Tuesday, July 31, 2007

ISO 17799 and ISO 27001 FAQ

1) Which ISO17799 controls are most important?
That largely depends upon the individual organization. However, ISO17799 does give some guidance, in the form of 'legislative essentials' and 'common best practice' under the IS "starting point" section. These are:
- intellectual property rights (12.1.2)
- safeguarding of organizational records (12.1.3)
- data protection and privacy of personal information (12.1.4)
- information security policy document (3.1.1)
- allocation of information security responsibilities (4.1.3)
- information security education and training (6.2.1)
- reporting security incidents (6.3.1)
- business continuity management (11.1)

2) What is a Certification body?
An accredited certification body is a third party organization that assesses/certifies the IS management system against the standard (BS7799-2 / ISO 27001).

3) Who are the Accredited Certification bodies for the standard?
There are a growing number of organizations accredited to grant certification against ISO27001. The following are amongst them: BSI, Certification Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH

4) How do I become a certified auditor?
The International Register for Certified Auditors operates a certification scheme for ISMS auditors.

5) How does this standard fit with ISO 9000?
BS7799 is actually being "harmonized" with other management standards, including ISO 9000 and ISO 14000. Watch this space!

6) Who originally wrote the security standard?
Originally a BSI/DISC committee, which included representatives from a wide section of industry/commerce. It was reviewed subsequently by an ISO (International Standards Organization) committee and ultimately emerged through the ISO publication process.

7) What is the ISO 17799 Toolkit?
This is the main support resource for the standard, including the standard itself, ISO 17799 policy templates, etc.

8) What is ISO/IEC Guide 62?
This is largely for those bodies operating certification schemes and contains general requirements applicable to them.

9) What is ISO 27001?
BS7799-2, the original specification for an information security management system, was 'fast tracked' by ISO to become ISO 27001 in 2005. It is also suggested that ISO17799 may be renamed to ISO 27002 at some point in the future, thus creating an ISO 27000 series of standards.
