Standards & Audits | About PDCA | PDCA Services | Glossary | Miscellaneous |

ISO 27000 History:
The seeds of the standards were sown originally by the UK Government´s DTI (Department of Trade and Industry).  Their Commercial Computer Security Centre (known as the CCSC) was charged with several major tasks in this area.  One of these was to create a security evaluation criteria for IT security products, whilst another was the creation of a code of good security practice for information security.  The first of these led to the creation of what became known as ITSEC.  The second led to the publication of a document known as DISC PD003, which followed further development by the Manchester based NCC (National Computing Centre) and a consortium of user organizations.  PD0003 was organized into 10 sections, each outlining numerous objective and controls.  Despite being published in the early 1990´s its format and content still very much resemble the current ISO 17799/27002 standard.  The PD0003 document continued development under the custodianship of BSI.  It eventually became a formal standard, known as BS7799, in 1995.

The International Standards Organization (ISO) has recently revised what has become the de facto document for creating and maintaining a secure enterprise, today known as the ISO/IEC 27000 standard.

The ISO 27000 series of standards have been specifically reserved by ISO for information security matters.  This of course, aligns with a number of other topics, including ISO 9000 and ISO 14000.

As with the above topics, the 27000 series will be populated with a range of individual standards and documents.  A number of these are already well known, and indeed, have been published.  Others are scheduled for publication, with final numbering and publication details yet to be determined.

This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

About ISO 27000:
ISO 27000 is the generic name assigned for standards related to information security issues and topics.  The first of these was ISO 27001, which is the specification for an ISMS.  In the first half of 2007, ISO 27002 was published.  This was not a replacement for ISO 17799:2005, but simply a rename.  Also in the first half of 2007, ISO 27006 was published.  This stated the ´Requirements for Bodies Providing Audit and Certification of an Information Security Management System´

However, others are expected to follow over the next few years.  The current expectations for other 27000 standards are as follows:
- ISO 27003 will offer ISMS implementation guidelines
- ISO 27004 will cover information security metrics and measurements
- ISO 27005 is expected to cover ISMS risk management
This standard is a general framework to describe and develop quality management and quality assurance for educational organizations.  Since the standard only provides a framework to develop quality based on the organizations requirements and needs.

Implementing ISO 27000:
A high level view of the major steps in the process.  The details will vary from situation to situation.  The main activities are as follows:
- Get management support: this typically involves raising management´s awareness of the costs and benefits of having a ISO/IEC 27001 compliant ISMS.  A great way to start is to raise management´s awareness of some of the key current information security risks and potential good practice controls (drawn from ISO/IEC 27002) that are not yet in place, perhaps through a "gap analysis" (outline risk assessment) followed by a business case and/or strategy for the security improvement (ISMS implementation) program.
- Define ISMS scope: what businesses, business units, departments and/or systems are going to be covered by your Information Security Management System
- Inventory (information assets): the inventory of information systems, networks, databases, data items, documents etc. will be used in various ways
- Conduct an information security risk assessment: ideally using a recognized formal method but a custom process may be acceptable if applied methodically.
- Prepare a Statement of Applicability: according to ISO/IEC 27000, the SOA is a documented statement describing the control objectives and controls that are relevant and applicable to the organization´s ISMS.  Which of the control objectives from ISO/IEC 27002 are applicable to the organization ISMS, and which are irrelevant, not appropriate or otherwise not required.  Document these management decisions in your SOA; and in parallel, prepare Risk Treatment Plan, ISO/IEC 27000 describes the information security RTP as a plan that identifies the appropriate management actions, resources, responsibilities, timeliness and priorities for managing information security risks.
- Develop ISMS implementation program: given the scale, it is generally appropriate to think in terms of an overall program of individual projects to implement various parts of ISO/IEC 27002.
- Run the ISMS implementation program: through the individual project plans, the implementation team sets to work to implement the controls identified in the RTP.  Conventional program and project management practices are required here, meaning proper governance, planning, budgeting, progress reporting, project risk management and so forth.  If the program is large, seek professional program management assistance.
- Operate the ISMS: as each project in the program fills in part of the ISMS, it hands over a suite of operational security management systems and processes, accompanied by a comprehensive set of policies, standards, procedures, guidelines etc.  Operating the ISMS has to be an ongoing routine activity for the organization.  The Information Security Management function needs to be established, funded and directed, and many other changes are likely to be required throughout the organization as information security becomes part of the routine.

- Collect ISMS operational artifacts: the ISMS comprises the organization framework of security policies, standards, procedures, guidelines etc., and it routinely generates and uses security logs, log review reports, firewall configuration files, risk assessment reports etc. ... all of which need to be retained and managed.  These artifacts are crucial evidence that the ISMS is operating correctly.
- Review compliance: Section 15 of ISO/IEC 27002 covers compliance with both internal requirements (corporate policies etc.) and external obligations (such as laws and industry regulations).  The ISMS itself needs to incorporate compliance testing activities which will generate reports and corrective actions.  Internal compliance assessments, and perhaps external/independent assessments (audits, penetration tests etc.) are therefore routine activities in a mature ISMS.  The ISMS operational artifacts produced in step 9 are a major source of evidence for such compliance activities, they give the auditors something to test.
-Undertake corrective actions: to improve the ISMS and address risks.  The "Plan-Do-Check-Act" Deming cycle is central to the "management system" part of ISMS and should result in continuous alignment/re-alignment between business requirements, risks and capabilities for information security.  As with quality management systems, the idea is to give management a means of controlling information security management processes systematically such that they can be continually monitored and improved, not least because perfect security is an unattainable goal in any real world situation.
- Conduct a pre-certification assessment: when the ISMS has stabilized, a certification body or other trusted, competent and independent advisor is invited by management to check whether the ISMS is functioning correctly.  This is largely a compliance assessment but should ideally incorporate some independent review of the scope, the SOA and RTP to make sure that nothing important has been missed out of the ISMS, especially as the business situation and information security risks have probably changed in the months or years that it will have taken to implement the ISMS.  It is a golden opportunity for the organization to identify and tie up any remaining loose ends before the actual certification audit.
- Certification audit: when management is sure that ISMS is stable and effective, management selects and invites an accredited certification body to assess and hopefully certify that the ISMS complies fully with ISO/IEC 27001.  The auditors will check evidence such as the SOA, RTP, operational artifacts etc. and will attempt to confirm that the ISMS (a) is suitable and sufficient to meet the organization´s information security requirements in theory i.e. it is correctly specified; and (b) actually meets the requirements in practice i.e. it is operating as specified.
- Publish: the ISO/IEC 27001 certificate is a valuable asset.  The organization should be proud of what it has achieved, knowing of course that information security is never really done.  With certified ISMS operating normally, organizations must take a good look at the information security arrangements in place at the supply chain: are suppliers, partners and customers also certified? Do they need encouragement?...

Application and Benefits of ISO 27000:
The strength of this document is derived from the meticulous attention to detail provided by the many contributing authors and organizations as well as the applicability of the standard to the realities of doing business today.  The standard seeks to offer best practice guidance regarding all manner of security issues and can assist any organization that chooses to adopt it to develop a truly security minded corporate culture.
The benefits of standardization and of implementation of one or more of the ISO 27000 series are wide and diverse.  Although they tend to differ from organization to organization, many are common:
- Interoperability: This is a general benefit of standardization.  The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.
- Assurance: Management can be assured of the quality of a system, business unit, or other entity, if a recognized framework or approach is followed.
- Due Diligence: Compliance with, or certification against, and international standard is often used by management to demonstrate due diligence.
- Bench Marking: Organizations often use a standard as a measure of their status within their peer community. It can be used as a bench mark for current position and progress.
- Awareness: Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.
- Alignment: Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater IT and Business alignment often results.

  web design and development
Consultancy firm that specializes in helping the Food   Packaging industries

Food Safety Auditor Professional Coaching