Overview of ISO27001 Consultancy
What is ISO 27001:2005? What is ISO 27002?
Why do organisations implement an ISMS?
What does committing to establishing an ISMS involve?
What does an ISMS Structure look like?
What is ISO 27001:2005?
ISO 27001:2005 was formally a British standard (BS: 7799) and is the de-facto international standard on establishing, operating and maintaining and Information Security Management System (ISMS).
The standard is structured into two sections 1) S.4-S.8 which is the mandatory sections of the standard and details specific processes and policies which must be adhered to in order to gain formal certification and 2) Annex A of ISO 27001:2005 which covers the following 11 security sections:
- Security Policy
- Organisation of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
These 11 security sections are made up of 133 information security control objectives, not all 133 controls need to be implemented by an organisation in order to gain certification, an organisation should select the controls it requires on the back of a formal risk assessment and also on what it deems as best practice for the industry it operates in.
For further information, please download The Principles of ISO27001.
What is ISO 27002?
ISO 27002 (formally ISO/IEC 17799:2005) is an expansion on Annex A of ISO 27001:2005 and is a best practice guidance document (code of practice) for information security control objectives covering (in detail) the 11 security sections listed above.
ISO 27002 provides a strong and expanded (on Annex A ISO 27001:2005) framework for information security management.
Useful Downloads
The PCI Standard and How ISO 27001 Aids Compliance Datasheet
Money Laundering Regulations 2007 and the Relationship to ISO 27001:2005 Datasheet
RPMI Case Study
Devon County Council Case Study
NHS Fife Case Study
Why do Organisations Implement an ISMS? 
Intellectual property and other sensitive or business critical information is the life blood of companies and with an ever increasing number of security breaches being reported, companies need to protect themselves and their customers.
The ability to respond quickly to any information security breaches or incidents is one of the key clauses in ISO27001:2005. The ability to minimse the opportunity for incidents to occur is a major advantage for an organisation and it’s service resilience.
Organisations realise the risks to its information is the fastest growing business issue. Continuous monitoring for constant vigilance is now a business or service necessity and a culture of security is vital for organisations to survive in the modern world and the rapidly changing environment.
Compliance to the standard is becoming an increasing requirement from customers and the government.
For further information, please download Information Security Management - The Importance of ISO27001 Compliance.
What does committing to establishing an ISMS involve?
By establishing ISMS an organisation expresses its commitment to operating an information security framework that:
- Ensures that a high level corporate information security policy exists
- Creates an organisational structure to ensure that roles and responsibilities for information security management are established
- Ensures that personnel security issues are highlighted and controlled
- Ensures that an information assets register is created
- Validates the adequacy of physical and environmental security arrangements
- Validates the adequacy of IT technical security measures including communications and operational procedures; logical access controls; systems development and maintenance arrangements; vulnerability management,
- Ensures physical security measures are appropriate
- Validates the existence or adequacy of business continuity and Disaster recovery arrangements
- Ensures that there is an ongoing compliance and monitoring mechanism in place
What does an ISMS Structure look like?
The diagram details the mandatory ISMS document and management system structure.
Please download the CAS (Computer Application Systems) Case Study for further information on how Sapphire helped CAS to implement a fully operational ISMS which was fully integrated with its existing certified ISO9001 quality management system .
“Working with Sapphire enabled us to streamline our current security procedures. Their guidance allowed us to look at our existing procedures and focus on the important aspects of the ISMS, for example proper risk analysis and to quantify and qualify the security of every asset.” Pete Murray, Information Security Manager at CAS
