Monday, June 30, 2008
ISO 27001 Certification FAQ
ISO/IEC 27001 certification is the process by which an organization’s ISMS is examined against the ISO/IEC 27001 specification by an accredited certification body.
What is a certification body?
A certification body (also called a registration body, assessment and registration body, or registrar) is a third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.
Who accredits certification bodies?
Accreditation organizations accredit the competence of certification bodies to perform services in the areas of product and management system approval. These accreditation organizations are often, but not always, national in scope.
What is the certification process?
The certification process includes:
1. Part 1 audit (also known as a desktop audit). Here the CB auditor examines the pertinent documentation.
2. Taking action on the results of the part 1 audit.
3. Part 2 audit (on site audit). Here the CB sends an audit team to examine your implementation of the reviewed, documented ISMS.
4. Correction of audit findings. Agreeing to a surveillance schedule.
5. Issuance of certificate. (Depending on the CB this can take a few weeks to several months.)
Following initial certification, the ISMS is subject to surveillance as specified by the CB, and then requires re-certification after three years.
From: www.atsec.com
ISO 27001 CERTIFICATION EXPLAINED
Common reasons to seek certification include: Organisational assurance; trading partner assurance; Competitive advantage (market leverage); reduction or elimination of trade barriers; reduced regulation costs; and so on.
To meet the certification requirements, an organization's ISMS must be audited by a 'Certification Body' (or strictly speaking, an assessor who works for a Certification Body). There is a clear segregation of duties here: the assessor must be independent of consultancy and training.
A Certification Body must have been accredited by the National Accreditation Body for the territory in question (eg: UKAS in the UK). This helps ensure that Certification Bodies meet national and international standards for their services, and ensures consistency. In respect of ISO 27001, the governing document is typically EA-7/03 (‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’).
The following diagram may clarify this process:

Different certification bodies tend to adopt slightly different approaches to the exercise, with some being more 'hands on' than others. However, the following six step process is a fairly common one:
1 - Questionnaire (the Certification Body obtains details of your requirements)
2 - Application for Assessment (you complete the application form)
3 - Pre-assessment Visit or a ‘Gap Analysis’ (optional).
4 – The Stage 1 Audit (a ‘Document Review’). This is the first part of the audit proper.
5 - The Stage 2 Audit (otherwise called the ‘Compliance Audit’)
6 – Ongoing Audits
Friday, November 2, 2007
Certification : BS 7799
In the Information Security space we believe that people are both the strongest and the weakest link in the attempt to secure one's IT resources. Security professionals are responsible for making and breaking the best security systems developed to date.
The best method to validate one's attempt to provide effective Information Security Management is to first benchmark it against the BS 7799 standard and then have it certified by an external vendor.
In the earlier articles we looked at finer aspects of the standard where we discussed the standard itself, risk assessment, implementation and risk management.
In this final session we would attempt to understand the structure and steps involved in certification for BS7799.
A quick recap
Before we go in to the details of acquiring certification we need to go back and look at what constitutes the standard and what will a company be certified for:
ISO/IEC 17799:2000 (Part 1) is the standard code of practice, which can be regarded as a comprehensive catalogue of "the best things to do in Information Security".
BS7799-2:1999 (Part 2) is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.
Please note that certification is against BS7799-2:1999.
In order to be awarded a certificate, a BS7799 assessor will audit the ISMS. The assessor cannot also be a consultant. There are very strict rules about this. The assessor will work for a Certification Body (such as Det Norske Veritas and BSI Assessment Services Limited).
The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.
The assessor will return periodically to check that your ISMS is working as intended.
Domains on which one would be assessed:
As discussed in the earlier sessions, the company needs to prepare its policies and procedures, which would cover the following domains:
• Security policy
• Security organisation
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
Statement of applicability
BS 7799 requires a company to identify the processes and controls that it actually operates. If, for example, the company does not outsource any of its functions to an external vendor, it can state that 4.2.3.1 (Security Requirements in outsourcing contracts) is not relevant to that particular organisation.
You are required to identify all of your chosen security controls, justify why you feel they are appropriate, and explain why those BS7799 controls that have not been chosen are not relevant.
Preparing oneself for Certification:
The traditional formula of Plan, Do, Check and Act works well with BS 7799 too, and this is a good place either to start or to review the progress of the implementation team.
Plan
When planning, pay particular attention to the business context in which the ISMS is being prepared. This includes defining business policy and objectives, estimating the scope of the ISMS, deciding on and collecting the resources needed to conduct risk assessment, and settling on a definitive approach to identifying, analysing and evaluating risks on a continuous basis.
Do
While implementing the ISMS, the focus should always be on building a durable and reliable mechanism for managing risk. This includes weighing the options of automated versus manual systems; the ideal is to strike a balance between the two. BS7799 controls need to be addressed, as the ultimate objective is to acquire certification.
Deploy qualified and tested vendors to implement the various products and solutions that will be required. Preparation of the statement of applicability is also an important step, in which management plays an important role.
Check
Here is where one has to engage an external security audit team qualified to perform a third-party security audit for BS7799. Certification companies like Det Norske Veritas can also help find qualified BS7799 consultants for companies interested in performing a pre-assessment audit.
The audit team checks for appropriate controls and for evidence of their implementation.
For example: if a company has prepared a policy for contractual agreements, the company would have to submit the templates and the documents in which third-party contractors have signed up to the security requirements.
Implementation also includes continuous monitoring of the ISMS, first from the perspective of satisfying business needs and then of its practical validity in the organisation.
Act
After checking for flaws and vulnerabilities, the company needs to improve the ISMS by identifying key vulnerabilities and taking appropriate corrective actions.
Preventive actions for incidents that are foreseeable but not yet observed can be taken, and policies to drive them into action can be framed in good time.
Communication and delivery of policies to IT users and the IT team should be done with ease and determination. Cultural changes and differences that arise should be tackled with justification and transparency. Management, partners and users should be trained on policies and procedures.
Creative techniques, such as designing posters that clearly state rules on PC usage and the best practice to follow in framing and maintaining passwords, can go a long way towards the success of the policies and procedures.
The 4 Step method of Certification
The Plan, Do, Check and Act framework is cyclic and has to be carried out continuously over the long run, with the solid backing of management.
We now come to Specifics of Certification Process
Step One
Desktop Review:
All documented policies and procedures need to be verified and checked for consistency and practicality. The corresponding templates and forms are presented to the audit team.
One important check on documentation will be its validity and relevance to BS7799 controls.
The following documents need to be presented:
ISMS, policies, IT environment documentation, risk assessment reports, business continuity planning documentation, statement of applicability.
Step Two
Technical Review
The definition and implementation of the security architecture, with its various products and networking components, are checked for vulnerabilities and possible risk exposure.
The company would also need to submit a ‘permissible risk’ statement, i.e. the level of risk the company can afford to accept.
Step Three
Internal Audit
The team of BS7799 implementers and BS7799 professionals can carry out an initial internal audit, in which non-conformances are picked up and recommendations are documented.
This step is a simulation of the actual third-party audit and has to be taken seriously by the team and by the users of IT in the company.
Step Four
External Audit- Certification
The invitation to the certification company is arranged in advance, and the company prepares to face the external auditors.
The company's consultants and internal team are not allowed to be part of the audit team.
They can assist the auditors and help them find relevant material.
The auditors check the documentation and objective evidence with the following questions in mind:
- Are records correct and relevant?
- Are policies known and tested?
- Are policies communicated?
- Are controls implemented?
- Are policies followed up?
- Are preventive actions taken?
The auditor then evaluates the quality of risk assessment and the level of security claimed by the company.
Conclusion
After the audit, the certification company recommends the company for BS7799 certification. This is certainly a victory for the IT team, as they can be assured that their IT systems are world class and that the possibility of a security incident is minimal.
To summarize the series, BS7799 is a culture one has to build in the company, which would help one:
- Heighten security awareness within the organisation
- Identify critical assets via the Business Risk Assessment
- Provide a structure for continuous improvement
- Be a confidence factor internally as well as externally
- Enhance the knowledge and importance of security-related issues at the management level
- Ensure that "knowledge capital" will be "stored" in a business management system
- Enable future demands from clients, stockholders and partners to be met
Recommended Reading
- Information Security Management: An introduction (PD3000)
- Preparing for BS7799 Certification (PD3001)
- The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
- Are you Ready for a BS7799 Audit? (PD3003)
- Guide to BS7799 Auditing (PD3004)
- Guide on selection of BS 7799 controls (PD3005)
- BS7799 : Part 1: 1999 Code of Practice for information security management
- BS7799 : Part 2: 1999 Specification for information security management systems
- EA Guidelines 7/03
BS7799 Interpretation Guide (Free Download): www.dnv.com
Det Norske Veritas (DNV) is an independent autonomous foundation with the objective of safeguarding life, property and the environment. Established in 1864, DNV provides an extensive range of technical services to the land, offshore and marine industries worldwide. The organization comprises over 300 offices in 100 countries, with a total of 5,500 employees of 75 different nationalities.
DNV started its operations in Region India in 1972 and has established itself as a leading Classification Society. DNV has been providing Classification, Certification, Consultancy and Verification Services for the Marine, Offshore and Land-based process industries ever since, for both the Public and Private Sectors.
DNV is accredited in 21 countries for the Certification of Quality Management Systems and in 14 countries for Environmental Management System and is a leading Certification Body in India for both Quality & Environment Management System Certification having issued over 2500 certificates under ISO 9000 Standards and over 250 certificates under ISO 14000 Standards. DNV, in India, is also involved in Tick-IT, QS 9000, BS 7799, Risk Based Inspection (RBI), OHSMS, SA 8000 Systems Certification and CE Marking.
Key advisory services include Risk / Reliability Assessment and Loss Control Management Services. DNV is recognized by the Chief Controller of Explosives both as an Inspection Authority and Competent Person and DNV is also approved by Indian Boiler Regulations (IBR) as Competent Inspection Authority in 22 countries world-wide.
Source: http://www.computersecuritynow.com/7799part3.htm
Wednesday, October 3, 2007
Executive Briefing On ISO 17799:2005 & ISO 27001:2005
22 pages
Source: http://sqm-advisors.com
http://sqm-advisors.com/downloads/Executive_Briefing_on_ISO_27001_3_07.pdf
• What is Information Security?
• What is Information Security Management?
• Why is Information Security Management Needed?
• What is an Information Security Management System?
• How do ISO 17799 and ISO 27001 fit into the picture?
• ISO 17799 & ISO 27001 summarized
• What are the benefits of ISO 27001 certification?
• ISO 27001 certification scheme
• How does an organization achieve certification?
• Worldwide trends in ISO 27001 certification
• Market considerations
• Where to go from here?
• The bottom line
• More Information
Sunday, September 23, 2007
BS 7799 Certification
For comments and questions on this paper please write to: bmukund@yahoo.com
Source: http://www.computersecuritynow.com/7799part3.htm
Wednesday, August 8, 2007
Guide to ISO Standards and Certification
By Chris Caggiano
You may have come across one of the following bizarre-looking codes in your business travels: ISO 9002, ISO 14001 and ISO 27003. Each of these arcane codes, formulated by the International Organization for Standardization, represents a different family of quality certifications for companies of all sizes. The ISO 9000 series covers overall organizational quality and efficiency. ISO 14000 addresses environmental management. And ISO 27000 is a new designation that covers information and physical security.
ISO certification doesn't guarantee quality, but rather verifies that companies are following consistent business processes, under the presumption that high-quality products and services will result. Achieving ISO certification costs in the tens of thousands of dollars, depending on the size of your company, and takes up 18 months or more of your time. Benefits include:
1. Greater credibility and marketability
2. Lower operating expenses
3. Increased employee and customer satisfaction
Action Steps
The best contacts and resources to help you get it done
Discover basic requirements of ISO certification
The ISO Web site defines the vocabulary and describes the basics and the requirements of ISO certification. You can also buy documents that will help you get on the road to compliance.
I recommend: Start on the official ISO Web site. You can also find straightforward primers on the ISO process from the ISO 9000 Council.
Get help and get going
There are various organizations through which you can achieve ISO certification and numerous consultants to help you through the process.
I recommend: Look on Quality Network to find an ISO registrar near you. Quality Digest, an ISO trade publication, provides a downloadable list of ISO 9000 consultants.
Find out if your industry has its own certification
Some industries have created sector-specific interpretations of the ISO standards, so you'll want to find out if your industry has its own version of ISO.
I recommend: Check with the National Institute of Standards and Technology (NIST) for information on the aerospace industry's ISO 9000 interpretation. You'll find pharmaceuticals-specific standards on the Pharmaceutical Quality Group's FAQ. Quality Digest offers automotive-industry information and details on telecom interpretations. Find information about the medical-device industry at NSF International Strategic Registrations Ltd.
Check with your state for ISO help
A number of states offer training, assistance and even funding for small companies looking to get ISO certified, especially those looking to meet the ISO environmental-management standards.
I recommend: States that provide help for companies considering ISO certification include Maryland, Massachusetts, Rhode Island and New Hampshire.
Tips & Tactics
Helpful advice for making the most of this Guide
* Consider becoming compliant rather than fully certified. In other words, you can research and implement the standards without going through the effort and expense of full certification.
* An ISO certificate isn't a one-time thing: You need to renew your certification every three years or so.
* ISO isn't just for manufacturing companies, but for service providers as well.
* Some large organizations might require your company to be ISO certified before doing business with you.
Monday, July 30, 2007
ISO 27001 CERTIFICATION EXPLAINED
From: www.27001-online.com
Thursday, July 19, 2007
The ISO27001 Certification Process
Some of the most common questions pertaining to the 27000 series of standards relate to the certification process for ISO27001. This page is intended to help address some of these.
In a nutshell, the following diagram explains the logical flow of the process itself:

The process starts when the organization makes the decision to embark upon the exercise. Clearly, at this point, it is also important to ensure management commitment and then assign responsibilities for the project itself.
An organizational top level policy can then be developed and published. This can, and will normally, be supported by subordinate policies. The next stage is particularly critical: scoping. This will define which part(s) of the organization will be covered by the ISMS. Typically, it will define the location, assets and technology to be included.
At this stage a risk assessment will be undertaken, to determine the organization's risk exposure/profile, and identify the best route to address this. The document produced will be the basis for the next stage, which will be the management of those risks. A part of this process will be selection of appropriate controls with respect to those outlined in the standard (and ISO27002), with the justification for each decision recorded in a Statement of Applicability (SOA). The controls themselves should then be implemented as appropriate.
The certification process itself can then be embarked upon via a suitable accredited third party.
Source: http://www.27000.org/ismsprocess.htm