ISO 27001 is an internationally recognised specification for an Information Security Management System, or ISMS. It's the only auditable standard that deals with the overall management of information security, rather than just which technical controls to implement.

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

Most organizations have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having often been implemented as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover, business continuity planning and physical security may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:

Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

While other sets of information security controls may potentially be used within an ISO/IEC 27001 ISMS as well as, or even instead of, ISO/IEC 27002 (the Code of Practice for Information Security Management), these two standards are normally used together in practice. Annex A to ISO/IEC 27001 succinctly lists the information security controls from ISO/IEC 27002, while ISO/IEC 27002 provides additional information and implementation advice on the controls.

Organizations that implement a suite of information security controls in accordance with ISO/IEC 27002 are simultaneously likely to meet many of the requirements of ISO/IEC 27001, but may lack some of the overarching management system elements. The converse is also true; in other words, an ISO/IEC 27001 compliance certificate provides assurance that the management system for information security is in place, but says little about the absolute state of information security within the organization.
Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls since the overall ISMS is in place and is deemed adequate by satisfying the requirements of ISO/IEC 27001.
Furthermore, management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location. The ISO/IEC 27001 certificate does not necessarily mean the remainder of the organization, outside the scoped area, has an adequate approach to information security management.

Other standards in the ISO/IEC 27001 family of standards provide additional guidance on certain aspects of designing, implementing and operating an ISMS, for example on information security risk management (ISO/IEC 27005).

How to prepare for ISO 27001 certification

There is no one-size-fits-all answer to this question, as the amount of preparation required will vary depending on the size and complexity of your organisation, as well as your current level of compliance with the Standard. However, some tips on how to prepare for ISO 27001 certification with us (LL-C) include the following:

Perform a gap analysis to identify any areas where your organisation does not meet the requirements of the Standard.
Develop an implementation plan that outlines how you will close any gaps identified in the gap analysis.
Train your staff on the requirements of the Standard and on your implementation plan.
Create or update your organisation's ISMS documentation, including policies, procedures, and other supporting documents.
Conduct internal audits to verify that your ISMS is functioning as intended and that all employees are following the required procedures.
Schedule and complete an external certification audit with a certification body.

The ISO 27001 certification process

Once you are ready for certification, you will need to engage the services of an independent, accredited certification body. These certification bodies have been assessed by the relevant national authority based on their competence, impartiality and performance capability through a rigorous assessment process.

The ISO 27001 accreditation process consists of two stages and is conducted by a qualified auditor.

Stage 1
The auditor will review your documentation to check that the ISMS has been developed in accordance with the Standard. You will be expected to present evidence of all critical aspects of the ISMS, but how much depends on the certification body's requirements.

Stage 2
If you pass the first stage, the auditor will conduct a more thorough assessment. This assessment will involve reviewing the activities that support the development of the ISMS. The auditor will analyse your policies and procedures in greater depth and check how the ISMS works in practice with an on-site investigation.
The auditor will also interview key staff members to verify that all activities are undertaken following the specifications of ISO 27001.

How much does ISO 27001 certification cost?

The cost of ISO 27001 certification usually depends on the number of employees working for the organisation