8/6/2019 ISO 27001_Guide

1/12

BSI Information Security

A guide to ISO 27001

+ + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + +

BSIInforma

tionSecurityManagementS

ystems

8/6/2019 ISO 27001_Guide

2/12

Information is the lifeblood of allorganizations and can exist in manyforms. It can be printed or written onpaper, stored electronically, transmittedby mail or by electronic means, shown infilms, or spoken in conversation.

In today's competitive businessenvironment, such information isconstantly under threat from many

sources. These can be internal, external,accidental, or malicious. With theincreased use of new technology to store,transmit, and retrieve information, therehas been a subsequent increase in thenumbers and types of threats.

Furthermore, there has been a markedincrease in pressure from legal andregulatory authorities. Informationsecurity is more than a simple matter oftechnology; its a major governance issueand can directly affect an organization'sreputation and ultimately its survival. It istherefore vital that an organization takessteps to protect its information assets.

A proven solution is the adoption of anInformation Security Management System(ISMS), which meets the requirements ofISO/IEC 27001.

> The security of information assets is crucial

to all organizations and requires effective

management.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Information assetsManaging information is vital to an organization's future.

02 | BSI Information Security

BSIIntroduction

8/6/2019 ISO 27001_Guide

3/12

In order to effectively manage yourorganization's information risks and

threats, you should establish an InformationSecurity Management Systems (ISMS). AnISMS, based on ISO 27001, will help youmanage these issues while continuallyimproving the security of your information.

ISO 27001 (previously BS 7799) is theinternationally recognized standard forsetting out the requirements for an ISMS. Ithelps identify, manage and minimize the

range of threats to which information isregularly subjected.

The standard is designed to ensure theselection of adequate and proportionatesecurity controls that protect informationassets and give confidence to interestedparties including an organizationscustomers and suppliers.

It uses a risk-based approach to managinginformation security, which ensures thatresults are both appropriate andaffordable for your organization.

It also incorporates the proven Plan-Do-Check-Act (PDCA) cycle, which enables

your organization to continually improveits information security management andmeet the changing legal and regulatory

requirements for information security.

me

> Establishing an ISMS based on ISO 27001

enables your organization to protect its

information assets.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

BSIISO 27001 model

BSI Information Security | 03

Informationsecurity

requirementsand

expectations(eg: legal, regulatory

and commercial)

Interestedparties

(eg: seniormanagement,customers and

partners)

Informationsecurity

managed asexpected

Interestedparties

(eg: customers)

Plan

CheckDo

Establish thedocumented ISMS

Implement andoperate the ISMS

Monitor and reviewthe ISMS

Maintain & improvethe effectiveness of

the ISMS

An international standard that

provides guidance on information

security management based onindustry best practice. It aligns with,

and expands on, the controls of ISO

27001 but it is not an auditable

standard. ISO 17799 is due to become

ISO 27002 in 2007.

ISO/IEC 17799 CODE OF PRACTICE FOR

INFORMATION SECURITY MANAGEMENT

Act

8/6/2019 ISO 27001_Guide

4/12

Establishing an ISMS, which meets therequirements of ISO 27001, is an idealplatform for building effective security foryour business information. This processcan be complex and is made much easierby grouping it into a number of steps.

Steps 1 and 2 involve establishing thescope, boundaries and policy of the ISMS.These should be defined on the basis ofthe organizations specific characteristics

such as size, assets and types ofinformation systems while legal,regulatory and contractual requirementsmust also be taken into account. Thesesteps require management direction andsupport while being crucial to the overallsuccess of implementing an ISMS.

Steps 3 to 5 involve assessing the securityrisks to the organization's information.

A risk assessment approach andmethodology need to be defined tofacilitate these steps. The key outputs arethe identification of the risks along withthe undertaking of a risk assessment.

> Expenditure on controls to protect

information and information systems

needs to be balanced against the

business harm likely to result from

security failures.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

04 | BSI Information Security

BSIGetting Started

Establishing an ISMSThe steps you should follow.

Step 1

Define the scopeand boundaries of

the ISMS

ISMSScope

Statement

Step 2

Define an ISMSpolicy

An ISMSpolicy

Step 3

Define the riskassessment approach

Documentedrisk

assessmentapproach

Step 4

Identify risks

List ofthreats,

vulnerabilitiesand impacts

Step 5

Undertake a risk

assessment

Report onbusiness

impacts andlikelihoods

8/6/2019 ISO 27001_Guide

5/12

Steps 6 and 7 involve evaluating thetreatment options for business risks andselecting the relevant control objectivesand controls. Where risks are deemed to beunacceptable, an organization needs tochoose how to manage them as part of arisk treatment plan. This plan will involveapplying appropriate controls, accepting ortransferring the risks to other parties.Alternatively, avoiding action can be taken.In line with the decision on how risks are

treated, appropriate control objectives andcontrols need to be selected from Annex Aof the standard. Additional controls can beintroduced to address an organization'sspecific risks.

Steps 8 and 9 require management toapprove the proposed residual risks andauthorize the implementation the ISMS.The residual risks are those that

management accept on behalf of thebusiness as not being treated. Examplesinclude risks which would be very costly totreat, but have a low impact to the business.

Step 10 involves the preparation of aStatement of Applicability. This describesand documents the selected controlobjectives, controls and the reasons for theirselection or exclusion.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

BSI Information Security | 05

BSIGetting Started

Step 7

Select controlobjectives & controls

List ofcontrol

objectivesand controls

Step 6

Evaluate risktreatment options

Risktreatment

plan

Step 8

Obtain managementapproval of proposed

residual risks

Record ofapprovedresidual

risks

Step 9

Obtain managementapproval to

implement the ISMS

Managementauthorization

toimplementthe ISMS

Step 10

Prepare statement

of applicability

Statementof

applicability

8/6/2019 ISO 27001_Guide

6/12

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

The Security Control AreasControl objectives and controls to help protect yourorganizations information.

Within the ISO 27001 standard, thereare numerous control objectives andcontrols, which are categorized in thefollowing sections:

1. Security Policy

The documented policy helpscommunicate an organizationsinformation security goals. It should beclearly written and understandable to itsreaders. The policy helps managementprovide direction and support forinformation security throughout theorganization.

2. Organization of Information Security

This security control outlines howmanagement ensures implementation ofinformation security within anorganization. It provides a forum for

reviewing and approving security policiesand assigning security roles andresponsibilities.

3. Asset Management

Managing both physical and intellectualassets are important to maintainingappropriate protection. It determinesownership, accountability and protectionof information assets.

4. Human Resources Security

The assessing and assigning of employeesecurity responsibilities and awarenessenables more effective human resource

management. Security responsibilitiesshould be determined during therecruitment of all personnel andthroughout their employment.

5. Physical and Environmental Security

Securing physical areas and workenvironments within the organizationcontributes significantly towardinformation security management.

Anyone who deals with your physicalpremises, whether they are employees,suppliers or customers, play a key role indetermining organizational securityprotection.

06 | BSI Information Security

BSISecurity Controls

8/6/2019 ISO 27001_Guide

7/12

6. Communications and OperationsManagement

Covers the secure delivery andmanagement of the daily operations ofinformation processing facilities andnetworks.

7. Access Control

Managing access levels of all employeeshelps to control information security inan organization. Controlling levels of

systems and network access can become acritical success factor when protectingdata or information network systems.

8. Information Systems Acquisition,Development and MaintenanceInvolves the secure development,maintenance and acceptance of businessapplications, products and services intothe operational environment.

9. Incident Management

Facilitates the identification andmanagement of information securityevents and weaknesses and allows fortheir appropriate and timely resolutionand communication.

10. Business Continuity Management

Using controls against natural disasters,operational disruptions and potentialsecurity failures helps the continuity ofbusiness functions.

11. Compliance

To assist organizations with theidentification and compliance withcontractual obligations, legal andregulatory requirements.

> Control objectives and controls are

selected as part of the ISMS risk process.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

BSI Information Security | 07

BSISecurity Controls

8/6/2019 ISO 27001_Guide

8/12

Adopting ISO 27001 can bring significant

benefits including:

Providing a common frameworkenabling organizations to develop,implement, and effectively measureinformation security managementpractices

Providing a risk-based approach that isstructured and proactive to help plan

and implement an ISMS resulting in alevel of organizational security that isappropriate and affordable

Ensuring the right people, processes,procedures and technologies are inplace to protect information assets

Protecting information in terms ofconfidentiality, integrity and availability

Aligns with other managementstandards such as ISO 9001

However, accredited certification to ISO27001 is a powerful independentdemonstration of an organizationscommitment to managing informationsecurity.

Being certified will provide a number ofspecific benefits which are described:

>The above benefits are not realized by

organizations who simply comply withISO 27001 or the recommendations in the

Code of Practice standard, ISO 17799.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

The benefits of an ISO 27001 based ISMSImplementing an ISMS certified to ISO 27001 is the clearest demonstrationof commitment to good information security governance.

08 | BSI Information Security

BSIBenefits

+ Demonstrates independent assuranceof an organizations internal controlstherefore meeting corporategovernance and business continuityrequirements.

+ Provides third-party assurance thatapplicable laws and regulations areobserved.

+ Provides a competitive edge, e.g.,

by meeting contractual requirementsand demonstrating to customers thatthe security of their information isparamount.

+ Independently verifies thatorganizational risks are properlyidentified, assessed and managedwhile formalizing information securityprocesses, procedures anddocumentation.

+ Proves senior managementscommitment to the security of anorganizations information.

+ The regular assessment process helpsan organization continually monitorand improve.

BENEFITS OF CERTIFICATION

8/6/2019 ISO 27001_Guide

9/12

Contact BSI Management Systems.

We will consider your business

requirements, then arrange the

services that best suit your needs.

Upon contacting BSI, we will

provide an estimate of costs and

timescales for formal assessment.

On return of your completed

application form, we will assign you

to a Lead Assessor. They will be your

principal contact throughout the

registration process and beyond,

have knowledge concerning the

nature of your business, and will

offer support while you develop

your systems.

BSI will undertake a desk top

review of the Risk Assessment,

Policy, Scope, Statement of

Applicability and Procedures. This

will then identify any weaknesses

and omissions in your management

system that need to be resolved.

On successful completion of the

audit, a certificate of registration is

issued which clearly identifies the

scope of the ISMS. It remains valid

for three years and is supported by

routine assessment visits.

After registration your assessor will

visit your organization at regular

intervals each year to facilitate

improvement and ensure that you

continue to meet the requirements

of ISO 27001.

Submit a formal application for

registration services to BSI.

BSI will then conduct an on-site

assessment and make

recommendations.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

The BSI Route to RegistrationThere are eight steps to achieving and maintaining yourISO 27001 certificate.

Step 5

Undertakea review

Step 6

Undertake afull audit

Step 7

Registration

Step 8

Continualassessment

Step 1

Initialenquiry

Step 2

Quotationprovided

Step 3

Applicationsubmitted

Step 4

Assessmentteam

appointed

BSI Information Security | 09

BSIRoute to Registration

8/6/2019 ISO 27001_Guide

10/12

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

ISO 27001 Services and Tools from BSIEverything you need from one convenient and reputable source.

The standards

Before you can begin preparing for thecertification process, you will require acopy of the ISO 27001 standard.You should read this and make yourselffamiliar with it. Other related standardsare also available from BSI.Purchase standards from:www.bsi-global.com/bsonline

Free guidance documents,publications and software

There is a wide range of freeguidance documents on the BSI websitewww.bsi-emea.com. You can alsopurchase support publications andsoftware tools designed to help youunderstand, implement and becomecertified to an ISO 27001 basedInformation Security Management

System. These are available from:www.bsi-global.com/ict/security

Implementation and improvement tools

Various BSI tools are available to helpyou implement and improve your ISMS.They cover subjects such as RiskAssessments, Risk Methodologies, GapAnalysis and Benchmarking.

Training

There is a wide range of ISO 27001 andinformation security management relatedtraining courses to suit variousrequirements. These include: ISO 27001Introduction; Implementation; Internalauditor and Lead auditor courses. Coursescan be delivered in-company, at publicvenues or online via e-learning. Thesecourses are highly regarded and wellattended.

> Implementing an ISO 27001 ISMS can

be complex but BSI tools and services can

simplify and reduce the process cost.

TRAINING COURSES

INFORMATION SECURITY COURSES:www.bsi-emea.com/isms-training

ALL BSI COURSES:www.bsi-emea.com/training

10 | BSI Information Security

BSIServices and tools

8/6/2019 ISO 27001_Guide

11/12

BSI has over 40,000 registered clients,making BSI one of the largest and mostexperienced certification bodies in theworld. This places BSI in an unrivalledposition of experience and knowledgeabout companies' needs, irrespective ofsize and industry sector. Furthermore,BSI is the clear global market leader inISO 27001 certification and pioneered thedevelopment of BS 7799, its BritishStandard predecessor.

Independent accreditation

BSI's ISO 27001 certification service isaccredited by the United KingdomAccreditation Service (UKAS).Accreditation is a valuable indicator foryou to use to verify that your certificationbody is competent to be carrying outassessment services at your facility. Itprovides assurances to you that BSI

continues to operate according tointernationally accepted criteria.

Added value auditing

BSI is one of the few certification bodiesto employ full-time auditors withinformation security expertise. BSIemploys very strict auditor qualificationcriteria and auditors are regularlyassessed. BSI carefully matches theauditor's industry experience with anorganizations activities enabling theassessment to add real value withminimum disruption and cost to youroperation.

Global network of delivery

When you choose BSI as your businesspartner, you are also choosing ourinternational reputation for excellenceand delivery. BSI operates in over 90countries and we have the flexibility andcapability to provide a first class serviceanywhere around the world.

To find your nearest office, please visit:www.bsi-emea.com/locations

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

BSI Information Security | 11

BSIYour ISO 27001 partner

Partner with the global ISO 27001 leaderKey reasons for choosing BSI as your partner.

THE ISO 27000 FAMILY OF STANDARDS

ISO 27000 Vocabulary

and Definitions

ISO/IEC 27001:2005

Specification

Document

ISO 27002 (ISO17799)Code of Practice

ISO 27003,

Implementation

Guidance

ISO 27004, Metrics

and Measurement

ISO 27005, (BS 7799-3)

Risk Management

Planned Release

2008/2009

Released

October 2005

Planned ReleaseApril 2007

(number change only)

Planned Release

2008/2009

Planned Release

2008/2009

Planned Release

2008/2009

8/6/2019 ISO 27001_Guide

12/12

BSI Management Systems

389 Chiswick High Road

London

W4 4AL

Tel: +44 (0) 20 8996 6325

Fax: +44 (0) 20 8996 7852

international@bsi-global.com

www.bsi-emea.com

BSI Group: Standards Information Training Inspection Testing Assessment Certification

raising standards worldwide