ISO 27001 - Information security management system
ISO 27001 is the information security management system standard designed to specify the requirements for implementation of security controls within an individual organization. It also covers physical control and IT security issues.
Certification of the information security management system is a confirmation from an independent, competent and accredited agency that the business adheres to the requirements of an internationally recognized information security management system standard. This includes establishing, implementing, operating, monitoring, reviewing, maintaining and improving the organization’s information security management system.
ISO 27001 includes elements to ensure the following:
- Security requirements and objectives are properly formulated
- Security risks are managed in a cost efficient way
- Compliance with laws and regulations
- A proper framework for the implementation and management of controls to ensure the security objectives of the organization are met
- Compliance with the policies, directives and standards of the organization
- Information security for customers
How does the certification process work?
System audits in the certification process are a means to measure if the information security management system meets the requirements of ISO 27001. The main purpose of the system audits is to identify potential improvements
The certification process consists of two phases:
- Phase 1 normally consists of a visit to the business in order to review the status of the organization, system documentation, infrastructure, etc. In particular the organization’s Statement of Applicability (SOA) will be verified.
- Phase 2 is the certification audit verifying that the system documentation meets the requirements of ISO 27001. The certification audit will give feedback to the organization on issues that are not in conformance with the standard and that needs to be corrected before a certificate can be issued.
The certificate will be valid for 3 years after being granted. During this period, annual surveillance audits will be conducted
A new edition was published in 2013 and certified companies must be in line with the new version by October 2015.