Thursday, July 26, 2007

ISO 27001: Frequently asked questions

What is information security?
Information security is the protection of information to ensure:

  • Confidentiality: ensuring that the information is accessible only to those authorized to access it.
  • Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
  • Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).

What is an ISMS?
An Information Security Management System (ISMS) is a management system based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. ISO/IEC 27001 (BS 7799) is a standard for information security that focuses on an organization’s ISMS. Other standards for information security are much more specific and have a different focus:

  • IT systems (FISMA and ISO 13335-2)
  • Product (Common Criteria, ISO 15408, FIPS 140-2)

Why should I certify my ISMS?
Certification of a management system brings several advantages. It gives an independent assessment of your organization’s conformity to an international standard that contains best practices from experts for ISMS. A certified ISMS does not guarantee compliance with legislative and local policies, but provides a systematic platform to build on.

Drivers for certification include:

  • Meeting U.S. legislative requirements directly:
    • Sarbanes-Oxley Act of 2002, Section 404
    • SAS/70 requirements
    • HIPAA requirements (Security rule)
    • Gramm Leach Bliley Act of 2002
    • California’s privacy laws including SB 1436
  • Meeting legislative and regulatory requirements indirectly:
    • Privacy legislation
    • Managing the need to meet international legislative requirements
  • As part of a supplier management program:
    • Some major corporations prefer suppliers that can prove they meet best-practice standards.
    • In some industries, certification is demanded by customers. This is often seen in finance related industries, data centers, and online service providers.
  • As a measure and independent evidence that industry best practices are being followed.
  • To reduce insurance premiums:
    • In some cases insurance premiums can be reduced if you can prove that you meet the best-practice standards.
  • As part of a corporate governance program
    • Corporations must take care to meet the best practices and often need to show stakeholders such as sponsors, shareholders, and financers that they take good care of information security.
  • May offer competitive advantage; ISO/IEC 27001 (BS 7799) certification might be a differentiating factor between you and your competition.

What is the history and future of the standards?
The ISMS standard was first published as British Standard (BS) 7799 in two parts:

  • The code of practice: BS 7799-1, which later became ISO/IEC 17799 and is planned to be renumbered as ISO/IEC 27002.
  • The management system that can be used as a standard for certifying an organization, which was originally published as BS 7799-2 and has been released as an international standard, ISO/IEC 27001.

Throughout this FAQ we emphasize the new names for the standards.

What are the main concepts of ISO/IEC 27001 (BS7799)?

  • All activities must follow a method. The method is arbitrary but must be well defined and documented.
  • The standard requires a company to specify its own security goals. An auditor will verify whether these requirements are fulfilled.
  • All security measures shall be the result of a risk analysis.
  • The standard offers a set of security controls. It is up to the organization to choose which controls to implement based on the specific needs of their business.
  • A process must ensure the continuous verification of all elements of the security system through audits and reviews.
  • A process must ensure the continuous improvement of all elements of the security system.

What is ISO/IEC 27001 (BS 7799), and how does an ISMS relate to it?
British Standard 7799 (BS 7799) is an internationally-recognized standard describing the protection of information assets:

  • ISO/IEC 17799 (also known as BS 7799 Part 1), a code of practice for information security management. It will be renumbered to ISO/IEC 27002.
  • BS 7799 Part 2, the specification for an ISMS that can be used as the basis for certification. It has been adopted as an international standard, ISO/IEC 27001.

Why does ISO/IEC 17799 (BS 7799 Part 1) matter?
ISO/IEC 17799 is a code of practice for information security managers. It matters because it documents the best-practice security objectives and the associated controls (safeguards) that help support those objectives. This part of the standard will be renumbered ISO/IEC 27002 in 2007.

Why does ISO/IEC 27001 (BS 7799 Part 2) matter?
ISO/IEC 27001 (BS 7799 Part 2) is the specification for an ISMS. It explains how to apply ISO/IEC 17799. It matters because it provides the standard against which certification is performed including a list of mandatory documents. An organization that seeks ISO/IEC 27001 certification is examined against the management system standard.

How does ISO/IEC 27001 (BS 7799) relate to other management system standards (ISO 9001 and 14001)?
ISO/IEC 27001 (BS 7799-2) is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental management systems) standards. The three standards share system elements and principles, including adopting the PLAN, DO, CHECK, ACT cyclic process. This approach makes it possible to integrate the systems to the extent it makes sense.

Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001 (BS 7799-2)?
If information assets are important to your business, you should consider implementing an ISMS in order to protect those assets within a sustainable framework.

If you implement an ISMS, you should consider going through the process to be certified against the ISO/IEC 27001 standard. ISO/IEC 27001 and BS 7799 continues to build a reputation for helping to model business practices that enhance an organization’s ability to protect its information assets. A growing number of organizations around the world have already gone through the certification process.

How can I get a copy of the standards?
The standards are copyright protected text and must be purchased.

For ISO standards including ISO/IEC 27001, contact ANSI

Or you can purchase from ISO directly:

Risk Assessment and Risk Management
A responsible organization will assess the risk to its identified information assets, make decisions about which risks are intolerable and therefore need to be controlled, and manage the residual risks through carefully-considered policies and procedures.

What is risk assessment?
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence.

What is risk management?
Risk management is the process of identifying, controlling, and minimizing or eliminating security risks.

Why are risk assessment and risk management relevant to information security?
In the real world, the cost of protecting information must be balanced against the potential cost of security breaches. A company must fully understand the security risks it faces in order to determine the appropriate management action and to implement controls selected to protect against these risks.

How is risk assessment related to ISO/IEC 27001 (BS 7799)?
Selecting the right set of controls requires the use of a risk assessment-based approach. This approach is a mandatory part of the PLAN (identify, analyze and evaluate the risks), DO (select, implement, and use controls to manage the risks to acceptable levels), CHECK, and ACT cyclic process defined in BS 7799-2 for the establishment, implementation, and maintenance of an ISMS.

Does ISO/IEC 27001 (BS 7799) define the methodology for risk assessment?
The standard specifies only that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). A specific methodology is not prescribed; here are some published examples:

  • ISO/IEC 13335 (Management of information and communications technology security)
  • NIST SP 800-30 (Risk Management Guide for Information Technology Systems)
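The FAQ describes risk assessment (threats, vulnerabilities, impact, likelihood), deciding which risks are intolerable, selecting controls, and managing residual risk, but it deliberately prescribes no method. The following is an added example, not part of the original FAQ or of atsec's material, showing one simple qualitative approach of the kind the standard permits: a 1..5 likelihood and impact scale, a score of likelihood × impact, an acceptance threshold, and a greedy selection of controls until the residual risk is acceptable. The scales, the threshold of 8, the control catalogue with its reduction values, and the sample register rows are all constructed assumptions; they stand in for values management would set in its own ISMS policy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed ordinal scales: likelihood and impact are each rated 1 (low) .. 5 (high),
# risk score = likelihood * impact (1..25). The threshold is an assumption standing
# in for the acceptance level management would define in the ISMS policy.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPTABLE_RISK = 8


@dataclass(frozen=True)
class Control:
    """A safeguard and the number of scale steps it is assumed to remove."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register row: an asset, a threat exploiting a vulnerability,
    the inherent ratings, and the controls that could apply to this risk."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    applicable: List[str]
    selected: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for rating in (self.likelihood, self.impact):
            if not SCALE_MIN <= rating <= SCALE_MAX:
                raise ValueError(f"rating {rating} outside {SCALE_MIN}..{SCALE_MAX}")


def residual_score(risk: Risk, catalogue: Dict[str, Control], chosen: List[str]) -> int:
    """Risk score after applying the chosen controls; ratings never drop below 1."""
    likelihood, impact = risk.likelihood, risk.impact
    for name in chosen:
        control = catalogue[name]
        likelihood = max(SCALE_MIN, likelihood - control.likelihood_reduction)
        impact = max(SCALE_MIN, impact - control.impact_reduction)
    return likelihood * impact


def treat(risk: Risk, catalogue: Dict[str, Control],
          threshold: int = ACCEPTABLE_RISK) -> Tuple[int, List[str], bool]:
    """Greedy treatment: keep adding the applicable control that lowers the score
    most until the residual risk is at or below the threshold, or nothing helps.
    Returns (residual score, controls selected, whether the residual is acceptable).
    A False flag means the risk needs a management decision (accept, transfer, avoid)."""
    chosen: List[str] = []
    current = residual_score(risk, catalogue, chosen)
    while current > threshold:
        candidates = [n for n in risk.applicable if n not in chosen]
        if not candidates:
            break
        best = min(candidates, key=lambda n: residual_score(risk, catalogue, chosen + [n]))
        new_score = residual_score(risk, catalogue, chosen + [best])
        if new_score >= current:
            break  # the remaining controls do not reduce this risk
        chosen.append(best)
        current = new_score
    risk.selected = chosen
    return current, chosen, current <= threshold


# Constructed control catalogue: names and reduction values are illustrative assumptions.
CATALOGUE: Dict[str, Control] = {c.name: c for c in (
    Control("Patch management", likelihood_reduction=1),
    Control("Offsite encrypted backups", impact_reduction=2),
    Control("MFA on remote access", likelihood_reduction=2),
    Control("Security awareness training", likelihood_reduction=1),
)}


def build_register() -> List[Risk]:
    """Constructed sample register; every value is invented for illustration."""
    return [
        Risk("Customer database", "Ransomware", "Unpatched servers", 4, 5,
             ["Patch management", "Offsite encrypted backups", "Security awareness training"]),
        Risk("VPN gateway", "Credential stuffing", "Password-only authentication", 5, 3,
             ["MFA on remote access", "Security awareness training"]),
        Risk("Public website", "Defacement", "Outdated CMS", 2, 2,
             ["Patch management"]),
        Risk("Payroll records", "Insider disclosure", "Broad file-share permissions", 3, 5,
             ["Security awareness training"]),
    ]


def assess_register(register: List[Risk], threshold: int = ACCEPTABLE_RISK) -> List[dict]:
    """Run treatment over the whole register and return one summary row per risk."""
    rows = []
    for risk in register:
        inherent = risk.likelihood * risk.impact
        residual, controls, accepted = treat(risk, CATALOGUE, threshold)
        rows.append({"asset": risk.asset, "inherent": inherent, "residual": residual,
                     "controls": controls, "accepted": accepted})
    return rows


if __name__ == "__main__":
    for row in assess_register(build_register()):
        status = "accepted" if row["accepted"] else "NEEDS MANAGEMENT DECISION"
        print(f'{row["asset"]:18} {row["inherent"]:>3} -> {row["residual"]:>3}  '
              f'{status}  controls={row["controls"]}')
```

The last register row is the case worth noticing: the only applicable control brings the score from 15 down to 10, still above the threshold, so the greedy loop stops and flags the risk as not yet acceptable. That is the point at which the FAQ's "decide which risks are intolerable" step becomes a documented management decision rather than an automatic control selection, and it is exactly what an auditor will expect to see recorded in the risk treatment plan.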

After implementation, must the organization re-assess risks?
An organization that manages change effectively has a better chance of survival. The PDCA process model provides a means of assessing the risks an organization is challenged with as a result of changes in the business environment.


What is ISMS certification?
ISO/IEC 27001 is the standard that specifies an ISMS. A third party can audit an ISMS and, if satisfied that it conforms, certify that the organization is compliant with this standard.

What is a certification body (CB)?
A certification body (also called a registration body, assessment and registration body, or registrar) is an independent third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.

Who accredits certification bodies?
Accreditation organizations have the responsibility of assessing the competence of certification bodies to perform ISMS assessments. These accreditation organizations are often, but not always, national in scope. Examples of accreditation bodies are ANAB, UKAS, and DAR.

It is vital that your certification body is accredited by a reputable accreditation organization; otherwise your certificate might be worthless.

What is the Certification Process?
1. Assess if your ISMS is ready for certification.

  • Is your ISMS conformant with the standard?
  • Do you need to do work to get it ready?

2. Identify an accredited CB

  • Find a CB (Many are listed on
  • Agree and sign a contract with the CB (generally this is a 3-year commitment).
  • Agree on the schedule.

3. Go through the audit process:

  • Stage 1 audit (also known as a desktop audit). Here the CB examines the mandatory ISMS documentation.
  • Take action on the results of the stage 1 audit.
  • Stage 2 audit (on-site audit). Here your CB sends an audit team to examine your implementation of the ISMS.
  • Address audit findings and agree on a surveillance audit schedule.

4. When your ISMS is found to be conformant, the CB recommends to its validation committee that the ISMS is compliant with the standard, and if the validation committee agrees, it issues the certificate. (Depending on the organization this can take a few weeks to several months.)

5. Go through the surveillance audits as scheduled with the CB.

6. Keep your CB informed of any significant changes affecting your ISMS.

7. Re-certification after three years.

How long is a certificate valid?
Usually certificates have a limited validity only. The maximum term of validity is three years.

Will I be supervised by the certification body?
Yes. The certification body will conduct regular continuing assessments of your ISMS. You are also obliged to announce major changes of your ISMS. The certification body will then decide on the necessity of additional checks.

Can a certificate be withdrawn?
Yes. In the case of a minor non-conformity, the auditor will require you to write a corrective action plan and will verify its implementation. If identified non-conformities are not quickly eliminated, the certificate will be revoked.

Can I return a certificate?
Yes, but before you do so, contact your CB.

How do I choose a CB?
You could consider including the following factors as you make your choice from among available CBs:

  • Who are they accredited by?
  • Do they have expertise in your business area?
  • What resources do they have?
  • What is their schedule?
  • What is their reputation and do they have references?
  • What is the cost of certification?

What expertise does atsec have in ISMS?

  • atsec employees have over 500 years of experience in information security
  • atsec have consulted and implemented ISMS for many customers including Vodafone, Swisscom Mobile, and Axalto
  • atsec’s expertise is in demand – our consultants speak at international conferences and author books and articles about information security management.
  • atsec employees were and are members of standardization organizations including ISO:
    • Oliver Weissmann – Co-editor of ISO/IEC 17799, Active leadership role in WG1
    • Fiona Pattinson – INCITS CS1 Committee (US ISO SC27 TAG), US chapter of International ISMS Users Group co-chair
  • atsec mandate ISO/IEC 27001 (BS 7799) lead auditor training for ALL technical employees.
From: atsec information security

Anonymous said...

I like this post very much. It helps me to solve some of my work under my director’s requirements.

Apart from that, the article below also has the same meaning.

ISO 9001 principles

Thanks again, and keep posting.

ISO 27001 Certification said...

ISO 27001 Training is an international standard giving requirements related to an Information Security Management System in order to enable an organization to assess its risk and implement appropriate controls to preserve the confidentiality, integrity and availability of information assets. The fundamental aim is to protect the information of your organization from getting into the wrong hands or being lost forever.

Thiru Maran said...

Useful information. Thanks for sharing.
ISO Certification Body in India

Kartik singh said...

Thanks for sharing about the Information Security Management System. ISMS Certification In India

Quality Services said...

Nice blog! I was looking for blogs related to ISO certification in India. Then I found this blog; it is really nice and interesting to read.

Zab Clement said...

Thanks for sharing. I like your thoughts and with that I want to share an article regarding the benefits of being an ISO certified company.

nvtquality said...

The information on this blog is very useful and very interesting. If someone needs to know about it, just click ISO certification cost in india | ISO certification cost | ISO certification cost in bangalore

loginfotech SEO India said...

Best ISO certification consultancy in Singapore, that provides ISO certification, ISO 9001:2015, 9001 QMS training, QMS consulting, ISO 14001:2015, 14001 training, 45001:2016, 45001 training, 27001 training, ISO 9001:2015 certification, 14001:2015 certification, OHSAS 18001:2007 certification, ISO 45001:2016 certification, ISO 27001:2013 certification, ISO 29990:2010 certification, ISO 45001:2016 certification, LSP ISO 29990:2010, ISO 9001 internal auditor course, resident engineer, resident technical officers, manpower providers, consultancy, providers, bizSAFE, technical staff, RE, RTO, part-time RTO, precast trained supervision staff in Singapore, managing projects. Rstar

Rahul Gupta said...

Thank you for sharing the knowledge about ISO 27001 certification; this is beneficial for getting information about quality systems.

primeinfoserv said...

Thank you for posting this informative content.
iso 27001 certification in kolkata
Information Security Management Services in kolkata

igc exam said...

It's a very informative blog... Thanks for posting...

$ud!p R0y said...

The information and the content are good, and easy language is used so that it is understood.