Overview on ISO/IEC 27001:2005 (formerly BS 7799-2:2002)

BSI Overview on ISO/IEC 27001:2005

Gusztav Arany,
Sales & Marketing Manager

IDC Security Roadshow, Bucharest, Feb 9th 2006



Content
1. BSI Global Introduction
2. BS 7799-2 / ISO 27001:2005
   - Timeline
   - Products
3. New and Important in ISO/IEC 27001:2005
4. Process of assessment and registration
5. Certification Benefits
6. BSI Presence and abilities in Romania
7. Next Steps

1. BSI Global Introduction

BSI (British Standards Institution)
- Established in 1903
- Standards production, product certification, system certification
- ISO 9001, ISO 14001, OHSAS, ISO/TS 16949, ISO 22000
- Present in 105 countries
- 40 000 certificates issued


1. BSI Global Introduction

Main Partners
3M, ABB, American Axle, Alcoa, Bosch Corporation, BT, Fujitsu, Guardian, HP/Compaq, ITT Industries, Johnson & Johnson, Oxford Automotive, Shell, Xerox, Toyota, Sony, Yell, Lockheed Martin, Honeywell, Lloyds TSB Group, Marconi, Marley

1. BSI Global Introduction

BS 7799 references
- In the UK: 357 certificates
- Worldwide: 4900 certificates
- Examples: ABN AMRO, Acces Co., Atos, Kodak, Marconi


2. BS 7799 Timeline

[Figure: BS 7799 Development timeline, 1995 to 2007]
- Part 1 (code of practice): BS 7799:1995 > BS 7799-1:1999 (1999: UK normal revision cycle) > BS ISO/IEC 17799:2000 > BS ISO/IEC 17799:2005 > BS ISO/IEC 27002:2005 (international committee decision to change number)
- Part 2 (specification): BS 7799-2:1999, developed to support certification > revised in the UK; 2004: UK decision made to submit to ISO Fast-track > BS ISO/IEC 27001:2005 (international committee decision to change number)

2. BS 7799 Products

International Standards
- BS ISO/IEC 27000: Fundamentals and vocabulary
- BS ISO/IEC 27001: Information security management systems - Requirements
- BS ISO/IEC 27002: Code of practice for information security management
- BS ISO/IEC 27003: Implementation guidance
- BS ISO/IEC 27004: Metrics and measurement
- BS ISO/IEC 27005: Information security risk management
- 27006 ... 27011: Reserved for future development (products driven by both BSI and potentially ISO TC)

[Figure legend: available now / still in development / future new product development]

3. New and Important in ISO/IEC 27001:2005

Several Clauses and Control Objectives have been added or changed in order to emphasize their importance:

Organization of Information Security:
- A.6.1.5 Confidentiality Agreements
- A.6.1.6 Contact with Authorities
- A.6.1.7 Contact with Special Interest Groups (may be CERTs, specialists, security forums)

Asset Management:
- A.7.1.2 Ownership of Assets
- A.7.1.3 Acceptable Use of Assets

Human Resource Security:
The entire Clause has been modified in order to be more comprehensive and to follow the entire employment cycle.

3. New and Important in ISO/IEC 27001:2005

Communications and Operations Management:
- Several Control Objectives have been added reflecting changes in technology: Mobile Code Security, Electronic Commerce, On-line Transactions
- Other Control Objectives added in order to emphasize: level of services, monitoring, logging, clock synchronization

Information Systems Acquisition, Development and Maintenance:
- Removed: Control Objectives regarding Encryption, Digital Signature and Non-Repudiation Services
- Added: Control Objectives regarding Technical Vulnerability Management

Information Security Incident Management:
The entire Clause has been added, with Control Objectives regarding the reporting of events and weaknesses and their management.

Business Continuity Management:
The Control Objective A.11.1.2 Business Continuity and Impact Analysis has been modified into A.14.1.2 Business Continuity and Risk Assessment.

4. Process of assessment and registration

Step 1: Site visit by Business Advisor and Company Profile completed (Initial Enquiry)
Step 2: Fully costed proposal for the certification process (Quotation given)
Step 3: Formal application to BSI (Application submitted)
Step 4: Appointment of Information Security Assessment Team, 3 month notice period (Client Manager appointment)

4. Process of assessment and registration

Pre-Assessment Visit (Optional)
Step 5: Staged Assessment
- Stage 1
- Stage 2

4. Process of assessment and registration

Pre-Assessment Visit (Optional)

Gap-analysis audit to establish your state of compliance and readiness for assessment.


4. Process of assessment and registration

Step 5: Phased Assessment

Stage 1
- Scope of the management system
- Information Security Policy
- Risk Assessment method and results
- Selection of Controls
- Statement of Applicability

Time required for Stage 1: 1-2 days


4. Process of assessment and registration

Step 5: Phased Assessment

Stage 2

Assessment of the implementation of the information security controls and the operational management system.
Time required for Stage 2: 1-11 days
A maximum of 6 weeks may elapse between Stage 1 and Stage 2.

4. Process of assessment and registration

Focus at the initial audit, Stage 2:
- The assessment of information security related risks and the framework of the ISMS
- The Statement of Applicability
- The objectives and the targets obtained from the design process
- Performance monitoring, measuring, reporting and reviewing against objectives and targets
- Security and management reviews
- Management responsibility for the information security policy
- Links between policy, results of the security risk assessment, objectives and targets, responsibilities, programmes, procedures, performance data and security review

4. Process of assessment and registration

Specific elements of the audit are:
- For the client: to define the criteria by which information security threats and impacts are identified.
- For BSI: to require the client to demonstrate that their analysis is relevant and adequate.

4. Process of assessment and registration

Step 6: Corrective actions, review, certificate (Registration issued)

Step 7: On-going annual assessment
- Continual Assessment
- Tri-Annual Re-assessment

Integration with other management systems?


4. Process of assessment and registration

Major nonconformities:

The absence of, or the repeated failure to implement and maintain, one or more required management system elements, or a situation which would, on the basis of objective evidence, raise significant doubt as to the capability of the ISMS to achieve the security policy and objectives of the organization.

If any kind of nonconformity is identified, corrective action must be carried out and a reassessment will be necessary. Corrective action must be launched and work on it started within 30 days of the initial audit. A maximum of 6 months may elapse between the initial assessment and the follow-up assessment.

5. Certification Benefits

- External audits ensure that security disciplines are maintained
- Reduced risk of material and commercial losses
- Use of the BSI Registered symbol
- Maintain legal compliance
- Marketing tool

6. BSI Presence and abilities in Romania

- 2004: At the Information Security Expert Conference (1st Edition), arranged by PROVISION, BSI presented the ISMS Implementation Roadmap according to BS 7799 Part 2
- 2005: PROVISION and BSI held two sessions of the BS 7799 ISMS Implementation Course, one session of the BS 7799-2 Lead Auditor Course and one session of the ISO/IEC 27001:2005 Lead Auditor Course

Abilities
- 2 persons Certified BS 7799 Lead Auditor
- 2 persons Certified ISO/IEC 27001 Lead Auditor

7. Next Steps

- Enquiry
- Preliminary Visit
- Company Profile
- Quotation
- Application
- Client Manager Appointed

Thank you for your attention!
