Tag: 27001

ISO 27001 Domains, Control Objectives and Controls

ISO 27001 has for the moment 11 Domains, 39 Control Objectives and 130+ Controls. Following is a list of the Domains and Control Objectives.

1. Security policy
Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

2. Organization of information security
Internal organization
Objective: To manage information security within the organization.
External parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

Continue reading ISO 27001 Domains, Control Objectives and Controls

ISO 27001 Certification Statistics

How many companies have certified under ISO 27001? You can find the answer here. So, under 7300 as of mid-August 2011.

Now, in another report from April 2008, there were 4500 certificates. With the distribution: Japan (2550); UK (370);India (430); Taiwan (175); China(110); Germany (90); and then a group of countries (Hungary, Italy, USA, & Korea) at 60.

The distribution remained pretty much the same, with Japan holding more than half of world-wide certifications. Japanese are mad about productivity, so by adopting a standard they accept a set of rules that work.

Continue reading ISO 27001 Certification Statistics

ISMS Certification vs Conformity

So, as stated here you can certify against ISO/IEC 27001 only. But why certify? Here are some reasons provided by certification bodies.

Certification finds no basis in legislative or regulatory requirement, so why bother? The best answer is to validate that investment in security controls meets business goals and provides business value. Business value is found in managing business risk, achieving high levels of legislative and regulatory compliance, and managing vulnerabilities and threats. The ISO security standards provide a disciplined approach to information security, business risk management, and compliance management. Certification provides an independent validation that the organization has applied that discipline effectively and proves due diligence on the part of executives and management, that they are addressing the information security needs of
the organization.

Continue reading ISMS Certification vs Conformity

The ISO/IEC 27000 Set of Standards Overview

The ISO/IEC 270xx is a set o standards regarding Information Security Management Systems (ISMS). The developer of this standards is the International Organization for Standardization http://www.iso.org/.

ISO/IEC 27001 and ISO/IEC27002 are derived from ISO/IEC 17799:2005 who is derived from BS7799 (British Standard).

Many standards regarding ISMS are under development and the published ones are subject to periodical reviews.

The ISO/IEC 2700x family is composed of three main categories:

  1. ISMS family of standards (ISO/IEC 27000 – ISO/IEC 27010) – covering specification, metrics, implementation guides, audit guides, risk management
  2. Sector specific requirements (ISO/IEC 27011 – ISO/IEC27030) – Telecos; Healthcare; Automotive; Lotteries
  3. Operational guidance (ISO/IEC 27031 – ISO/IEC 27059)
    Continue reading The ISO/IEC 27000 Set of Standards Overview