Search in ISMS Guides


Thursday, July 26, 2007

ISO 27001: Frequently asked questions

What is information security?
Information security is the protection of information to ensure:

  • Confidentiality: ensuring that the information is accessible only to those authorized to access it.
  • Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
  • Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).

What is an ISMS?
An Information Security Management System (ISMS) is a management system based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. ISO/IEC 27001 (BS 7799) is a standard for information security that focuses on an organization’s ISMS. Other standards for information security are much more specific and have a different focus:

  • IT systems (FISMA and ISO 13335-2)
  • Product (Common Criteria, ISO 15408, FIPS 140-2)

Why should I certify my ISMS?
Certification of a management system brings several advantages. It gives an independent assessment of your organization’s conformity to an international standard that contains best practices from experts for ISMS. A certified ISMS does not guarantee compliance with legislative and local policies, but provides a systematic platform to build on.

Drivers for certification include:

  • Meeting U.S. legislative requirements directly:
    • Sarbanes-Oxley Act of 2002, Section 404
    • SAS/70 requirements
    • HIPAA requirements (Security rule)
    • Gramm Leach Bliley Act of 2002
    • California’s privacy laws including SB 1436
  • Meeting legislative and regulatory requirements indirectly:
    • Privacy legislation
    • Managing the need to meet international legislative requirements
  • As part of a supplier management program:
    • Some major corporations prefer suppliers that can prove they meet best-practice standards.
    • In some industries, certification is demanded by customers. This is often seen in finance related industries, data centers, and online service providers.
  • As a measure and independent evidence that industry best practices are being followed.
  • To reduce insurance premiums:
    • In some cases insurance premiums can be reduced if you can prove that you meet the best practice standards
  • As part of a corporate governance program
    • Corporations must take care to meet the best practices and often need to show stakeholders such as sponsors, shareholders, and financers that they take good care of information security.
  • May offer competitive advantage; ISO/IEC 27001 (BS 7799) certification might be a differentiating factor between you and your competition.

What is the history and future of the standards?
The ISMS standard was first published as British Standard (BS) 7799 in two parts:

  • The code of practice: BS 7799-1, which later became ISO/IEC 17799 and is planned to be renumbered as ISO/IEC 27002.
  • The management system that can be used as a standard for certifying an organization, which was originally published as BS 7799-2 and has been released as an international standard, ISO/IEC 27001.

Throughout this FAQ we emphasize the new names for the standards.

What are the main concepts of ISO/IEC 27001 (BS7799)?

  • All activities must follow a method. The method is arbitrary but must be well defined and documented.
  • The standard requires a company to specify its own security goals. An auditor will verify whether these requirements are fulfilled.
  • All security measures shall be the result of a risk analysis.
  • The standard offers a set of security controls. It is up to the organization to choose which controls to implement based on the specific needs of their business.
  • A process must ensure the continuous verification of all elements of the security system through audits and reviews.
  • A process must ensure the continuous improvement of all elements of the security system.

What is ISO/IEC 27001 (BS 7799), and how does an ISMS relate to it?
British Standard 7799 (BS 7799) is an internationally-recognized standard describing the protection of information assets:

  • ISO/IEC 17799 (also known as BS 7799 Part 1), a code of practice for information security management. It will be renumbered to ISO/IEC 27002.
  • BS 7799 Part 2, the specification for an ISMS that can be used as the basis for certification. It has been adopted as an international standard, ISO/IEC 27001.

Why does ISO/IEC 17799 (BS 7799 Part 1) matter?
ISO/IEC 17799 is a code of practice for information security managers. It matters because it documents the best-practice security objectives and the associated controls (safeguards) that help support those objectives. This part of the standard will be renumbered ISO/IEC 27002 in 2007.

Why does ISO/IEC 27001 (BS 7799 Part 2) matter?
ISO/IEC 27001 (BS 7799 Part 2) is the specification for an ISMS. It explains how to apply ISO/IEC 17799. It matters because it provides the standard against which certification is performed including a list of mandatory documents. An organization that seeks ISO/IEC 27001 certification is examined against the management system standard.

How does ISO/IEC 27001 (BS 7799) relate to other management system standards (ISO 9001 and 14001)?
ISO/IEC 27001 (BS 7799-2) is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental management systems) standards. The three standards share system elements and principles, including adopting the PLAN, DO, CHECK, ACT cyclic process. This approach makes it possible to integrate the systems to the extent it makes sense.

Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001 (BS 7799-2)?
If information assets are important to your business, you should consider implementing an ISMS in order to protect those assets within a sustainable framework.

If you implement an ISMS, you should consider going through the process to be certified against the ISO/IEC 27001 standard. ISO/IEC 27001 and BS 7799 continues to build a reputation for helping to model business practices that enhance an organization’s ability to protect its information assets. A growing number of organizations around the world have already gone through the certification process.

How can I get a copy of the standards?
The standards are copyright protected text and must be purchased.

For ISO standards including ISO/IEC 27001, contact ANSI

Or you can purchase from ISO directly:

Risk Assessment and Risk Management
A responsible organization will assess the risk to its identified information assets, make decisions about which risks are intolerable and therefore need to be controlled, and manage the residual risks through carefully-considered policies and procedures.

What is risk assessment?
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence.

What is risk management?
Risk management is the process of identifying, controlling, and minimizing or eliminating security risks.

Why are risk assessment and risk management relevant to information security?
In the real world, the cost of protecting information must be balanced against the potential cost of security breaches. A company must fully understand the security risks it faces in order to determine the appropriate management action and to implement controls selected to protect against these risks.

How is risk assessment related to ISO/IEC 27001 (BS 7799)?
Selecting the right set of controls requires the use of a risk assessment-based approach. This approach is a mandatory part of the PLAN (identify, analyze and evaluate the risks), DO (select, implement, and use controls to manage the risks to acceptable levels), CHECK, and ACT cyclic process defined in BS 7799-2 for the establishment, implementation, and maintenance of an ISMS.

Does ISO/IEC 27001 (BS 7799) define the methodology for risk assessment?
The standard specifies only that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). A specific methodology is not prescribed; here are some published examples.
ISO/IEC 13335 (Management of information and communications technology security
NIST SP 800-30 (Risk Management Guide for Information Technology Systems)

After implementation, must the organization re-assess risks?
An organization that manages change effectively has a better chance of survival. The PDCA process model provides a means of assessing the risks an organization is challenged with as a result of changes in the business environment.


What is ISMS certification?
ISO/IEC 27001 is the standard that specifies an ISMS . A third party can audit an ISMS and if satisfied that it is true can certify that an organization is compliant with this standards.

What is a certification body (CB)?
A certification body (also called a registration body, assessment and registration body, or registrar) is an independent third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.

Who accredits certification bodies?
Accreditation organizations have the responsibility of assessing the competence of certification bodies to perform ISMS assessments. These accreditation organizations are often, but not always national in scope. Examples of accreditation bodies are ANAB, UKAS, DAR.

It is vital that your certification body is accredited by a reputable accreditation organization otherwise your certificate might be worthless.

What is the Certification Process?
1. Assess if your ISMS is ready for certification.

  • Is your ISMS conformant with the standard?
  • Do you need to do work to get it ready?

2. Identify an accredited CB

  • Find a CB (Many are listed on
  • Agree and sign a contract wit the CB (Generally this is a 3 year commitment)
  • Agree the Schedule.

3. Go through the audit process:

  • Stage 1 audit (also known as a desktop audit). Here the CB examines the mandatory ISMS documentation.
  • Take action on the results of the stage 1 audit.
  • Stage 2 audit (on-site audit). Here your CB sends an audit team to examine your implementation of the ISMS.
  • Address audit findings and agree on a surveillance audit schedule.

4. When your ISMS is found to be conformant, the CB recommends to its validating committee that the ISMS is compliant with the standard, and if the validation committee agree then they issue the certificate. (Depending on the organization this can take a few weeks to several months)

5. Go through the surveillance audit as scheduled with the CB

6. Keep your CB informed of any significant changes affecting your ISMS

7. Re-certification after three years.

How long is a certificate valid?
Usually certificates have a limited validity only. The maximum term of validity is three years.

Will I be supervised by the certification body?
Yes. The certification body will conduct regular continuing assessments of your ISMS. You are also obliged to announce major changes of your ISMS. The certification body will then decide on the necessity of additional checks.

Can a certificate be withdrawn?
Yes. In the case of a minor non-conformity, the auditor will require you to write a corrective action plan and will verify its implementation. If identified non-conformities are not quickly eliminated, the certificate will be revoked.

Can I return a certificate?
Yes, but before you do so, contact your CB.

How do I choose a CB?
You could consider including the following factors as you make your choice from among available CBs:

  • Who are they accredited by?
  • Do they have expertise in your business area?
  • What resources do they have?
  • What is their schedule?
  • What is their reputation and do they have references?
  • What is the cost of certification?

What expertise does atsec have in ISMS?

  • atsec employees have over 500 years of experience in information security
  • atsec have consulted and implemented ISMS for many customers including Vodafone, Swisscom Mobile, and Axalto
  • atsec’s expertise is in demand – our consultants speak at international conferences and author books and articles about information security management.
  • atsec employees were and are members of standardization organizations including ISO:
    • Oliver Weissmann – Co-editor of ISO/IEC 17799, Active leadership role in WG1
    • Fiona Pattinson – INCITS CS1 Committee (US ISO SC27 TAG), US chapter of International ISMS Users Group co-chair
  • atsec mandate ISO/IEC 27001 (BS 7799) lead auditor training for ALL technical employees.
From : atsec information security


Anonymous said...


I like this post very much. It help me to solve some my work under my director’s requirements.

Apart from that, below article also is the same meaning

ISO 9001 principles

Tks again and nice keep posting

ISO 27001 Certification said...

ISO 27001 Training is an international standard giving requirements related to Information Security Management System in order to enable an organization to assess its risk and implement appropriate controls to preserve confidentiality, integrity and availability of information assets. The fundamental aim is to protect the information of your organization getting into the wrong hands or losing it forever.

Unknown said...

useful information .thanks for sharing.
ISO Certification Body in India

Unknown said...

thanks for sharing about Information Security Management System.ISMS Certification In India

Unknown said...

nice blog !! i was looking for blogs related of iso certification india . then i found this blog, this is really nice and interested to read.

Zab said...

Thanks for sharing. I like your thoughts and with that I want to share an article regarding the benefits of being an ISO certified company.

Unknown said...

The information on this blog is very useful and very interesting. If someone needs to know about the just clickISO certification cost in india | ISO certification cost | ISO certification cost in bangalore

Loginfotech said...

Best iso certification consultancy in singapore,that provides iso certification,iso 9001:2015,9001 qms training,qms consulting,iso 14001:2015,14001 training,45001:2016,45001 training,27001 training,iso 9001:2015 certification,14001:2015 certification,ohsas18001:2007 certification,iso 45001:2016 certification,iso 27001:2013 certification,iso 29990:2010 certification,iso 45001:2016 certification,lsp iso 29990:2010,iso 9001 internal auditor course,resident engineer,resident technical officers,man power providers,consultancy,providers,bizsafe,technical staff,re,rto,part-time rto,precast trained supervision staff in singapore,managing projects. Rstar

Unknown said...

Thank you sharing the knowledge about ISO 27001 certification, this is beneficial for get information about quality system.

Unknown said...

thank u for posting this informative content
iso 27001 certification in kolkata
Informatio Security Management Services in kolkata

Unknown said...

It's Very Informative Blog... Thanks for Posting...

$ud!p R0y said...

Information and the contain are good and easy language is used to understand.

URS India Certification said...

Thanks for sharing such best information with us. I hope you will share some more information about ISMS (information Security Management System ). Please keep sharing.

ISO 22000 FSMS Certification

John Street said...

Very Nice and informative blog.! thanks for sharing the information about ISO 27001 certification. Get your information security ISO 27000 certification with our experienced team from IQC Global.

mtom said...

Your current posts usually possess a decent amount of really up to date info. Where do you come up with this? Just stating you are very imaginative. Thanks again QMS Audits

Unknown said...

This is a very helpful topic on ISO certification because i will provide your blog for my project which is iso auditor certification 

Unknown said...

How to can we improve the risk management in Food organization through iso certification body.

Green TQM said...

This article was very useful. Keep on sharing your ideas related to it.
iatf certification in chennai
iatf 16949 certification bodies in chennai

Ansa Certifications said...

Great stuff. Waiting for your next post. Thanks for sharing!

See more @ list of ISO 9712 certification in Chennai

sanjeevkumar said...

Nice Post and Thanks for sharing your knowledge with us ISO 27001 – ISMS

Unknown said...

Excellent Blog. I really want to admire the quality of this post. I like the way of your presentation of ideas, views and valuable content. No doubt you are doing great work. I'll be waiting for your next post. Thanks .Keep it up! ISO Certification Service in Delhi

Muskaan Khanaa said...

Amazing article about iso certification

Ansa Certifications said...

Excellent blog. AMazing article about ISO Certifications and ISMS.
ISO 9712 certification in Chennai

Petronext International said...

Thank you for post this blog which is very helpful information.
ISO training in Abu Dhabi
Investment in dubai

Ansa Certifications said...

Thanks for sharing valuable comments. It's very useful to me. Thank you.
ISO 9712 consultants in Tamil Nadu
ISO 9712 consultants in India

Unknown said...

Sometime few educational blogs become very helpful while getting relevant and new information related to your targeted area. As I found this blog and appreciate the information delivered to my database.iso consultant

Mars Consultants said...

I agree with you. Thank you for sharing the update. It is interesting to have it discussed widely, so that we can gain more objective opinions.
iso consultants in Chennai
best iso consultant in Chennai

Ansa Certifications said...

Process thinking is another important component of security management system, which involves a series of steps that take inputs from suppliers and transform them into outputs that are delivered to customers. Thank you
ISO 9712 certification
ISO 9712 certification in India

ISO Certification Body - SIS Certifications said...
This comment has been removed by the author.
ISO Certification Body - SIS Certifications said...

Thanks for sharing the information. To know more about ISO 27001 Certification

Charles Wilson said...

Great piece of article on ISO 27001. Thanks for sharing your views on ISO 27001. But as an online ISO document seller i prefer, this organization ISO 27001 certification has great understanding over certification consultancy process.

oSs Certification said...

This is a very important blog for everyone. I read and I really like it. So thank you guys.

ISO 22000 Certification
ISO 45001 Certification

isoconsultation said...

Hi there, just became aware of your blog through Google, and found that it’s really informative
ISO Certification in Saudi Arabia
ISO 9001 Certification in Saudi Arabia

Ahemed said...

Wonderful blog & good post.Its really helpful for me, awaiting for more new post. Keep Blogging!

iso 27001 lead auditor online training

ISOQATAR said...

Thank you for your valuable information about ISO 27001 Certification course.

iso uae said...

Nice Post and Thanks for sharing your knowledge with us ISO 27001 Certification

James Williams said...

Wonderful blog & good post.Its really helpful for me, awaiting for more new post. Keep Blogging!

ISO 27001 Certification

URS Certification said...

Thanks for sharing the information. To know more about ISO 27001 Certification By URS India.
URS India is the leading ISO Certification services provider(ISO 9001, ISO 45001, ISO 14001, ISO 13485, ISO 22000, ISO 27001,ISO 50001, HACCP, GMP, IATF16949 and other) who offers ISO Certification standards to improve your business operational efficiency.

leezydavid said...

Nice post! It is really very helpful for us. If anyone want to know the details about ISO 27001 Certification Cost

BAHRAIN said...

This is really an awesome article. Thank you for sharing this.It is worth reading for everyone. ISO 27001 Certification

iso uae said...

Nice post! It is really very helpful for us. ISO 27001 Certification

leezydavid said...

I believe there are many more pleasurable opportunities ahead for individuals that looked at your site

ISO 27001 accreditation

BAHRAIN said...

Thanks for your blog.Internal auditor training

iso uae said...

Thanks for your sharing. ISO 27001 training

iso uae said...

This is a very important blog for everyone. I read and I really like it. So thank you guys.ISO 27001 Certification

lithincruzz said...

I believe there are many more pleasurable opportunities ahead for individuals that looked at your site

ISO 27001 Certification Cost

iso kuwait said...

Thanks for your post.ISO 27001 Certification in Oman

Sana Shren said...

Wonderful blog & good post.Its really helpful for me, awaiting for more new post. Keep Blogging!

ISO 27001

isooman said...

This is a very important blog for everyone. I read and I really like it.ISO 22301 Certification in Saudiarabia

Arya Rishi said...

Nice blog...Very useful information is providing by ur is a way to find.

ISMS Certificate


Excellent Blog. I really want to admire the quality of this post. I like the way of your presentation of ideas, views and valuable content. No doubt you are doing great work. ISO 27001 Certification in Oman

harrishvijay said...

This is a very important blog for everyone. I read and I really like it. So thank you guys.ISO 27001

harrishvijay said...

It;s nice information for me.. Good luck . ISO 27001 Training in UAE

harrishvijay said...

Nice post, I bookmark your blog because I found very good information on your blog, Thanks for sharing- more information. ISO 27001 Certification in Oman

IAS Bangladesh said...

Thank you so much for sharing this great blog. Very inspiring and helpful too.

ISO 27001 Certification

lithindavid said...

Nice post! It is really very helpful for us. If anyone want to know the details about ISO 27001 Certification

iasjordan003 said...

I believe there are many more pleasurable opportunities ahead for individuals that looked at your site

ISO 27001 Certification

jesvindavid said...

Hi there! great post. Thanks for sharing some very interesting and informative content it is a big help to me as well, keep it up!!!
ISO 27001 Certification

Arya Rishi said...

Nice post. I learn something totally new and challenging on sites . It's always helpful to read content..

ISO 22301 Certification

John Smith said...

I believe there are many more pleasurable opportunities ahead for individuals that looked at your site

ISO 27001 Certification Brazil

Jessy Shan said...

Nice Blog , This is what I exactly Looking for , Keep sharing more blog .

ISO 22301 Certification