  1. ISO/IEC 27001 Information Security Management
     Securing your information assets
     Product Guide
     BSI_ISO/IEC 27001_12pp Brochure_AW.indd 2 31/10/2012 14:40
  2. What is ISO/IEC 27001?

     ISO/IEC 27001 is the international standard for information security management and details the requirements for a robust information security management system (ISMS).

     Like to know more about ISO/IEC 27001? Book an introductory course now.
  3. Information security is concerned with safeguarding the confidentiality, integrity and availability of information, whether written, spoken or electronic. All organizations are collecting, storing and managing information of some kind, which makes information security imperative.

     ISO/IEC 27001 takes a risk-based approach to the planning and implementation of your ISMS, resulting in an appropriate and affordable level of organizational security. In this way, it ensures that the right people, processes, procedures and technologies are in place to secure your organization’s information assets.

     ISO/IEC 27001 is suitable for organizations of all sizes, across all sectors. The standard is particularly useful in highly regulated industries such as the banking, financial services, health, public and IT sectors. It is also highly effective for organizations which manage information on behalf of others, as a way of demonstrating that appropriate security controls are in place and enabling customers to make an informed choice when managing their compliance with data protection requirements and other applicable legislation.

     Why implement ISO/IEC 27001?

     ISO/IEC 27001 provides a framework to help you implement a management system that protects both your information assets and your company, by reducing risks, litigation and downtime. With company data becoming ever more accessible throughout organizations, it is important to minimize your vulnerability to security breaches. Regardless of the type of information, be it financial data, computer software code or customer/supplier lists, or how it is stored, robust security controls are necessary. With a clear security strategy you can assure stakeholders, especially customers, that their personal information is being protected.

     Adopting this international standard demonstrates that your organization is using a risk-based approach to selecting and implementing information security controls. Initially, it may be perceived that implementing an ISMS can be a drain on resources, offering little in the way of financial return. In practice, it has been shown that costs will be outweighed by preventing and reducing the impact and frequency of security incidents. Since the upgrade from BS 7799 there has been a sharp increase in the global market for ISO/IEC 27001 certification across a variety of sectors. It has become a commonly used and cited standard for compliance, and is increasingly specified as part of contractual agreements.

     By implementing ISO/IEC 27001 you are providing your organization with a structured approach to the planning, implementation and management of an ISMS that will help you reduce incidents and improve stakeholder confidence.

     85% of BSI information security clients built stakeholder confidence through the implementation of a system certified to ISO 27001*
     *BSI Excellerator Research
  4. The benefits of ISO/IEC 27001

     ISO/IEC 27001 brings many benefits, especially when combined with independent certification from BSI. These include:

     + Demonstrating the independent assurance of your ISMS and security controls, and meeting corporate governance and business continuity requirements
     + Independently demonstrating that applicable laws and regulations are identified and that there are processes in place to ensure compliance
     + Providing a competitive edge by meeting contractual requirements and demonstrating to your customers that the security of their information is paramount
     + Independently verifying that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation
     + Proving your senior management’s commitment to the security of its information
     + The regular assessment process helping you to continually monitor your performance and improve.
  5. ISO/IEC 27001 Model

     Before you can implement an Information Security Management System (ISMS), you must understand what information you currently have and how it is used by your business. Your current activities, products and services all impact on information security. Using ISO/IEC 27001 helps you to focus on and understand the information security issues up front and provides a clear framework for ISMS development.

     [Diagram: the ISO/IEC 27001 model. Labels: Current situation; ISMS policy; Planning; Implementation & operation; Checking & corrective action; Management review; all within a cycle of Continual improvement.]
  7. Policy and Planning

     ISO/IEC 27001 is made up of five main requirements sections and an appendix that contains security controls, each with specific aims and focus, organized into the following groups:

     Security policy - To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

     Organization of information security - To manage information security within the organization and to maintain the security of the organization’s information and processing facilities that are accessed, processed, communicated to, or managed by external parties.

     Asset management - To achieve and maintain appropriate protection of organizational assets.

     Human resources security - To ensure that employees, contractors and third party users understand their responsibilities, are suitable for the roles they are considered for, are aware of information security threats, and exit an organization or change employment in an orderly manner.

     Physical and environmental security - To prevent unauthorized physical access, damage and interference to the organization’s premises and information. To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.

     Communications and operations management - To help ensure that information is processed correctly, backed up securely and handled appropriately.

     Access control - To assist with controlling access to information, networks and applications, preventing unauthorised access, interference, damage and theft.

     Information systems acquisition, development and maintenance - To ensure that security is an integral part of the information system, helping with securing applications and files and reducing vulnerabilities.

     Information security incident management - To ensure information security breaches and issues are communicated consistently, in a manner allowing timely corrective action to be taken.

     Business continuity management - To ensure you counteract interruptions to business activities and protect critical business processes from the effects of major information systems failures or disasters.

     Compliance - To avoid breaches of any law, statutory, regulatory or contractual obligation, and of any security requirements. To ensure compliance of systems with organizational security policies and standards.
  8. Implementation and operation

     Implementing an ISMS is a step by step process, with each step building on the previous to form a coherent and logical set of processes. Only at the end of the process is a BSI audit undertaken.

     Scoping study
     This initial step sets the scope of the project. The scope should reflect the clear objectives of the business and the project, including any specific requirements, locations and departments. This scope will guide you later in the process, keeping you focused on your task.

     Risk assessment
     A risk assessment is used to identify all your information assets and consider the associated risks, threats and vulnerabilities. This will enable you to draw up a list of information threats, which can be prioritised based on the level of risk they pose to your information assets.

     Gap analysis
     A gap analysis is a review of your progress so far and looks at how you have implemented the requirements of ISO/IEC 27001 and the applicable security controls. Some controls as set out in ISO/IEC 27001 may not apply to your organization and the information security risks to which it is exposed. If certain activities, such as performing electronic transactions, are not undertaken within your organization then the associated control can be formally excluded. A gap analysis can be carried out internally, or with the assistance of a BSI expert, and will give you a good indication of any requirements that still have to be met to ensure your ISMS is ISO/IEC 27001 compliant.

     Statement of applicability
     The statement of applicability should list all the controls and references to how and why they apply to your scope.

     Security improvement programme
     By this stage you will have a good understanding of your information security situation. Revised policies and procedures now need to be developed to protect the information assets against the risks you have identified, such as staffing issues, technical resources and improvements. Some may require immediate action, while others will simply require updated rules or instructions – perhaps as simple as locking filing cabinets after use.
  9. Testing, review and internal audit
     As you take actions intended to improve information security, each action or change in process must be tested to ensure it delivers the required improvements. This could include an external BSI assessment, penetration testing or peer review. Internal audits of the ISMS must also be undertaken.

     Implementation
     Once your policies, procedures and controls have been developed, you will need to deploy them. As every organization is different, working practices also differ. Implementing policies can be aided by training, discussion and promotion. The positive involvement of senior management is also required to make these changes.

     Document finalization
     The statement of applicability (SOA) should be clear, concise and easily understood. Because ISO/IEC 27001 requires ongoing improvement, your documentation should be regularly reviewed and amended to reflect changes in business practices, processes and the results of your ongoing security improvement programme.

     Management review
     Management shall review the organization’s ISMS regularly to ensure its continued suitability, adequacy and effectiveness. Information security should be pivotal to the daily operations of an organization, and adjustments made as appropriate to improve the overall performance of the system.

     Continual improvement and corrective action
     As with all management system standards there is a need to look back at what has been achieved. Internal audits and management reviews continue to be key methods of assessing the performance of the ISMS and tools for its continual improvement. Nonconformities of the ISMS have to be dealt with, together with corrective actions to ensure they don’t happen again. As with all management system standards, continual improvement is a core requirement of the standard.

     Learn how to implement ISO/IEC 27001 with one of our training courses.
  10. With BSI our commitment does not stop with a certificate

     Find out how much ISO/IEC 27001 with BSI will cost your organization. Contact us on +44 845 080 9000 or visit

     BSI offers independent third-party certification to ISO/IEC 27001. With BSI the certification process is simple. After you apply we appoint a client manager who will guide you and your business through the certification process. Once you’ve achieved the certificate our support doesn’t stop there. We’ll continue to visit your organization for three years, delivering the expertise you need to remain compliant. So not only will you be able to demonstrate to stakeholders and customers that you comply with information security best practice, you will also benefit from regular audits and opportunities for improvement.
  11. Route to certification

     1. Buy the Standard. Visit
     2. Make contact. Call us on +44 845 080 9000
     3. Complete the BSI application form
     4. Plan your BSI training
     5. Consider an optional BSI gap analysis (pre-certification audit)
     6. Your BSI assessment team is appointed
     7. Formal BSI assessment – stage 1
     8. Formal BSI assessment – stage 2
     9. BSI certificate awarded
     10. BSI certification and beyond

     Need help implementing your system?
     At BSI we are dedicated to helping you every step of the way. We created the Associate Consultant Programme (ACP) as an impartial service to help you find the consultancy support you need. We aim to make the process of certification as simple as possible and, as an independent certification body, choose not to offer or recommend specialist consultancy services. That’s why we set up the ACP with more than 100 members across the UK, all with demonstrated experience of working with certified management systems. To find out more visit

     Information security solutions
     Whether you want to implement ISO/IEC 27001 to protect your information assets and develop best practice, or require full certification to meet contractual requirements and reassure customers, BSI can assist you along your journey. We offer a range of information security products including:
     • Standards and publications
     • Information guidance and advice
     • Training – courses, in-house and elearning
     • Gap analysis
     • Management system certification
     • Entropy Software™ – management system software for improving security controls

     Why BSI?
     BSI is recognized by the UK Government as the National Standards Body (NSB) for the UK. We develop, publish and market standards and related products. Our business enables organizations to perform better and make excellence a habit. For more than a century our experts have been challenging mediocrity and complacency to help embed excellence into the way people and products work... to perform better, reduce risk and achieve sustainable growth. Our clients range from globally recognized brands to small, local companies in 150 countries worldwide. We are a Royal Charter company that develops and delivers products and services in a truly inclusive way; we are committed to continual improvement and work with the highest level of integrity. Regardless of your location, organization size or sector, nothing says confidence like the BSI mark.

     To find out more about our assessment and certification solutions, contact a BSI advisor: +44 845 080 9000
  12. The trademarks in this material (for example the BSI logo or the word “KITEMARK”) are registered and unregistered trademarks owned by The British Standards Institution in the UK and certain other countries throughout the world.

     BSI Group
     Kitemark Court
     Davy Avenue
     Knowlhill
     Milton Keynes
     MK5 8PP
     T: +44 845 080 9000
     E: cservices@bsigroup.com
     bsigroup.com