The ISO 27001 standard was revised and a new version was published in 2013. ISO 27001 is also becoming a more common information security standard among service providers. This presentation focuses on the changes in the 2013 version and on the process for implementing an ISMS and getting certified to ISO 27001.
The key objectives of this presentation are:
Provide an introduction to ISO 27001 and the changes in the 2013 version
Discuss the implementation approach for an Information Security Management System (ISMS) framework
Familiarize the audience with some common implementation challenges
Just created a SlideShare presentation giving a basic introduction to ISO 27001 and its scope, implementation and application. You can see more slideshows on http://www.slideshare.net/ImranahmedIT or visit my website: http://imran-ahmed.co.uk
Here are some small steps to achieve ISO 27001 implementation.
I believe ISO 27001/2 is key to establishing security in organizations and helps companies keep the whole ISMS programme running in line with continuous improvement.
ISO 27001 has been identified by the ICO and recognised by GCHQ/NCSC in the past as the key standard to support GDPR.
The security of information systems and business-critical information needs constant management to ensure your operational continuity and data protection. ISO 27001 Information Security Management System certification allows you to stand out from the competition through strong, measurable information security.
2022 Webinar - ISO 27001 Certification.pdf (ControlCase)
ControlCase Introduction
What is ISO 27001?
What is ISO 27002?
What is ISO 27701, ISO 27017, & ISO 27018?
What is an ISMS?
What is ISO 27001 Certification?
Who Needs ISO 27001?
What is Covered in ISO 27001?
How Many Controls in ISO 27001?
What is the ISO 27001 Certification Process?
How Often Do You Need ISO 27001 Certification?
What are the Challenges to ISO 27001 Compliance?
Why ControlCase?
Han van Thoor, Managing Director of Jumper Consulting Ltd, participated in the Certification Europe Information Security Breakfast Seminar in November 2011. The presentation discussed current challenges within security, covering the following topics:
Managing management and peers
Risk Assessment
Statement of Applicability
Post certification
Benefits
Further details on ISO 27001 Information Security Management System certification are available on our website http://www.certificationeurope.com/iso-27001-information-security.html
, hosted by Alan Calder CEO and founder of Vigilant Software and acknowledged information security risk assessment and management thought leader, explains and discusses what is information security? What is an information security management system (ISMS)? What is ISO 27001? Why should I and my organisation care about ISO 27001?
In this article I will provide an overview of the new Information Security Management System standard ISO/IEC 27001:2013, published a few days earlier.
ISO/IEC 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System.
ISO/IEC 27001:2013 gives organizations a perfect information security management framework for implementing and maintaining security.
In this article I tried to shed some light on the new standard and its mandatory requirements, optional requirements, structure, benefits, certification process, and estimated time for implementation and certification.
ISO 27001, the international standard for information security management
"ISO 27001 (or ISO/IEC 27001:2013, 'Information Security Management Systems') is a standard that provides a good practical framework for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. The key purpose of the ISMS is to bring information risk and security under management control."
ISO 27001:2013 is the international standard that provides a framework for an Information Security Management System (ISMS) that preserves the confidentiality, integrity and availability of information and supports legal compliance.
ISO 27001 certification is essential for protecting your most vital assets, such as employee and client information, brand image and other private information. The standard takes a process-based approach to initiating, implementing, operating and maintaining your ISMS.
This implementation guide will help you run through the benefits, PDCA Cycle and Annex SL structure in detail for implementing ISO 27001.
Find out more or get a quote for certification here – https://www.nqa.com/en-gb/certification/standards/iso-27001
[To download this complete presentation, visit: https://www.oeconsulting.com.sg/training-presentations]
ISO/IEC 27001:2022 is the latest internationally-recognised standard for Information Security Management Systems (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It provides a robust framework to protect information that can be adapted to all types and sizes of organization. Organizations that have significant exposure to information-security related risks are increasingly choosing to implement an ISMS that complies with ISO/IEC 27001.
This ISMS awareness PPT presentation material is designed for organizations that are embarking on ISO/IEC 27001:2022 implementation and need to create awareness of information security among their employees.
LEARNING OBJECTIVES
1. Acquire knowledge on the fundamentals of information security
2. Describe the ISO/IEC 27001:2022 structure
3. Understand the ISO/ IEC 27001:2022 implementation and certification process
4. Gather useful tips on handling an audit session
Module 6: Standards for Information Security Management
Information Security Management Systems (ISMS); ISO 27001; framing the security policy of the organization; committees (security forum, core committee, custodians and users); business continuity process team and procedure; the information security auditing process; IT security incidents.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session (IGN MANTRA)
ISO 27001:2013 Awareness, Seminar & Workshop, Indonesia Honeynet Project (IHP), Badan Siber dan Sandi Negara (BSSN), Universitas Syiah Kuala (Unsyiah), 23-24 October 2018
ISO/IEC 27001 Foundation training course by interPROM (Mart Rovers)
What is involved with the ISO/IEC 27001 Foundation certification training course? Learn about the course curriculum, target audience, duration, formats, exam, fees and much more.
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data entrusted to them. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice, will be joined by Partner Michael Hoffner, and they will lead a discussion on a Cybersecurity Risk Management Program: what it is and how it can prepare your organization for the future.
ISO 27001 is an international standard that sets out the requirements for establishing and developing an information security management system.
By and large, it is a collection of "best practices" that lets you select security controls in such a way as to protect information and give customers appropriate guarantees.
CISSP Preview - For the next generation of Security Leaders (NUS-ISS)
Presented by Mr Hoo Chuan-Wei, Technical Advisor-APAC, (ISC)2, at the CISSP Preview Session, which was jointly organised with (ISC)2 Singapore Chapter on 27 Jun 2017.
GDPR compliance and information security: Reducing data breach risks (IT Governance Ltd)
This webinar illustrates:
- An overview of the GDPR
- How an ISO 27001-aligned ISMS can support GDPR compliance
- The top risks that result in data breaches
- The benefits of implementing an ISMS
- The technical and organisational requirements to achieve GDPR compliance
- How to improve your overall information security in line with the GDPR’s requirements
A recording of the webinar can be found here: https://www.youtube.com/watch?v=s7XQwBQ6JMg
4. Overview
• Most widely recognized security standard in the world
• Process-based approach to setting up an Information Security Management System (ISMS) framework
• Addresses information security across industries
• Comprehensive in its coverage of security controls
http://www.iso.org/iso/home/standards/certification/iso-survey.htm?certificate=ISO/IEC%2027001countrycode=US#countrypick
5. Benefits
Culture and Controls
• ISO 27001 is a culture one has to build in the organization, which helps to:
– Increase security awareness within the organization
– Identify critical assets via the business risk assessment
– Provide a framework for continuous improvement
– Bring confidence internally as well as to external business partners
– Raise awareness of security-related issues at management level
• Combined framework to meet multiple client requirements and compliance requirements
Benefit areas: Compliance; Competitive Advantage; Reduced Cost; Process Improvement
6. ISO 27000 Series*
• 27000, Information Security Management System – Fundamentals and vocabulary (13335-1)
• 27001, Information Security Management System – Requirements
• 27002, Code of Practice for Information Security Management
• 27003, Information Security Management System – Implementation guidelines
• 27004, Information Security Management Measurements (metrics)
• 27005, Information Security Risk Management (13335-2)
Figure: 27000 is the vocabulary standard; 27001 is the requirements standard; 27002, 27004 and 27005 are guideline standards around it.
* Only a few members of the series are mentioned here.
ISO 27001 (an organization is certified against it) vs ISO 27002 (an organization can only be compliant with it)
7. ISO 27001: 2005 vs 2013
2005 clauses:
1 Scope
2 Normative reference (ISO/IEC 17799:2005)
3 Terms and definitions
4 ISMS
5 Management responsibility
6 Internal ISMS audits
7 Management review of the ISMS
8 ISMS improvement
2013 clauses:
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
The revised version has a high-level structure shared with other management system standards, to make integration easier when implementing more than one management system standard. The revision addresses the need to align information security management and its strategy with the business strategy, and makes the standard more adaptable for SMEs.
* http://www.dionach.nl/blog/iso-27001-2013-transition-0
8. Major Changes
• Context of the organization
• Interested parties
• Interfaces/boundaries
• Align organization strategies with security objectives
• Risk assessment and treatment
• Asset register is not mandatory
• Risk owner approval
• SoA control implementation status
• Objectives, monitoring and measurement
• Risk treatment and ISMS effectiveness
• Communication
• Documented information
• Corrective and preventive actions
http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/
9. Annex A (controls): 2005 vs 2013
2005 – 11 clauses (domains), 39 control objectives, 133 controls:
• Security policy
• Organization of information security
• Asset management
• Human resource security
• Physical and environmental security
• Communications and operations management
• Access control
• Information system acquisition, development and maintenance
• Information security incident management
• Business continuity planning
• Compliance
2013 – 14 clauses (domains), 35 categories (control objectives), 114 controls:
• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance
10. Annex A (control structure)
Example of the hierarchy of 14 clauses (domains), 35 categories (control objectives) and 114 controls:
A.7 Human resource security (clause / domain)
A.7.1 Prior to employment (category / control objective)
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.2 During employment (category / control objective)
A.7.2.1 Management responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary process
11. Control Changes
New controls (2013 Annex A numbering)
• A.6.1.5 Information security in project management
• A.14.2.1 Secure development policy – rules for the development of software and information systems
• A.14.2.5 Secure system engineering principles – principles for system engineering
• A.14.2.6 Secure development environment – establishing and protecting the development environment
• A.14.2.8 System security testing – tests of security functionality
• A.16.1.4 Assessment of and decision on information security events – part of incident management
• A.17.2.1 Availability of information processing facilities – achieving redundancy
Controls deleted (2005 Annex A numbering)
• 6.2.2 Addressing security when dealing with customers
• 10.4.2 Controls against mobile code
• 10.7.3 Information handling procedures
• 10.7.4 Security of system documentation
• 10.8.5 Business information systems
• 10.9.3 Publicly available information
• 11.4.2 User authentication for external connections
• 11.4.3 Equipment identification in networks
• 11.4.4 Remote diagnostic and configuration port protection
• 11.4.6 Network connection control
• 11.4.7 Network routing control
• 11.5.5 Session time-out
• 11.5.6 Limitation of connection time
• 11.6.2 Sensitive system isolation
• 12.2.1 Input data validation
• 12.2.2 Control of internal processing
• 12.2.3 Message integrity
• 12.2.4 Output data validation
• 12.5.4 Information leakage
• 14.1.2 Business continuity and risk assessment
• 14.1.3 Developing and implementing business continuity plans
• 14.1.4 Business continuity planning framework
• 15.1.5 Prevention of misuse of information processing facilities
• 15.3.2 Protection of information systems audit tools
13. ISMS Process: PDCA Model
• Plan – Define security policies and procedures
• Do – Implement and manage security controls/processes
• Check – Review/audit security management and controls
• Act – Implement identified improvements and corrective/preventive actions
Underpinned by People, Process and Technology
14. Implementation Approach
Project set-up and plan
Phase I – Baseline Information Security Assessment
• Identify the scope and coverage of information security
• Assess the current environment
• Prepare the baseline information security assessment report
Phase II – Design of Information Security Policy and Procedures
• Establish the security organization and governance
• Identify information assets and their corresponding information security requirements
• Assess information security risks and treat them
• Select relevant controls to manage unacceptable risk
• Formulate information security policy and procedures
• Prepare the Statement of Applicability
Phase III – Implementation of Information Security Policy
• Implementation of controls
• Security awareness training
Phase IV – Pre-Certification Audit
• Review by internal audit and management review
• Corrective action and continuous improvement
15. Asset Profiling and Risk Assessment
• An information asset is any information, in any format, used to operate and manage the business. It includes electronic information, paper-based assets, hardware assets (servers, desktops, other IT equipment), software assets, equipment and people.
Asset register template columns: Sl. no | Asset | Location | Owner | Custodian | User | Asset number
Risk Factor = Asset Value × Exposure Factor × Probability of occurrence
16. Information Security Policy Management Documents
Inputs: Risk Assessment Report; Contractual Obligations; Business Requirements; Legal or Regulatory Requirements
Documents derived from them:
• Statement of Applicability
• Information Security Policy Document
• Information Security Procedures Document
• Information Security Guidelines and Standards
• Information Security Awareness Solutions
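The following is an added example, not from the original slides, showing how the Phase II steps (identify assets, assess risks with the Risk Factor formula, select controls for unacceptable risk, prepare the Statement of Applicability) and the document inputs above fit together in code. The asset register rows, the threat scenarios, the 1 to 5 asset value scale, the acceptance threshold of 1.0 and the mapping from threats to Annex A controls are constructed assumptions; only the control identifiers and titles are taken from ISO/IEC 27001:2013 Annex A.

```python
# Added example (not from the original slides): a small risk assessment
# over a constructed asset register, using the slide's formula
#   Risk Factor = Asset Value * Exposure Factor * Probability of occurrence
# and deriving a Statement of Applicability (SoA) from the unacceptable
# risks plus legal/contractual obligations. The 1..5 value scale, the
# acceptance threshold, the threat data and the threat-to-control mapping
# are all assumptions chosen for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    # Columns of the asset register template on the slide, plus a value rating.
    sl_no: int
    asset: str
    location: str
    owner: str
    custodian: str
    user: str
    asset_number: str
    value: int  # assumed scale: 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # share of the asset's value lost if it occurs (0..1)
    probability: float  # likelihood of occurrence in the review period (0..1)
    controls: tuple  # Annex A (2013) controls that would treat it; assumed mapping


# Constructed sample register.
ASSETS = [
    Asset(1, "Customer database", "DC-1", "Head of Sales", "DBA team", "Sales staff", "INF-001", 5),
    Asset(2, "HR file server", "HQ", "HR Manager", "IT Operations", "HR staff", "HW-014", 4),
    Asset(3, "Office printer", "HQ", "Facilities", "IT Operations", "All staff", "HW-052", 1),
]

# Constructed threat scenarios, keyed by asset number.
THREATS = {
    "INF-001": [
        Threat("Unauthorised access via weak credentials", 0.8, 0.3, ("A.9.4.2", "A.9.4.3")),
        Threat("Data centre outage", 0.5, 0.1, ("A.17.2.1",)),
    ],
    "HW-014": [Threat("Malware infection", 0.6, 0.5, ("A.12.2.1",))],
    "HW-052": [Threat("Theft", 1.0, 0.2, ("A.11.2.1",))],
}

# Subset of Annex A (ISO/IEC 27001:2013) control titles used in this example.
CONTROL_CATALOGUE = {
    "A.9.4.2": "Secure log-on procedures",
    "A.9.4.3": "Password management system",
    "A.11.2.1": "Equipment siting and protection",
    "A.12.2.1": "Controls against malware",
    "A.17.2.1": "Availability of information processing facilities",
    "A.18.1.4": "Privacy and protection of personally identifiable information",
}

# Assumed: risks above this value must be treated; at or below, the risk owner accepts them.
RISK_ACCEPTANCE_THRESHOLD = 1.0


def risk_factor(asset: Asset, threat: Threat) -> float:
    """The slide's formula; rounded so register rows compare cleanly."""
    return round(asset.value * threat.exposure_factor * threat.probability, 3)


def assess(assets, threats_by_asset, threshold):
    """Build the risk register: one row per (asset, threat), highest risk first."""
    rows = []
    for asset in assets:
        for threat in threats_by_asset.get(asset.asset_number, ()):
            rf = risk_factor(asset, threat)
            rows.append({
                "asset": asset.asset,
                "risk_owner": asset.owner,  # 2013 requires risk owner approval of the treatment plan
                "threat": threat.name,
                "risk": rf,
                "acceptable": rf <= threshold,
                "controls": threat.controls,
            })
    rows.sort(key=lambda r: r["risk"], reverse=True)  # stable sort: ties keep register order
    return rows


def statement_of_applicability(rows, catalogue, mandatory):
    """Select a control if it treats an unacceptable risk or is required by a
    legal/contractual obligation; exclusions carry a justification as well."""
    soa = {}
    for ctrl_id, title in catalogue.items():
        reasons = [f"risk: {r['asset']} / {r['threat']}"
                   for r in rows if not r["acceptable"] and ctrl_id in r["controls"]]
        if ctrl_id in mandatory:
            reasons.append(f"obligation: {mandatory[ctrl_id]}")
        soa[ctrl_id] = {
            "title": title,
            "selected": bool(reasons),
            "justification": reasons or ["no unacceptable risk or obligation identified"],
        }
    return soa


if __name__ == "__main__":
    register = assess(ASSETS, THREATS, RISK_ACCEPTANCE_THRESHOLD)
    for r in register:
        print(f"{r['risk']:>5}  {'ACCEPT' if r['acceptable'] else 'TREAT '}  {r['asset']}: {r['threat']}")
    soa = statement_of_applicability(register, CONTROL_CATALOGUE,
                                     mandatory={"A.18.1.4": "data protection law (assumed)"})
    for ctrl_id, entry in soa.items():
        print(ctrl_id, "selected" if entry["selected"] else "excluded", "-", "; ".join(entry["justification"]))
```

Running the block prints the risk register, highest risk first, with each row marked TREAT or ACCEPT, followed by one SoA entry per catalogue control. In a real ISMS the risk owner signs off the accepted rows and the residual risk after treatment, and the SoA additionally records an implementation status per selected control, which the 2013 revision requires.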
17. Implementation Cost and Timeline
Implementation cost
• Acquiring knowledge (training/consultant)
• Implementation of process tools and new technology
• Employees' time (training/risk assessment)
• Certification body fees
Cost factors
• Number of sites
• Number of employees
• Type of industry
• Existing process maturity
• Number of servers (IT landscape)
Implementation key events
• Security organization
• Asset profiling
• Risk assessment
• Policies and procedures development
• Implementation
• Awareness training
• Internal audit
• Management review
18. Common Implementation Challenges
• Business alignment (management support)
• Allocation of security responsibilities (the IT department is the one driving security)
• Process and people focus (not just technology)
• Communication and delivery of policies and procedures (approachability and availability of policy documents)
• Adequate deployment
• IT challenges
20. Certification Process: Stage 1 Audit (Desktop/Document Review)
• The desktop review (Stage 1 audit) enables the certification body to gain an understanding of the ISMS in the context of the organization’s security policy, objectives and approach to risk management. It provides a focus for planning the Stage 2 audit and is an opportunity to check the organization’s preparedness for implementation.
• It includes a review of the documents:
– Scope document
– Security policy and procedures
– Risk assessment report
– Risk treatment plan
– Statement of Applicability
ISMS documentation hierarchy:
Level 1 – Security Manual: policy, scope, risk assessment, Statement of Applicability
Level 2 – Procedures: describe processes (who, what, when, where)
Level 3 – Work instructions, forms, etc.: describe how tasks and specific activities are done
Level 4 – Records: provide objective evidence of compliance with ISMS requirements
21. Mandatory Documents
A list of certification bodies can be found on accreditation body websites, e.g. http://www.anab.org for the USA, http://www.ukas.com for the UK, and http://www.iaf.nu for all accreditation bodies.
http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/
22. Certification Process (contd.)
Stage 2 Audit (Implementation)
• Based on the Stage 1 audit findings, the certification body produces the Stage 2 audit plan
• It takes place at the organization’s site
• The Stage 2 audit covers:
– Confirmation that the organization is acting in accordance with its own policies, objectives and procedures
– Confirmation that the ISMS conforms with all the requirements of the ISO 27001:2013 standard and is achieving the organization's policy objectives
Stage 3 – Surveillance and Recertification
• The certificate awarded is valid for three years, after which the ISMS needs to be re-certified.
• During this period there will be surveillance audits (e.g. every 6-9 months)
• After three years one needs to go for recertification.
24. THANK YOU
Resources
http://iso27001security.com/
http://www.iso27001standard.com/en
Email: 2contactshankar@gmail.com