ISMS Standard:

The ISMS standard ISO/IEC 27001:2005 was published by ISO on 15 October 2005. It is based on BS 7799-2:2002 and was developed in ISO/IEC JTC1 SC 27, the committee also responsible for ISO/IEC 27002 and the other standards in the 27000 series. This standard sets out the requirements for an ISMS (Information Security Management System). Like ISO 9001 and ISO 14001, it is a management system standard and can therefore also be used for certification.

ISO/IEC JTC1 SC 27 has now started the revision of ISO/IEC 27001. This is the normal process for standards; the version published in 2005 remains valid until the new version is published. This Web site will keep you updated about the results of the revision process.

More information about the ISMS standard, ISO/IEC 27002 and the other standards in the 27000 series can also be obtained by participating in courses and tutorials (see Training Courses). ISO has published several Focus Papers which emphasise the importance of information security; these papers can be downloaded here.

27000 Series of Standards:

In addition to ISO/IEC 27001, ISO/IEC JTC1 SC 27 is working on several other standards that will all be included in the 27000 series, by analogy with the other families of management system standards such as ISO 9000. The standards in the 27000 series are:

- ISO/IEC 27000: Information security management system fundamentals and vocabulary (published and freely available)

- ISO/IEC 27001: Information security management system - Requirements (published - currently under revision)

- ISO/IEC 27002: Code of practice for Information Security Management (published - currently under revision)

- ISO/IEC 27003: Information security management system implementation guidance (about to be published)

- ISO/IEC 27004: Information security management measurement (about to be published)

- ISO/IEC 27005: Information security risk management (published in 2007)

- ISO/IEC 27006: Requirements for bodies providing audit and certification of information security management systems (published in 2006)

- ISO/IEC 27007: Guidelines for information security management systems auditing (under development)

- ISO/IEC 27008: Guidance for auditors on information security management systems controls


In addition, there are several sector-specific ISMS standards which are currently under development:

- ISO/IEC 27010: Information Security Management for Inter-Sector Communications (under development)

- ISO/IEC 27011 (ITU-T X.1051): Information security management guidelines for telecommunications (published)

- ISO/IEC 27013: Guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001

- ISO/IEC 27014: Information security governance framework

- ISO/IEC 27015: Information security management system for financial and insurance services sector

The next SC 27 meeting is in autumn; this site will keep you updated about the developments.

Useful Documents:

Useful documents for the application of ISO/IEC 27001, ISO/IEC 27002 and other ISMS standards are the following BIPs (more about BIP 0070 and the individual BIPs can be found on the BSI Web site):

- BIP 0070: A CD containing the standards ISO/IEC 27001 and ISO/IEC 27002, the BIPs listed below, and much more

- BIP 0071: Guidelines on requirements and preparation for ISMS certification based on ISO/IEC 27001

- BIP 0072: Are you ready for an ISMS audit based on ISO/IEC 27001?

- BIP 0073: Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001

- BIP 0074: Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001

About ISO/IEC 27001:

ISO/IEC 27001:2005 specifies the requirements for an ISMS (Information Security Management System). ISO/IEC 27001 is based on BS 7799-2:2002 and is harmonized with the other management system standards ISO 9001:2000 and ISO 14001:2004. This facilitates the implementation of consistent and integrated management systems. ISO/IEC 27001 uses the Plan-Do-Check-Act (PDCA) model as part of a management system approach to developing, implementing, and improving the effectiveness of an organization's information security management system.

The implementation of the PDCA model also reflects the principles set out in the OECD Guidelines for the Security of Information Systems and Networks (2002). In particular, this new edition gives a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.

ISMS Certification:

Third party certification of an organisation’s information security management system (ISMS) is one means of providing assurance that the certified organisation has implemented a system for the management of information security in line with the ISMS standard ISO/IEC 27001. The document ISO/IEC 27006 "Requirements for bodies providing audit and certification of information security management systems" specifies requirements for ISMS certification and certification bodies, in addition to the general requirements contained in ISO/IEC 17021.

If you are interested in how many ISMS certificates have been issued so far, go to the Certificate Register. The register lists all organisations that have been certified so far and is updated regularly, in co-operation with the certification bodies issuing ISMS certificates. For many of the certificates listed in the register you can also look at the ISMS scope.

If you have any further questions regarding ISMS certification, please do not hesitate to contact me.