(ISO/IEC 17799), detail 133 security measures, which are organized into 11 sections and 39 control objectives. These sections specify the best practices for:
• Business continuity planning
• System access control
• System acquisition, development and maintenance
• Physical and environmental security
• Compliance
• Information security incident management
• Personnel security
• Security organization
• Communication and operations management
• Asset classification and control
• Security policies
The ISMS may be certified as compliant with ISO/IEC 27001 by a number of accredited registrars worldwide. The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage audit process:
• Stage 1—Informal review of the ISMS that includes checking the existence and completeness of key documents such as the:
– Organization’s security policy
– Risk treatment plan (RTP)
– Statement of applicability (SOA)
• Stage 2—Independent tests of the ISMS against the requirements specified in ISO/IEC 27001. Certification audits are usually conducted by ISO/IEC 27001 lead auditors.
• Stage 3—Follow-up reviews or periodic audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic reassessment audits to confirm that the ISMS continues to operate as specified and intended.
Independent assessment necessarily brings some rigor and formality to the implementation process, and it must be approved by management. ISO/IEC 27001 certification should help assure most business partners of the organization’s status regarding information security without the business partners having to conduct their own security reviews.
Planning
As in all compliance and certification initiatives, consideration of the organization’s size, the nature of its business, the maturity of the process in implementing ISO 27001 and the commitment of senior management are essential. The most important departments and activities that will be vital to the success of the project include:
• Internal audit—During the initial planning phase, the input from internal audit will be useful in developing an implementation strategy, and early involvement of internal auditors will be useful during the later stages of certification that require review by management.
• IT—The IT department will have to dedicate resources and time to the activities associated with the ISO 27001 initiatives. An inventory of existing IT compliance initiatives, procedures and policies, and the maturity of existing IT processes and controls will be useful to gain an understanding of how the existing processes align with ISO 27001 requirements.
Although implementation of policies and procedures is largely perceived as an IT activity, other departments play an important role in the implementation. For example, facilities management is largely responsible for physical security and access controls.