Information Security Standards - ISO/IEC 27000 Series
(Page 2 of 4 )
The Geneva-based International Organization for Standardization was formed in 1947 to promote worldwide standards and practices for industry and commerce. The first of the 27000 series of standards, a certification standard for an information security management system (ISMS), was published in 2005 as ISO/IEC 27001. Its roots are older: the series' code of practice descends from ISO/IEC 17799, published in 2000 (itself derived from the British standard BS 7799), at a time when the growth of the Internet was fueling a rapidly increasing awareness of the importance of security in the IT industry.
That awareness was hampered by the lack of an agreed approach. Deliberately broad in scope so that it stays relevant to organizations of very different sizes, the ISO27k series, as it is often known, sets out a process by which security management can be addressed methodically and effectively. At the time of writing, three standards in the series have been published: 27001, 27002 and 27006. A dozen more are at various draft stages.
ISO/IEC 27001
The 27001 standard sets out the requirements an organization's ISMS must meet to achieve certification. Over 4,400 organizations internationally currently hold a certificate against the standard. Certification proceeds in three main stages.
Documentation Review (Stage 1 audit). The certification body reviews the organization's key ISMS documentation, such as the security policy, the scope statement, the risk assessment and the Statement of Applicability, to confirm that the system is designed as the standard requires.
Detailed Audit (Stage 2 audit). The auditors verify on site that the processes and controls described in the documentation are actually in place and operationally effective, by sampling records, interviewing staff and inspecting systems.
Follow-up Audit (surveillance). Periodic surveillance audits, typically annual, check that the ISMS continues to conform and that nonconformities raised earlier have been corrected.
Between each stage, modifications and adjustments to the ISMS may be required based on the previous stage's findings.
The standard specifies seven key activities in running a certified ISMS: establish, implement, operate, monitor, review, maintain and improve the system, following the Plan-Do-Check-Act cycle. As a management standard it does not mandate specific technical controls so much as specify the management processes (risk assessment, risk treatment, management review, internal audit and corrective action) that an organization must use to identify the controls appropriate to it or to its various parts.
ISO/IEC 27002
The purpose of the 27002 standard is more advisory in nature than 27001. It sets out a structured catalogue of information security controls (133 controls grouped into 11 security clauses in the 2005 edition), the selective and appropriate use of which helps to achieve conformity with 27001, whose Annex A mirrors the same list. However, it is neither an exclusive nor a compulsory list: organizations are at liberty to implement controls not specifically listed, so long as they are effective and conform to the requirements outlined in 27001.
In principle an organization could justify selecting very few of the listed controls, although in practice this is rare. Every control that is excluded must be recorded, with the reason for its exclusion, in the Statement of Applicability, and the ISO is at pains to point out that if an organization declines to implement controls that are widely recognized as fundamental to good security practice, it must be prepared to demonstrate to the auditors that the decision follows from its risk assessment and is rationally justified, rather than being the result of negligence.
ISO/IEC 27006
The 27006 standard sets out the requirements that certification bodies must meet when auditing and certifying an ISMS, covering auditor competence, audit duration and the certification process itself. Its chief purpose is to support the accreditation of certification bodies, so that a 27001 certificate issued by one accredited body carries the same weight as one issued by another.
Further information:
http://www.27000.org/
http://iso27001security.com/html/iso27000.html
By Bruce Coker