BS7799 – Dan Vasile, InfoSec Adventures, https://pentest.ro

ISO 27001 Certification Statistics
https://pentest.ro/2011/08/16/iso-27001-certification-statistics/ (Tue, 16 Aug 2011)

How many companies have certified under ISO 27001? The current count is just under 7300 certificates as of mid-August 2011.

For comparison, a report from April 2008 counted 4500 certificates, distributed as follows: Japan (2550); UK (370); India (430); Taiwan (175); China (110); Germany (90); and then a group of countries (Hungary, Italy, USA and Korea) at around 60 each.

The distribution has remained pretty much the same, with Japan still holding more than half of the world-wide certifications. Japanese industry is very focused on productivity and process, so adopting a standard means accepting a set of rules that are known to work.

China jumped from 110 to almost 500, and India reached almost 530. These two countries are huge producers of security equipment and software development services, and their western clients wanted assurance about the procedures behind them. Relative to the size and population of these countries the number of certifications is still small, so we should expect further growth. Taiwan, now at 430, falls into the same category.

The UK is the champion of the rest-of-the-world team. It is the financial centre and an economic power of Europe, it initiated the standard via BS7799, and it has a culture of rules and regulations.

On the other hand, the US has only just reached 100 certificates (the Czech Republic has 101). It seems this standard is not well accepted in the New World. In the US the major compliance driver is the Sarbanes-Oxley Act, which aligns better with COBIT and ITIL, hence the poor adoption of ISO 27001.

The ISO/IEC 27000 Set of Standards Overview
https://pentest.ro/2011/08/16/the-iso-iec-27000-set-of-standards-overview/ (Tue, 16 Aug 2011)

ISO/IEC 270xx is a set of standards covering Information Security Management Systems (ISMS). They are developed jointly by the International Organization for Standardization (http://www.iso.org/) and the International Electrotechnical Commission (IEC).

ISO/IEC 27002 is the renumbered ISO/IEC 17799:2005, which itself derived from BS7799 Part 1 (the British Standard code of practice); ISO/IEC 27001, the certifiable ISMS requirements specification, derived from BS7799 Part 2.

Many standards regarding ISMS are under development and the published ones are subject to periodical reviews.

The ISO/IEC 270xx family is composed of three main categories:

  1. ISMS family of standards (ISO/IEC 27000 – ISO/IEC 27010) – covering specification, metrics, implementation guides, audit guides and risk management
  2. Sector-specific requirements (ISO/IEC 27011 – ISO/IEC 27030) – telecoms; healthcare; automotive; lotteries
  3. Operational guidance (ISO/IEC 27031 – ISO/IEC 27059)

The published standards are:

  • ISO/IEC 27000 — Information security management systems — Overview and vocabulary
  • ISO/IEC 27001 — Information security management systems — Requirements
  • ISO/IEC 27002 — Code of practice for information security management
  • ISO/IEC 27003 — Information security management system implementation guidance
  • ISO/IEC 27004 — Information security management — Measurement
  • ISO/IEC 27005 — Information security risk management
  • ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC 27031 — Guidelines for information and communications technology readiness for business continuity
  • ISO/IEC 27033-1 — Network security overview and concepts
  • ISO 27799 — Information security management in health using ISO/IEC 27002

Other standards under development in this family:

  • ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
  • ISO/IEC 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
  • ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
  • ISO/IEC 27014 — Information security governance framework
  • ISO/IEC 27015 — Information security management guidelines for the finance and insurance sectors
  • ISO/IEC 27032 — Guideline for cybersecurity (essentially, ‘being a good neighbor’ on the Internet)
  • ISO/IEC 27033 — IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
  • ISO/IEC 27034 — Guideline for application security
  • ISO/IEC 27035 — Security incident management
  • ISO/IEC 27036 — Guidelines for security of outsourcing
  • ISO/IEC 27037 — Guidelines for identification, collection and/or acquisition and preservation of digital evidence