Information Security Compliance: ISO 27000

ISO 27000 is a set of security standards that organizations can implement to provide an industry-recognized minimum level of security.  ISO 27000 came out of the BS (British Standard) 7799, originally published in 1995 in three parts.  The first part of BS 7799, dealing with the best practices of information security, was incorporated in ISO 17799 and made part of the ISO 27000 series in 2000.  Part two, titled “Information Security Management Systems – Specification with Guidance for Use” became ISO 27001 and dealt with the implementation of an information security management system.  The third part was not incorporated into the ISO 27000 series.  Similar to ISO’s 9000 series, which focuses on quality, ISO 27000 is an optional accreditation that can be used to show that an organization meets a specified level of information security maturity.

Overview of the ISO 27000 sections

The six parts of the 27000 series each deal with a different area of an Information Security Management System (ISMS).  This document will briefly outline each section and then concentrate on ISO 27001, the section that details the requirements for an ISMS.  An overview of what the series deals with can be found in the table below.

ISO 27000 Series

ISO 27001 – ISMS requirements
ISO 27002 – ISMS controls
ISO 27003 – ISMS implementation guidelines
ISO 27004 – ISMS measurements
ISO 27005 – Risk management
ISO 27006 – Guidelines for ISO 27000 accreditation bodies

As can be seen in the table above, ISO 27001 details the actual requirements for businesses to comply with the ISO 27000 standard.  ISO 27002 builds on ISO 27001 by providing a description of the various controls that can be utilized to meet the requirements of ISO 27001.  ISO 27003 provides details on the implementation of the standard, including project approval, scope, analysis, risk assessment, and ISMS design.  ISO 27004 outlines how an organization can use metrics to monitor and measure the effectiveness of its security program against the ISO 27000 standards.  ISO 27005 defines the high-level risk management approach recommended by ISO, and ISO 27006 outlines the requirements for organizations that will measure ISO 27000 compliance for certification.

Series contents

The ISO 27000 series provides recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System” (http://www.27000.org).  The standard can be broken down into the following sections:

  • Risk assessment – a quantitative or qualitative approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.
  • Security policy – formal statements that define the organization’s security expectations.
  • Asset management – inventory and classification of information assets.
  • Human resources security – security aspects for employees joining, moving within or for those leaving an organization.
  • Physical and environmental security – physical/tangible measures used to protect systems and data, such as alarm systems, guards, office layout, locked doors, keypads, cameras, etc.
  • Communications and operations management – management of technical security controls in systems and networks.
  • Access control – restriction of access rights to networks, systems, applications, functions and data; maintaining the confidentiality of access credentials and the integrity of access control systems.
  • Information systems acquisition, development, and maintenance – building security into applications when they are designed or purchased.
  • Information security incident management – planning and responding appropriately to information security breaches.
  • Business continuity management – protecting, maintaining and recovering business-critical processes and systems when they become unavailable.

Certification process

ISO 27001 specifies the requirements against which a company’s ISMS can be assessed for potential certification.  The certification process begins after an accredited organization finds that the corporation has met the requirements outlined in ISO 27001.  Once this body determines that the company has complied with the requirements of ISO 27001, the certification is granted.  Certification must be renewed every three years and is subject to audits.

Benefit to business

Compliance with the ISO standards provides companies with a credential which demonstrates that the business conforms to the requirements of this well-recognized standard.  It also gives employees and clients more assurance that their data is safe with the enterprise.  In some cases, companies may require ISO certification to do business.  The ISO 27000 standard contains many useful recommendations, and businesses are encouraged to familiarize themselves with the recommendations even if they do not plan on becoming certified.  Purchasing the standard does cost money; however, qualified compliance practitioners can assist with the preparation for the compliance effort.

Summary

ISO 27000 comprises six parts outlining the requirements for certification, guidelines for achieving the requirements, and guidelines for accrediting organizations.  The standard provides many useful recommendations for companies seeking certification as well as those merely interested in improving their security.  Similar to the ISO 9000 quality standard, ISO 27000 is optional, but it may soon be a business requirement.


5 thoughts on “Information Security Compliance: ISO 27000”

  1. I find many of the arguments for ISO 27000 unconvincing but you gave me something other than hype. “Compliance with the ISO standards provides companies with a credential which demonstrates that the company is in compliance with the requirements of this well-recognized standard.” – Vanderburg

    • You are correct. ISO 27002 has 15 clauses as follows:
      Scope
      Terms and Definitions
      Structure of the Standard
      Risk Assessment and Treatment
      Security Policy
      Organization of Information Security
      Asset Management
      Human Resources Security
      Physical and Environmental Security
      Communications and Operations Management
      Access Control
      Information Systems Acquisition, Development and Maintenance
      Information Security Incident Management
      Business Continuity Management
      Compliance

      The last 11 of these contain 39 security categories that map to the Annex A of ISO 27001. Each of these 39 categories lists a control objective (what needs to be accomplished) and a selection of controls that can meet the control objective (133 in all).

  2. Are people seeing the demand for this certification? Most companies want you to agree to their security & data privacy terms, and are not asking for ISO 27000, in my experience.
