
There are many genuine questions you should ask concerning ISMSs, and they won't (yet) all be explained by the standards, even if you’ve bought them.

Therefore, the following 'QYSA' have been assembled as a means of providing both an overview of what an information security management system (ISMS) is, what it is that defines the idea (international standards) and what those standards are and require. It also explains how organizations seeking to be conformant to the international ISMS standards should approach that goal.

We hope that you find these questions useful and edifying - if they cause you to give thought to how having a certified ISMS could help your organization then please do not hesitate to contact us with your own questions, to which we will be pleased to respond, and maybe use to extend this list.

We will revise these QYSA from time to time, to reflect important issues that arise either from enquiries received which highlight issues of concern to clients and visitors to this website, or from advances in the development of these standards. To read a PDF version of this text click here.

Why QYSA, instead of a common-or-garden FAQ list?  Well, we’re really not great fans of ‘FAQ’s.  Usually they’re actually hardly asked questions (which makes them 'hacks') and are written by the owners of the subject, which tends to make them ‘TBE’ - Things Badly Explained in the original document!



These questions were revised 2007-01-22.
You should be asking questions such as these:

About Information Security Management System standards:
What is an Information Security Management System?
What is the ‘ISO 27000 family of standards’?
What is ISO/IEC 27001?
What is ISO/IEC 27002?
What is ISO/IEC 27006?
How do these standards work together?
Are other standards planned in this series?

About using an ISMS:
Why would my organization need to have an ISMS?
Isn't it going to be expensive to create and operate an ISMS?
Why should I bother, nobody is asking me if I’ve got a certified ISMS?
So, who does have a certified ISMS?
Who in the USA gives any recognition to the ISMS standards?
What do I need to do to become ISO/IEC 27001-certified?
Where can I obtain copies of 27001 and 27002?

About audits, conformance, accreditation and certification:
Can I make a self-declaration of conformity?
Can anyone audit me?
What is a Certification body?
Who decides whether an organization is actually competent to perform these assessments or audits?
Who are the Accredited Certification bodies for the standard?
In which countries are there accreditation and certification schemes actually set up?

About comparisons with other standards:
How do the ISMS standards fit with ISO 9000 & 14000?
How is 27001 different/better than other information security ‘standards’?

And, the BIG questions:
So, does Zygma have its own ISMS?
OK, how do I get any help I might need to set up my own ISMS?

and now, the answers .......

About Information Security Management System standards

What is an Information Security Management System?
The notion of an Information Security Management System (ISMS) was first mooted during the development of British Standard 7799 (which can be traced back to 1987). The definition first given has changed little since, today being as follows:
“an Information Security Management System is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security”

and ‘information security’ is defined as the “preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”.
These definitions come from ISO/IEC 27001:2005.

What is the ‘ISO 27000 family of standards’?
A part of ISO (the International Organization for Standardization) is developing a family of ISMS standards jointly with the International Electrotechnical Commission (IEC), the ISO/IEC 27000 series. These standards fall under the general title of “Information technology – Security techniques”: the 27000 series specifically addresses standards related to information security management systems (ISMS).

There are presently three principal standards in this series: one defines a management standard, which sets out the requirements of an ISMS; another sets out a code of practice, with extensive guidance as to how implementers should select information security controls to be implemented within their ISMS. A third sets out the requirements for bodies which undertake the certification of ISMSs. These three standards are therefore symbiotic! To date, only the first two of these principal standards have been published. They are:

ISO/IEC 27001:2005 "Information security management systems - Requirements";

ISO/IEC 27002:2007 "Code of practice for information security management".

These two standards are based upon existing and proven practices which have been in use internationally since 1995. Today they are recognized globally as the de facto information security standards for businesses and governments alike.
The third of these standards is in the final drafting stages and is expected to be published before the year’s end. That standard is:

ISO/IEC 27006 “Information security management systems – Requirements for the accreditation of bodies providing certification of information security management systems”;

Additional standards in the ‘27000’ series are presently being drafted by ISO. The actual drafting work is the responsibility of a specific sub-committee tasked with the development of Security Techniques standards, ISO JTC1 SC27.

For more details on the organisation of ISO and the inter-relationships between the 2700x family of standards, click here.

What is ISO/IEC 27001?
ISO/IEC 27001 is the international management standard for Information Security Management Systems and is a part of the ISO 27000 family of standards being developed. It is a normative standard, i.e. it states requirements that must be fulfilled for conformity to be claimed. It was published in September 2005, and is in its first release: its full reference is ISO/IEC 27001:2005. It is against 27001 that businesses’ ISMS may be certified.

It has a counterpart, ISO/IEC 27002:2007 (see below), which is the international code of practice for information security management systems. These standards originated as the two parts of British Standard BS 7799.

What is ISO/IEC 27002?
ISO/IEC 27002 is the international code of practice for Information Security Management Systems and is a part of the ISO 27000 family of standards being developed. Because it is a code of practice it offers implementation guidance, suggesting practices that implementers should adopt, but not requiring it. It was first published in 2000 and a revision was published in May of 2005: as presently published, its full reference is ISO/IEC 27002:2007. 

It has a counterpart, ISO/IEC 27001, which is the international management standard for Information Security Management Systems. It is against this latter standard which businesses may be certified.  These standards originated as the two parts of British Standard BS 7799.

What is ISO/IEC 27006?
ISO/IEC 27006 is intended to be the reference international standard to be used by accreditation bodies in determining the suitability of bodies operating ISMS certification schemes. It is a normative standard and those bodies adopting it will have to show full conformity to claim adherence to it. The publication of this standard and its adoption by accreditation bodies in those countries operating ISMS certification schemes will go a long way to ensuring consistency in accreditation and certification practices and in the mutual recognition of certificates issued under those schemes. Publication of this standard will be in late 2006 or early 2007.

How do these standards work together?
27001 is the foundation of the ISMS framework. In five normative sections it sets out requirements for an ISMS in terms of required documents, activities and a process model. It also, in a normative annex, sets out 133 controls (in 11 categories which are broken down into control groups). Organisations wishing to have their ISMS recognized as being conformant to the standard have to show that they fulfill the normative requirements of the standard.

ISMS implementers are given support through the code of practice which is set out in 27002. This document gives guidance on how to implement each of the controls specified in Annex A of 27001.

These two standards therefore are of primary interest to ISMS implementers. However, those organizations which provide ISMS certification services must also have in-depth understanding of the requirements of 27001, because they need to assess the conformity of their clients’ ISMSs. In addition they have to fulfill the requirements of 27006 in order to become accredited by an accreditation body.

27006 is based upon a generic standard which sets out requirements for bodies which certify management systems in general.  27006 adds requirements which are ISMS specific. It also offers guidance in a number of annexes which address key topics such as estimating the necessary resources to perform the assessment and on the actual conduct of certification assessments. Although of obvious importance to accreditation and certification bodies, implementers should take note of the requirements of this standard in order to understand what to expect from their chosen certification body.

By following this link you can watch Zygma’s animated PowerPoint presentation on how we see these standards interacting with the players on the ISMS field.

Are other standards planned in this series?
Yes - there are further standards in this series which are in various stages of being drafted. They can be expected to be published anytime from 2008 onwards.

The works in progress are (these title and number assignments are liable to change until the standards become formally published):
    27003 - Implementation guidance;
    27004 - Metrics and measurements;
    27005 - Risk management;
    27007 - Audit guidance.

Others are planned and may cover sector-specific requirements. This page will be updated as that happens.

About using an ISMS:

Why would my organization need to have an ISMS?
Firstly, implementing an ISMS based on ISO/IEC 27001 shows that an organization is serious about the way it views its information security responsibilities and embraces internationally-recognized best practices. Secondly, a certified ISMS provides an organization with an externally-verified way of demonstrating that it has in place the controls to adequately protect the organization’s information assets. It is a near certainty (in all but the most efficiently operated organizations) that the implementation of an ISMS will reap many improvements in how the owning organization exercises its internal controls.

An ISMS can also make the organization's information security strategy "defensible". Should a breach occur that results in damages to a third party, the existence of a certified ISMS could be used as a due diligence defense in court. This may «caveat, ‘may’ – nothing certain!» limit the damages for which the organization may be liable.

Isn't it going to be expensive to create and operate an ISMS?
If you have never before done any ISMS implementation then training in what the ISMS standards cover, how they should be implemented and how to conduct internal audits will most likely be required. Investment may also be required in developing policies, processes and procedures, and in operating the ISMS. However, while there are costs associated with setting up and operating an ISMS, there are also a number of benefits.

Simply implementing an ISMS is likely to provide benefits through identification of existing flaws, and a better understanding of the business’ information security needs. Overall, organizations that are operating certified ISMSs claim that they have saved money through better control of risk management within their organization. Manage your risk, manage your profits.

You can reduce significantly the time and cost to establish your ISMS by using Zygma’s Advanced Internal Management System model (AIMS) skeleton ISMS documentation aid. We can also provide you with training in the relevant standards and in use of the skeleton ISMS.

Why should I bother, nobody is asking me if I’ve got a certified ISMS?
Having a certified ISMS works two ways. One is the improvement it gives to an organization’s internal controls, and that includes specifically the way it controls risk associated with its information security assets. There is also, it is generally found, a net reduction in a business’ costs. An organization could set up its ISMS and simply run it entirely from within itself. The benefit of an external assessment and certification is that an independent view is applied, unlikely to suffer the blind spots we all have when we are deeply involved in a piece of our own work.

The other way a certified ISMS benefits an organization is that once other parties understand the merits of the ISMS approach the organization has an advantage over its competitors, by being able to show that it has satisfied an external assessor that it conforms to the (internationally-recognized) ISMS standards. This allows an organization to give greater assurance to its business partners, investors, clients, and quite likely insurers and regulators.

And, let’s face it, once an organization understands the benefits of having an ISMS it really should have one itself before it starts to demand one of its suppliers and business partners. The benefits affect everyone in the supply chain.

So, who does have a certified ISMS?
Firstly, there are now over two thousand certified ISMS around the world.
Just to give you a feel for the numbers (it’s hard to keep up, and we’re not promising to), here are a few ‘ball park’ figures: UK 220+; India 130+; Taiwan 60; Germany 45; Korea 33; Italy 26; USA 35; Netherlands 20+.  Oh, and Japan – 1600 (and growing almost daily!) The remaining certifications are spread across almost fifty additional countries, in some cases just one or two per country – these must represent truly pioneering organizations.  These numbers are of course increasing steadily.

By no means do each of the countries in which organizations have certified their ISMS operate accreditation and certification schemes, or have their own version of the standard.  A US-based accreditation scheme is only just now being put in place.

Who in the USA gives any recognition to the ISMS standards?
Let’s consider the question in two parts – firstly, which bodies with any standing recognize the value of the controls set out by ISO/IEC 27002?  In fact 27002 (when it was still published as 17799) has been recognized as being a guiding light in information security by a number of US bodies, amongst which are the US Congress Joint Economics Committee, the Food and Drug Administration, the States of Georgia and Maine and the Department of Health and Human Services.

For instance, in May 2002 the Joint Economic Committee of the US Congress reported on "SECURITY IN THE INFORMATION AGE".  In this report, under the heading 'VALIDATING COMPLIANCE - THE FUTURE OF INFORMATION PROTECTION' it is stated "The defining standard for developing an information protection program around is ISO [27002], formerly British Standard 7799".  At that time there was no international equivalent to BS 7799-2, the management system requirements, and one might suspect that it was considered impolitic to recommend a foreign standard as the basis of securing the nation's information infrastructure.  Now of course, the situation is vastly improved, with the publication of ISO/IEC 27001:2005.

The answer to the other part of the question is a rhetorical question itself: what about the 35 or so organizations in the US that have already gained certification of their ISMSs by seeking the services of foreign assessors and which have been certified against a foreign standard (BS 7799-2)?

We firmly believe that now ISO/IEC 27001:2005 has been formally published there will be very significant uptake in North America, which hitherto has had to rely on ‘off-shore’ certifications.  Zygma is talking to some of those leading the wave – in fact we’re among them, having built an ISMS which supports our own businesses, thereby helping us improve our services to our clients, by practicing what we preach.

What do I need to do to become ISO/IEC 27001-certified?
A simplified answer is that you need to establish policies for information security, identify your information assets, perform a risk assessment on those assets, establish a management structure to implement the defined policies and controls and then establish a continual improvement process to ensure that those policies and their implementation are under constant review and enhancement.  All of that needs to be documented in a way which can be shown to fulfill the requirements of the ISO/IEC 27001 ‘Statement of Applicability’.

Where can I obtain copies of 27001 and 27002?
The full texts of all published ISO standards are available from ISO and national standards bodies (see same ISO page) – suggested sources in the US are the American National Standards Institute or BSI Americas, in the UK the British Standards Institute.  Just a word of advice – get a PDF downloadable version.  It may seem obvious to point out that it is quicker and more convenient, but there are some sources selling paper versions still. 

About audits, conformance, accreditation and certification:

Can I make a self-declaration of conformity?
You could, but (there’s always a 'but') any such declaration would be more likely to be of use within an organization. It would be unlikely that a third party, especially one which understands the principles of the international ISMS standards, would place as much confidence in such a declaration as it would in a formal certification arising from an independent audit. Certainly a self-declaration would have no place in the context of international recognition of conformity.

Can anyone audit me?
Technically, yes, but (see above - you’ve already been warned about this), if the auditor has not had formal training and relevant experience then their performance may not give the client organization value for money and their opinion is likely to carry less weight (than that of someone who does have appropriate training and experience) if the organization is trying to ‘sell’ the audit outcome to its business partners, etc.

Note - the stress is on 'may not give satisfaction' - there are auditors with a wealth of experience and competence but who have not sought formal certification for themselves. That can give organizations looking for an auditor some problems in making a selection.

What is a Certification body?
A certification body is a third party organization that has been deemed competent to perform assessments and audits against a specified standard.
For a certified ISMS, the applicable standard is ISO/IEC 27001:2005.

Who decides whether an organization is actually competent to perform these assessments or audits?
Individual auditors are required to have undergone formal training and to have acquired certain levels of experience in order to perform ISMS audits. The International Register of Certified Auditors holds a register of those whose competence it recognizes.

Certification bodies are accredited by national accreditation bodies. Up to now many have chosen to apply the standard EA-7/03 to ensure that the organization concerned has adequate management, resources and skills in place to perform ISMS audits against ISO/IEC 27001 in a manner which is competent, consistent and objective. They are required to use only auditors who have undergone training and acquired certain levels of experience.  The forthcoming ISO/IEC 27006 (due for publication in early 2007) draws heavily on the positive experiences of many years’ application of EA-7/03, and improves upon it.

Normally the accreditation bodies are affiliated through participation in the International Accreditation Forum. In the USA, ANSI-ASQ National Accreditation Board has stated an intention to establish an accreditation scheme based upon 27006 but to date there is little sign of progress and no US-accredited certification bodies.

Who are the Accredited Certification Bodies for the standard?
There are a growing number. However, the following are amongst them: BSI, Certification Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH. We make no claim that this is an exhaustive list – it certainly isn’t.

At this time there are no certification bodies (CBs) accredited by a North American accreditation body. Those CBs operating in North America are presently reliant upon accreditation elsewhere, generally in Europe. The ANSI-ASQ National Accreditation Board (ANAB) has established a scheme for the accreditation of ISMS Certification Bodies, although their scheme has yet to accredit any CBs.

In which countries are there accreditation and certification schemes actually set up?
Since 1995, when British Standard (BS) 7799 Part 2 was the de facto certification standard, many countries worldwide have either adopted it within their own national standards body or have simply taken up BS 7799-2 ‘as is’. Many have developed their own accreditation and certification schemes. Amongst these countries are the Netherlands (the Dutch in fact beat the Brits at their own game, and established the first BS 7799-2 accreditation and certification schemes in the world; the UK was the second country to achieve this), Australia and New Zealand (who jointly badged it AS/NZS 4444), Denmark (DS484), India, Japan, Korea, Mauritius, Singapore, Spain, Sweden (SS62779).

In the USA the ANSI-ASQ National Accreditation Board (ANAB) has stated an intention to establish an accreditation scheme based upon 27006, but to date there is little sign of progress and no US-accredited certification bodies, with many CBs already having turned to accreditation overseas.

Comparisons with other standards:
How do the ISMS standards fit with ISO 9000 & 14000?
Both ISO/IEC 27001 and 27002 are "harmonized" with other management standards, including ISO 9000 and ISO 14000. ISMS is of course much more focused and generally requires significantly more resources to perform, on the basis of comparable organizational characteristics. However, because of the similarities we are starting to see certification bodies offering combined audits at a reduced cost. If you are certified under ISO 9000, it will cost less to maintain your ISO 27001 certification than it would cost if you are not ISO 9000 certified, because of certain shared practices. Indeed, some organizations cover both their in-house ISMS and QA schemes under a single management system and single audits.

How is 27001 different/better than other information security ‘standards’?
There are a number of other ‘standards’ used for information security auditing. None equal ISO/IEC 27001 and ISO/IEC 27002. The international ISMS standards have the benefit of thousands of hours of refinement and practical feedback from actual implementations across the globe. They have been recently upgraded to bring them up to date within our electronic information society. They are aligned with other international management and quality standards (ISO/IEC 9000, 14000, 20000). Furthermore, these ISMS standards actively encourage organizations to enhance and add their own controls whenever their specific circumstances demand it, but in a manner which is consistent with the form of expression and audit practices of the overall ISMS framework.

Additionally, the ISMS standards are supported by auditor training requirements, formal accreditation and certification schemes world-wide, which generally affords an ISMS certificate global recognition, adding significantly to its worth.

Certain other schemes have significant drawbacks which do not come up to the quality of the international ISMS standards. SAS-70, a common auditing standard applied especially in the accounting and financial world but also in other sectors, actually has no pre-determined control objectives or control activities that service organizations must achieve. It is left to the subject of the audit to set their own rules and targets – hardly a basis for an objective assessment, and certainly not one that gives any comparable benchmark between organizations. A cynical view of SAS-70 would be that at Level 1 the audit subject lies and the auditor accepts the lie; at Level 2 the audit subject and the auditor conspire together to lie. Perhaps a little extreme and not intended to suggest that those participating in SAS-70 audits do actually adopt such an approach, but the point should by now be made! It lacks controls and establishes no benchmark.

Other standards or schemes, such as Identrus, a banking trust scheme in which many banks participate, have not made their operating rules public, which certainly fails any generally-accepted test of openness. Undoubtedly, in certain circumstances these other approaches can have value, but they simply fail to come up to the level of the international ISMS standards. However, where other standards have explicit control objectives which have value to the organization it is entirely feasible, and indeed encouraged, to extend the standard ISMS controls to embrace these specific requirements and have them included within the scope of the certification – some organisations have done this, in particular through including their ISO 9000 controls within a broadened ISMS. The same goes for regulatory requirements, e.g. SOX and HIPAA.

Zygma can provide clients with detailed guidance on how they can implement an ISMS and, moreover, can demonstrate how an ISMS can be extended to show conformity with these two specific pieces of legislation, or indeed with any specific internal control needs which clients may have (refer to some of Zygma’s white papers).

The BIG questions:

So, does Zygma have its own ISMS?
Yes, in the firm belief that one has to practice what one preaches, Zygma has been formally operating an ISMS since 2006-07.  The scope of this ISMS is:
    "the Zygma partnership llc's whole business operations pertaining to the provision of information security consultancy, worldwide."

You can be assured that as soon as we have achieved certification, there will be at the least an update to this page!

OK, how do I get any help I might need to set up my own ISMS?
Well, there are many businesses in the game of selling ISMS guidance, tools and other support. As the consumer of their services, first of all, develop your own plan, decide how you want to use any external services, and make sure you remain in charge of their participation and the development of your ISMS. This way, you stay in charge of your business and understand better how the ISMS is a tool to help you do that. It is a part of your internal control system – and the ISMS management standard requires top-level management support.

Next, ensure that the business you choose to give you support really understands what the ISMS concept is about, and has a range of services from basic introduction to the concepts, through training, assistance with policy development, and maybe some tools to help you. Check also their track record, whether they are themselves certified auditors, whether they participate in the development of these standards and whether they have an ISMS themselves. We’re not saying that these are ‘musts’ – sometimes extensive experience is worth more than a piece of paper declaring a certified status, but our point is, look for strength overall, understanding of the practical application of the ISMS standards, not just theoretical knowledge, and match it to your needs.

We’d like you to take a look at Zygma and see how we might be able to assist you. We think we can fulfill these requirements and provide a team of size and competence to meet your needs. Furthermore, our AIMS ISMS Skeleton documentation aid can put you on the fast track to building, implementing and getting your ISMS certified.

We look forward to hearing from you – we hope that at the least this ‘QYSA’ list has made you more aware of the merits of having your own ISMS. Good luck with your endeavours in that direction.

© 1993 - 2015 the Zygma partnership LLC. Office: +1 714 965 99 42. Mobile: +1 714 797 99 42. Email: Enquiries @ Zygma.biz
All Zygma services are provided in accordance with its Ethics Policy.