Search in ISMS Guides


Wednesday, August 8, 2007

Guide to ISO Standards and Certification

ISO 9000 and other certifications can help build your company's credibility
By Chris Caggiano

You may have come across one of the following bizarre-looking codes in your business travels: ISO 9002, ISO 14001 and ISO 27003. Each of these arcane codes, formulated by the International Organization for Standardization, represents a different family of quality certifications for companies of all sizes. The ISO 9000 series covers overall organizational quality and efficiency. ISO 14000 addresses environmental management. And ISO 27000 is a new designation that covers information and physical security.

ISO certification doesn't guarantee quality, but rather verifies that companies are following consistent business processes, under the presumption that high-quality products and services will result. Achieving ISO certification costs in the tens of thousands of dollars, depending on the size of your company, and takes up 18 months or more of your time. Benefits include:

1. Greater credibility and marketability
2. Lower operating expenses
3. Increased employee and customer satisfaction

Action Steps
The best contacts and resources to help you get it done

Discover basic requirements of ISO certification
The ISO Web site defines the vocabulary and describes the basics and the requirements of ISO certification. You can also buy documents that will help you get on the road to compliance.
I recommend: Start on the official ISO Web site. You can also find straightforward primers on the ISO process from the ISO 9000 Council.

Get help and get going
There are various organizations through which you can achieve ISO certification and numerous consultants to help you through the process.
I recommend: Look on Quality Network to find an ISO registrar near you. Quality Digest, an ISO trade publication, provides a downloadable list of ISO 9000 consultants.

Find out if your industry has its own certification
Some industries have created sector-specific interpretations of the ISO standards, so you'll want to find out if your industry has its own version of ISO.
I recommend: Check with the National Institute of Standards and Technology (NIST) for information on the aerospace industry's ISO 9000 interpretation. You'll find pharmaceuticals-specific standards on the Pharmaceutical Quality Group's FAQ. Quality Digest offers automotive-industry information and details on telecom interpretations. Find information about the medical-device industry at NSF International Strategic Registrations Ltd.

Check with your state for ISO help
A number of states offer training, assistance and even funding for small companies looking to get ISO certified, especially those looking to meet the ISO environmental-management standards.
I recommend: States that provide help for companies considering ISO certification include Maryland, Massachusetts, Rhode Island and New Hampshire.

Tips & Tactics
Helpful advice for making the most of this Guide

* Consider becoming compliant rather than fully certified. In other words, you can research and implement the standards without going through the effort and expense of full certification.
* An ISO certificate isn't a one-time thing: You need to renew your certification every three years or so.
* ISO isn't just for manufacturing companies, but for service providers as well.
* Some large organizations might require your company to be ISO certified before doing business with you.

Introduction To ISO 27006 (ISO27006)

This is the standard which offers guidelines for the accreditation of organizations which offer certification and registration with respect to an ISMS. Again it was overseen by ISO's committee SC 27. The previous standard related to this issue was EA 7/03. This has effectively been replaced by the new standard, to meet market demands to better support ISO 27001. It effectively documents the requirements additional to those specified within standard ISO 17021, which identified the more generic requirements.

Its formal title is "Information technology - Security techniques. Requirements for bodies providing audit and certification of information security management systems", and it consists of 10 chapters and four Annexes.

The chapters within the standard are as follows: Scope; References; Terms; Principles; General Requirements; Structural Requirements; Resource Requirements; Information Requirements; Preciess Requirements; Management System Requirements.


The ISO 27006 standard is intended to be used in conjunction with a number of others. These, specifically, are: ISO 27001, ISO 17021 and ISO 19011.

From :

Introduction To ISO 27005 (ISO27005)

ISO 27005 will be the name of an emerging standard covering information security risk management. As with some of the other standards in the ISO 27000 series, no firm dates have been established for its release. However, it will define the ISMS risk management process, including identification of assets, threats and vulnerabilities.


It is likely that the ISO27005 standard will be based upon ISO 13335 (MICTS Part 2), which provide guidelines for the management of information and communications technology security. There is also likely to be a relationship with BS7799-3, which was published in March 2006.

More information will be published on this page as it is made available.

From :

Introduction To ISO 27004 (ISO27004)

ISO 27004 is the official number of the emerging standard covering information security management measurement and metrics. Again, however, it is not expected to be published in the immediate term. However, its development is well underway, being at stage 3, working draft level.

It is intended to help an organization establish the effectiveness of its ISMS implementation, embracing benchmarking and performance targeting within the PDCA cycle.

From :

Introduction To ISO 27003 (ISO27003)

The purpose of this proposed development is to provide help and guidance in implementing an ISMS (Information Security Management System). This will include focus upon the PDCA method, with respect to establishing, implementing reviewing and improving the ISMS itself.

ISO committee SC27 will oversee the development, as with other information security standards.However, this is a longer term project, and publication is not expected until late in 2008 or early in 2009.

Its suggested title at the present time is: "Information technology - Security techniques. Information security management system implementation guidance".

The following is the originally mooted broad table of contents:
1. Introduction
2. Scope
3. Terms & Definitions
4. CSFs (Critical success factors)
5. Guidance on process approach
6. Guidance on using PDCA
7. Guidance on Plan Processes
8. Guidance on Do Processes
9. Guidance on Check Processes
10. Guidance on Act Processes
11. Inter-Organization Co-operation

From :

The Benefits of ISO 27001 Implementation

The benefits of standardization, and of implementation of one or more of the ISO 27000 series are wide and varied. Although they tend to differ from organization to organization, many are common.

The following is a list of potential benefits. As with many items on this website, this is an ongoing project. Please feel free to add further points via the comments option below.

This is a general benefit of standardization. The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.

Management can be assured of the quality of a system, business unit, or other entity, if a recognized framework or approach is followed.

Due Diligence
Compliance with, or certification against, and international standard is often used by management to demonstrate due diligence.

Bench Marking
Organizations often use a standard as a measure of their status within their peer community. It can be used as a bench mark for current position and progress.

Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.

Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater IT and Business alignment often results.

From :

ISO 17799 Overview

ISO17799 also BS7799 is a widely accepted standard for information security management. It is a great tool for the fundamentals of security management and also helps in promoting information security to top management.

When ISO adopted the British standard BS7799 it became ISO17799. The latest version of ISO17799 was released 2005.

The standard has 16 sections (0 - 15) as outlined below

Section 0 - Introduction
The introduction discuses what information security is, why it is important, and outlines how to work with information security, and how ISO17799 is a good starting point.

Section 1 - Scope
Says that the standard establishes general guidelines for implementing and working with information security, and that risk assessments are required to make good use of the standard.

Section 2 - Terms and Definitions
Defines terminology used in the standard. The following terms are defined: asset, control, guideline, information processing facilities, information security, information security event, information security incident, policy, risk, risk analysis, risk assessment, risk evaluation, risk management, risk treatment, third party, threat, and vulnerability.

Section 3 - Structure of the Standard
Describes the structure of the standard. Identifies the eleven security control clauses:
Section 5 to 15 below.

Section 4 - Risk Assessment and Treatment
Section 4.1 describes how risk assessment needs to be performed periodically, and is the basis for implementing security controls.

Section 4.2 shows on the possible options for risk treatment, including:
- applying appropriate controls to reduce the risks;
- knowingly and objectively accepting risks, providing they clearly satisfy the organization's policy and criteria for risk acceptance;
- avoiding risks by not allowing actions that would cause the risks to occur;
- transferring the associated risks to other parties, e.g. insurers or suppliers.

Further, it is pointed out that there is no single solution that will fit all. Organisations have to find controls that are appropriate for them.

Section 5 - Security Policy
The objective of a policy is identified as a management guidance with clarity.
Section 5.1 Information security policy covers the policy document, and policy review.

Section 6 - Organizing Information Security
Section 6.1 covers internal organization while section 6.2 dicusses external parties.

Section 7 - Asset Management
Seciton 7.1 discusses responsibility for assets. Section 7.2 is about information classification.

Section 8 -Human Resources Security
Section 8.1 is about th3e time before employment while section 8.2 is about the employment period and section 8.3 is about termination or change of employment.

Section 9 - Physical and Environmental Security
Section 9.1 is about secure areas and section 9.2 is about equipment security.

Section 10 - Communications and Operations Management
Section 10.1 is about operational procedures and responsibilities while section 10.2 is about external parties delivering services (outsourcing) and section 10.3 is about system planning and acceptance. Section 10.4 is about malicious and mobile code and section 10.5 is about backups and section 10.6 is about network security management. Section 10.7 covers media handling and section 10.8 covers exchanges of information. Section 10.9 is about e-commerce while section 10.10 is about monitoring things.

Section 11 - Access Control
Section 11.1 is about business requirements while section 11.2 is about user controls and section 11.3 is about user responsibilities. Section 11.4 drills down into network access control, section 11.5 examines operating system access controls, section 11.6 is about applicaiton level controls, and section 11.7 is focussed on mobile computing.

Section 12 - Information Systems Acquisition, Development and Maintenance
Section 12.1 focuses on security requirements while Section 12.2 focuses on correct processing. Section 12.3 is about cryptographic controls while section 12.4 is about control of system files. Section 12.5 focuses on the development and support processes, section 12.6 centers around vulnerability management.

Section 13 - Information Security Incident Management
Section 13.1 is about reporting security events and weaknesses. Section 13.2 is about managing incidents and improvements.

Section 14 - Business Continuity Management
Section 14.1 covers information security aspects of business continuity management.

Section 15 - Compliance
Section 15.1 is about compliance with legal requirements while section 15.2 is about compliance with policies, standards, and technical specifications. Section 15.3 is about audit considerations.

From :

Auditing for ISO 17799 compliance

SANS have published an Audit Check List for ISO 17799:2005. It is available as an MS Word file "Sans Iso 17799:2005 Check List".

ISO 17799 to ISO 27002: A Warning

It is well known that ISO 17799 has been renamed to ISO 27002. This was confirmed by the appropriate ISO Technical Committee some weeks ago.

A number of people questioned the need for this, and have asked why this couldn't wait until the next upgrade of the standard. Nonetheless, it went ahead, and we waited for the renamed copy to be made available.

Here is the crux though: ISO have now made this available... BUT.... it is simply ISO 17799:2005 with a single accompanying PDF sheet stating "Replace '17799' with '27002'". Seriously, that is it!

So the warning is that if you already have a copy of ISO 17799:2005 and were thinking of buying another copy to replace it, don't, unless the situation changes (and it may not).

If you don't have a copy of ISO 17799:2005 and were thinking of buying a copy of ISO 27002, go for ISO 17799:2005 instead if you can find that cheaper than ISO offer it for (and you can), unless the situation changes (and it may not).

We will continue to monitor the situation and will immediately post any changes which we identify.

From :


As the international standards for information security, ISO 27001 and ISO 27002 (also known as ISO 17799) are, by their very nature, highly complex. But whether you wish to pursue certification, achieve compliance, or simply position your organization against them, the first question usually is: where do you start?


The answer to this question surely is The ISO27000 Toolkit. This is a series of materials and documents brought together specifically to help you achieve these objectives, and support both ISO27001 and ISO27002 (ISO17799).

It comprises the following essential components:

Both parts of the standard: ISO 27002 (formerly ISO 17799) and ISO 27001

A management presentation

A complete set of ISO 27002 compliant information security policies

A Business Continuity Kit (Ref: section 12)

A jargon busting glossary of information security and IT terms

A BIA questionnaire

The certification roadmap

The essential audit kit (Ref: section 12) for a network system


The ISO 27000 Toolkit will get you off to an excellent start in understanding the two ISO 27000 standards, and addressing the key issues. Further, the support resources and materials included in the kit should prove to be useful for many years to come.

All the items in the kit have been designed and created from the standpoint of helping with the ISO 27001 and ISO 27002 compliance initiative. Indeed, their quality is such, that some are sold stand alone, as independent security products. However, purchase within the toolkit delivers significant and substantial savings.

Each item within the toolkit is described more fully on its own page. To view, simply select from the menu on the left hand side. For more information, please feel free to contact us


To purchase the product and download the full toolkit for a special price of just $995, please visit our secure ISO27000 purchase page.

Every Hard Drive Tells a Story

Fraud, extortion and pornography; All in a day’s work. One of the most interesting jobs in IT has to be that of the computer forensic investigator.

Unlike mainstream forensics such as fingerprint analysis, not a great deal is known of this specialist field by the general public. One of the reasons that computer forensics has rapidly evolved over the last few years is that the ubiquitous PC can be found in almost every home and workplace in the land, and every day people visit web sites, send emails and create documents which leave a trail of evidence.

When users delete documents and watch them disappear from the ‘Recycle Bin’, they are permanently deleted, or so they might have thought. Although the documents can no longer be accessed by the user via Windows, what really happens is that the deleted stuff remains on the disk on an area that can be recovered using specialist software and hardware tools.

Forensic investigators need to ensure that the actions that they follow adhere to legally acceptable standards, because if the correct process is not followed they can be certain that a lawyer will be waiting to question the admissibility of evidence. In the UK, the Association of Chief Police Officers’ (ACPO) guidelines are used as the best practice reference.

These procedures can be summarised into four main phases: Collection, Examination, Analysis and Reporting. It is vital that evidence contained on computers and computer related storage media is preserved and recovered in such a way that it can be demonstrated to the courts that the actions of the investigator has not changed the evidence.

No WriteTo demonstrate the sensitivity of this point, the mere act of turning on a computer will change some of the data held within it. The data from a computer hard drive will commonly be recovered by connecting the hard drive to a write protected device (pictured) and then using specialist forensic software to make a forensic image of the hard drive.

The write protected device prevents any changes being made to the evidential hard drive, therefore maintaining the integrity of the original evidence.

The forensic image is an exact copy of the hard drive (or other media), from the very start of the media to the end. Unlike a backup of media that just includes the accessible files, a forensic copy includes all areas of the media including unallocated space. It is within this unallocated space that the data that appeared to be deleted from the recycle bin resides. Following analysis of an investigation, strictly factual reporting of the information found is required.

So, what are some applications of computer forensics? At the basic level, data files that have been accidentally deleted may be recovered (if no backups are available), but it gets more interesting than that. In one case performed in tandem with a UK police force, our investigators were able to dismiss the allegations of the defendant who claimed that the malicious software on his computer was responsible for the illegal images that were found on it. This was performed by interrogating the machine and locating all malicious software present and active, then investigating each instance of the malicious software.

During the investigation, a recovered keystroke logger output text file was discovered in unallocated disk space, although the keystroke logger software and log file had actually been deleted. This important artefact had recorded the defendant’s keystrokes, including him typing incriminating web site addresses and his conversations using instant messaging software.

Heard about Voice Phishing?

Not to be confused with a Babel fish, an emerging con that utilises technology has been dubbed ‘voice phishing’, and it’s a new spin on an old crime. In a nutshell, here is how it works:

  • Victim receives an email asking them to verify their identity by phoning a telephone number
  • Victim calls number (set up by the criminals) and is greeted by a recorded voice message asking for an account number etc.

This bid to trick users into handing over confidential information is a variation on phishing, which utilises an email and bogus web site combination. Sadly, it seems that there is no end in sight to the ways in which the criminals are attempting to dupe people out of their hard-earned money.

Alan Phillips MBCS
Alan Phillips is a registered BCS security practitioner and contributing author of IT Security training courses at 7Safe, an independent Information Security services consultancy delivering an innovative portfolio of services including Penetration Testing, ISO 27001 Consulting, Forensic Investigation and Information Security training courses