
The History and General Issues of ISO/IEC 27000

5th Oct 2016


ISO/IEC 27000 is a family of standards established in 2005. It is the ISMS (Information Security Management System) standard, published jointly by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission). It was the UK government's Department of Trade and Industry that originally requested a standard of this kind. The CCSC (Commercial Computer Security Centre) was also created to carry out work in this area of information technology and security. This work led to the creation of ITSEC and DISC PD003. The PD003 document was developed under the authority of BSI, and in 1995 it became a formal standard, christened BS 7799.

The ISO/IEC 27000 series provides recommendations on the management of information security. It also describes the controls and risks of an Information Security Management System. You have probably heard of the ISO 9000 series for quality assurance and the ISO 14000 series for environmental protection; the 27000 series shares design similarities with both. The 27000 series covers a broad range: it is about much more than just confidentiality, privacy, and other technical or IT-related security concerns. Organizations of many types and sizes can fall under its evaluation jurisdiction. Its main purpose is to allow organizations of all kinds to assess the security risks of their information systems more effectively, so that they can implement the information security solution best suited to their own requirements. Guidance and suggestions are also provided where applicable.

If you look into the history of these standards you will see that BS 7799 consisted of several parts. The first part was amended in 1998; it consisted of the best measures available for Information Security Management at that time. After much discussion among the standards bodies, it was eventually adopted as ISO/IEC 17799. ISO/IEC 17799 was revised in 2005 and was later incorporated into the ISO 27000 series (as ISO/IEC 27002 in 2007). The second part, published in 1999, was known as BS 7799 Part 2 and was titled 'Information Security Management Systems - Specification with guidance for use'. It covered the implementation processes of the ISMS (Information Security Management System). BS 7799 Part 2 was adopted as ISO/IEC 27001 in 2005. There is also a BS 7799 Part 3, likewise published in 2005. It covers 'risk analysis and management' and also conforms to ISO/IEC 27001.

Even a brief look at how this standard system works will be helpful if you are interested in acquiring certification for your organization. Most organizations today have numerous information security systems and controls in place. These systems are typically built up ad hoc and are sometimes severely disjointed or disorganized. In most ordinary security systems, the non-IT information assets are not very well protected when the system is viewed as a whole. To truly fulfill the requirements imposed by the ISO/IEC standard, management should perform the following activities:


  • Examine the information security risks of the organization systematically.
  • Consider the threats, impacts, and vulnerabilities while examining the security risks.
  • Design the security controls and then implement them.
  • Implement risk treatment processes such as risk transfer or avoidance.

A persistent management team is also required to ensure that the ongoing implementation of the new security controls is being carried out. If an organization can maintain all of the aforementioned requirements, it is generally assumed that it will be able to maintain the standards associated with ISO/IEC 27001. (Of course, if an organization implements the security controls stated in ISO/IEC 27002, it will meet many of the requirements of ISO/IEC 27001, but not all of them.) What is usually lacking is a strong, insistent management element, and the same can be said of ISO/IEC 27001 itself. A compliance certification against such a standard provides assurance that a certain level of management is at work, enforcing a higher level of information security.

To become ISO/IEC 27001 certified, an organization needs to go through the following stages.

In the preliminary stage an informal review is conducted. It includes a reference to the existing system and the security policy in place, as well as the RTP (Risk Treatment Plan) and the SOA (Statement of Applicability). At this stage, the organization and the auditors are simply becoming familiar with one another.

In the second stage, a more formal and detailed audit is performed. The ISMS is tested independently against all the requirements stated in ISO/IEC 27001. The auditors want confirmation that the existing management system is designed and implemented properly, and they will seek all available evidence to verify this. For example, they may check that a security committee regularly oversees the ISMS. If your company passes this stage, it becomes eligible to receive ISO/IEC 27001 certification.

In the third stage, a formal audit is performed to ensure that the company remains in accordance with the standard as stated in its objectives. To maintain the certification, periodic re-assessments are performed to ensure that the security systems and controls are being used and maintained as stated and planned. This audit should be performed annually, but may be more frequent if desired.

Certifications like ISO/IEC 27000 confirm the information security standards of a company, which in turn increases its credibility with customers and consumers. The world is constantly changing. If you want everyone to know that your company keeps up with emerging standards, then you should definitely work toward getting your company certified against ISO/IEC 27000.


Want to know more about the ISO/IEC 27002 standard and prepare for a formal certification exam? Register for the ISO/IEC 27002 Foundation Class.