensuring that the information is accessible only to those authorized to
ensuring that the information is accurate and complete and that the
information is not modified without authorization.
ensuring that the information is accessible to authorized users when
Information security is achieved by applying a
suitable set of controls (policies, processes, procedures, organizational
structures, and software and hardware functions).
What is an ISMS?
An Information Security Management System
(ISMS) is a management system based on a systematic business risk approach, to
establish, implement, operate, monitor, review, maintain, and improve
information security. It is an organizational approach to information security.
ISO/IEC 27001 (BS 7799) is a standard for information security that focuses on
an organizationís ISMS. Other standards for information security are much more
specific and have a different focus:
systems (FISMA and ISO 13335-2)
(Common Criteria, ISO 15408, FIPS 140-2)
Why should I certify my ISMS?
Certification of a management system brings
several advantages. It gives an independent assessment of your organizationís
conformity to an international standard that contains best practices from
experts for ISMS. A certified ISMS does not guarantee compliance with
legislative and local policies, but provides a systematic platform to build on.
What are the main concepts of ISO/IEC 27001
activities must follow a method. The method is arbitrary but must be well
defined and documented.
standard requires a company to specify its own security goals. An auditor
will verify whether these requirements are fulfilled.
security measures shall be the result of a risk analysis.
standard offers a set of security controls. It is up to the organization
to choose which controls to implement based on the specific needs of their
process must ensure the continuous verification of all elements of the
security system through audits and reviews.
process must ensure the continuous improvement of all elements of the
What is the Certification Process?
Assess if your ISMS is ready for certification.
your ISMS conformant with the standard?
you need to do work to get it ready?
Identify an accredited CB
and sign a contract wit the CB (Generally this is a 3 year commitment)
3. ††††††† Go
through the audit process:
1 audit (also known as a desktop audit). Here the CB examines the
mandatory ISMS documentation.
action on the results of the stage 1 audit.
2 audit (on-site audit). Here your CB sends an audit team to examine your
implementation of the ISMS.
audit findings and agree on a surveillance audit schedule.
††††††† When your ISMS is found to be
conformant, the CB recommends to its validating committee that the ISMS is
compliant with the standard, and if the validation committee agree then they
issue the certificate. (Depending on the organization this can take a few weeks
to several months)
5. ††††††† Go
through the surveillance audit as scheduled with the CB
6. ††††††† Keep
your CB informed of any significant changes affecting your ISMS
7. ††††††† Re-certification
after three years.
How long is a certificate valid?
The maximum term of validity is three years.