

Thursday, August 16, 2007

The standard effectively comes in two parts

The standard effectively comes in two parts:
  • ISO/IEC 27001:2005 is a standard specification for an Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. It forms part of an organisation's internal control system.

  • ISO/IEC 27002:2005 is a standard code of practice and can be regarded as a comprehensive catalogue of good security things to do.

A Technical Corrigendum was published by ISO on 1 July 2007 renaming ISO/IEC 17799:2005 as ISO/IEC 27002:2005.

The Management Standard

ISO/IEC 27001:2005 instructs you how to apply ISO/IEC 27002 and how to build, operate, maintain and improve an ISMS.

The major components of an ISMS are summarised in Figure 1. The activities continually cycle around the PLAN-DO-CHECK-ACT cycle.

Figure 1 - The major steps towards ISMS compliance (diagram of the PLAN-DO-CHECK-ACT cycle).



The first step is to define the scope of the ISMS. It could be the whole of your organisation. It could be a particular site. It could be just a particular service - Internet banking for example. The choice is yours.

ISMS Policy

Why is information security important to you? Is there a particular threat, or other worries that concern you? What do you want to achieve, for example in terms of confidentiality, integrity and availability? What do you believe is an acceptable level of risk? Are there any constraints, such as laws and regulations, or particular ways in which you wish to do things? Document your answers in a policy document. Note that it covers the whole of the ISMS, not just the security controls. It is therefore far more extensive than the "information security policy" referred to in the Code of Practice. It should be a relatively short document (1-3 pages) and signed off by the CEO. Security, as with all other internal controls, flows down from the top of the organisation.

Risk assessment

Now you know what you are trying to protect and what is an acceptable level of risk, what is your actual risk? Choose a method that is appropriate to your organisation and the scope of your ISMS. What are the risks? Determine these by a consideration of the impacts that would occur if some threat exploits a weakness in your defences to compromise the security of an asset, and how likely is the impact to occur.

Evaluate the risks. If you plot the likelihood of the impact occurring against the magnitude of the impact, you may consider that there are risks that are not of any great concern because:
  • even if they would have a major impact they are extremely unlikely or

  • even if they occurred all the time they would have an insignificant impact.

diagram showing that applicable risk includes high impact-low likelihood events, low impact-high likelihood events and high impact-high likelihood events.

The Institute of Chartered Accountants in England and Wales refers to the remaining risks as the applicable risks. These are the risks that you need to control. You will either have controls in place that reduce the risk to an acceptable level, or you will need to introduce them. Make sure that you have controls in place that will tell you if a non-applicable risk turns into an applicable risk.

Risk treatment plan

After completing your assessment of risk, ISO/IEC 27001 asks you to treat that risk. Are you just going to accept the risk and rely on your ability to promptly detect and respond to security incidents? (By the way, you will need such a procedure to comply with the standard.) Are you going to avoid the risk, transfer it to a third party (e.g. via insurance) or are you going to apply appropriate controls? This is your risk treatment plan. We have developed a methodology for doing this that performs the risk assessment on the fly and avoids the usual gobbledegook associated with IT risk assessments; because it is based on events and impacts expressed in business terms, it is so easy that senior business managers can do it.

Select control objectives and controls

ISO/IEC 27001:2005 presents a list of 133 candidate control objectives and controls, drawn one-to-one from ISO/IEC 27002. The list is not exhaustive and you are free to identify additional control objectives and controls as you please. Not all of those listed in ISO/IEC 27001:2005 may be relevant to your ISMS. In our methodology, selecting your controls also forms part of the risk treatment plan.

Statement of Applicability (SOA)

You are required to go through all 133 ISO/IEC 27001:2005 controls and justify which ones you have used and which you have not. You are required to relate the selection of the controls back to the risk assessment. In practice, you can also relate the selection of controls back to statements in your ISMS policy, the precedence for this being set by the Common Criteria (ISO/IEC 15408). This process acts as a safety net in case you inadvertently omitted something important in your risk assessment/risk treatment. In our approach to integrated management systems, we refer to this as an Alternative Ideas List.
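As an added worked example (not from the original post), the risk evaluation and the SOA safety net described above can be expressed as a small script: a risk is left out only in the two bands named earlier (extremely unlikely, or insignificant impact), every selected control must trace to an applicable risk or a policy statement, every control needs a justification whether selected or not, and every applicable risk to be treated by controls must have a selected control. Risk names, scores, the "CTRL-n" control ids and the policy reference "P3" are constructed placeholders, not Annex A numbering or any real register.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 = extremely unlikely .. 5 = occurs all the time
    impact: int      # 1 = insignificant .. 5 = major
    treatment: str = "control"  # or "accept", "avoid", "transfer"

@dataclass
class SoaEntry:
    selected: bool
    justification: str
    risks: list = field(default_factory=list)        # applicable risks addressed
    policy_refs: list = field(default_factory=list)  # ISMS policy statements supported

def is_applicable(risk):
    # Not applicable if extremely unlikely (any impact) or insignificant (any likelihood)
    return risk.likelihood > 1 and risk.impact > 1

def check_soa(risks, soa):
    # Returns findings; an empty list means the SOA traces cleanly
    findings = []
    applicable = {r.name for r in risks if is_applicable(r)}
    to_control = {r.name for r in risks if is_applicable(r) and r.treatment == "control"}
    covered = set()
    for cid, entry in soa.items():
        if not entry.justification:
            findings.append(f"{cid}: no justification for inclusion/exclusion")
        if entry.selected and not (entry.risks or entry.policy_refs):
            findings.append(f"{cid}: selected but traces to no risk or policy statement")
        for rname in entry.risks:
            if rname not in applicable:
                findings.append(f"{cid}: cites '{rname}', which is not an applicable risk")
            elif entry.selected:
                covered.add(rname)
    for rname in sorted(to_control - covered):
        findings.append(f"risk '{rname}': to be controlled but no selected control addresses it")
    return findings

RISKS = [  # constructed sample register
    Risk("malware on workstations", 4, 3),
    Risk("data centre flood", 1, 5),             # extremely unlikely: not applicable
    Risk("stray print-outs", 5, 1),              # insignificant impact: not applicable
    Risk("laptop lost in transit", 3, 3, treatment="transfer"),
    Risk("incident not detected", 3, 4),
]
SOA = {  # constructed subset; "CTRL-n" are placeholder ids, not Annex A numbers
    "CTRL-1": SoaEntry(True, "treats malware risk", risks=["malware on workstations"]),
    "CTRL-2": SoaEntry(True, "supports policy statement P3", policy_refs=["P3"]),
    "CTRL-3": SoaEntry(False, "no unattended facilities in scope"),
    "CTRL-4": SoaEntry(True, "", risks=["data centre flood"]),
}
```

Running `check_soa(RISKS, SOA)` reports the missing justification on CTRL-4, its citation of a non-applicable risk, and the applicable risk "incident not detected" that no selected control addresses.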


The DO part of the cycle requires you to operate the controls. You will need a procedure, as mentioned above, to ensure the prompt detection of and response to incidents. You will also need to ensure that all staff are security aware, appropriately trained and competent to carry out their respective security tasks. To ensure all of this is carried out you will need to manage the necessary resources.


The purpose of the CHECK phase is to ensure that the controls are in place and are achieving their objectives. There are a variety of possible check activities, but only internal ISMS audit and management review are mandatory requirements.

A new requirement, not included in BS 7799-2:2002, is the measurement of the effectiveness of your controls. Our paper on measuring the effectiveness of an internal control system explains how this can be done.


The outcomes of the CHECK activity are actions. There are three varieties:

  • corrective action

  • preventive action

  • improvements.

Further information

There are particular requirements concerning documentation and records. These are very similar to those required by ISO 9001. Indeed there is a great deal of overlap making the creation of integrated management systems a real possibility.

The Code of Practice

ISO/IEC 27002:2005 defines 133 security controls structured under 11 major headings (see Figure 2) to enable readers to identify the particular safeguards that are appropriate to their particular business or specific area of responsibility. These security controls contain further detailed controls bringing the overall number somewhere in the region of 5000+ controls and elements of best practice.

The standard stresses the importance of risk management and makes it clear that you do not have to implement every single guideline; only those that are relevant. The scope of the standard covers all forms of information, including voice and graphics, and media such as mobile phones and fax machines. The new standard recognises new ways of doing business, such as e-commerce, the Internet, outsourcing, tele-working and mobile computing.

The code of practice covers: (1) security policy; (2) organising security; (3) asset management; (4) human resources security; (5) physical and environmental security; (6) communications and operations management; (7) access control; (8) acquisition, development and maintenance; (9) incident management; (10) business continuity management and (11) compliance.

Figure 2 - Coverage of ISO/IEC 27002

Certification schemes

Certification schemes are being established in many parts of the world. It is therefore useful to reveal who the players are and what is going on. Have a look at Figure 3.

ISO/IEC 27006:2007 provides guidance to National Accreditation Bodies for the accreditation of Certification Bodies wishing to assess ISMSs, e.g. against ISO/IEC 27001:2005. The various National Accreditation Bodies around the world operate a "mutual recognition" process that allows certificates awarded in one country to be accepted by the Accreditation Body of another.

Figure 3: Relationship between scheme players (diagram showing the relationship between the certification scheme players).

In order to be awarded a certificate, your ISMS will be audited by an ISMS assessor. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as BSI Assessment Services Limited and Det Norske Veritas).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Obtaining the Standards

In order to buy a copy of the standards, please contact BSI Customer Services by telephone at (+44) 20 8996 7555 or electronically from

Gamma (ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company)
