ISO 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems (meaning their frameworks for designing, implementing, managing, maintaining and enforcing information security processes and controls systematically and consistently throughout the organization).
The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall risk management processes. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
The standard provides an ISMS model for adequate and proportionate security controls to protect information assets and give confidence to interested parties.
The Registration Cycle for ISO/IEC 27001:2005
Registration for the International Standard consists of the following activities:
Stage-1 Assessment
Stage-2 Assessment
Surveillance Assessment
Pre-Assessment
This helps establish a high-level understanding of the integrity and scope of the client's ISMS
This takes at least 4 to 6 weeks before the Stage-1 audit can be conducted
Completion of the Statement of Applicability can trigger the pre-assessment
This takes place at the client's base site and, by mutual agreement, at other sites
This brings out the client's readiness level for the Stage-1 audit
Stage-1 Assessment
Conduct an onsite ISMS definition review
Review the client's risk assessment methodology
Review the Statement of Applicability
This establishes the client's readiness to proceed to the Stage-2 audit
Stage-2 Assessment
This assessment verifies the effective implementation of the ISMS
Involves assessing the ISMS activities that fall within its scope
Will confirm whether the client's ISMS is able to achieve the customer's intended security objectives
Will include site tours of all sites to verify aspects of the ISMS implementation
Will involve interviews with selected people
Will be based on an assessment plan covering all areas within scope
Will result in a certification decision based on evidenced compliance
Surveillance Assessment
Assess that the customer's ISMS has been maintained
Re-confirm that the ISMS is able to achieve the organization's security objectives
Verify whether the risk assessment is current
Encourage customers to continuously improve their ISMS
Will be based on an assessment plan covering all critical sites