This FAQ (Frequently Asked Questions) provides explanation and guidance for those implementing the ISO/IEC 27000-series (“ISO27k”) standards.
If you have questions that you would like answered, please post a message on the ISO27k Implementers’ Forum or contact us directly and we’ll do our best to respond. We reserve the right to reproduce common questions and answers here for the benefit of all our visitors, although we will do so anonymously and in a generic sense.
We are neither infallible nor all-knowing so please bear with us if we take a while to respond and are sometimes a bit vague. If you are experienced in this field and have better, more precise or more accurate answers to questions noted below, by all means join and respond to queries on the Forum or get in touch. We appreciate the help!
Buying the ISO27k standards
Q: “Where can I obtain [insert name of standard here]?”
A: ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27006 and other published standards may be purchased from ISO or from the various national standards bodies (such as ANSI or the British Standards Institution) and/or a number of third party commercial organizations (such as IHS Technical Indexes, SAI Global and TechStreet). We have no ongoing commercial relationship with these organizations. There are several other sources - shop around for the best deals, for example by searching online.
If money is tight, it is worth checking the prices for localized/national versions of the standards. ISO sells the standards directly e.g. ISO/IEC 27002 costs ~200 Swiss dollars as a PDF or hardcopy. Several national standards bodies release translated versions of the standards in their local languages but all of them go to great lengths to ensure that the translations remain true to the original. Various commercial organizations sell the standards under license. SAI Global, for example, charges about US$180 for the ISO/IEC version of ISO/IEC 27002, or US$110 for the Australia and New Zealand Standards version, whereas the BSI charges about US$200 for the British version.
ANSI sells downloadable PDFs of ISO/IEC 27001 and ISO/IEC 27002 for just US$30 each (bargain!). 
Both ISO/IEC 27001 and ISO/IEC 27002 can be purchased in electronic softcopy and hardcopy formats. Hardcopies are easier to read on the train or discuss in meetings. Softcopies are ideal for online searching for specific controls and for cutting and pasting into your own policy documents etc. (subject to the copyright restrictions). In addition to the usual PDF downloads, standards bodies may license online (intranet) access to the standards, limited by the number of concurrent users - this may be suitable for organizations who implement the standards and want to give their employees instant access to the standards for reference.
Learning more about the ISO27k standards
Q: “I’m looking to find a book or college that teaches the ISO 27000 standard. I want to become a certified pro to help or consult companies on how to develop certified products and procedures. Is there an exam that I have to take? Any info will help.”
A: The best books on the ISO27k standards are the standards themselves - in other words, you should buy and read the standards (see above). Being standards, they are quite formal in style but readable and useful. If you are going to implement them, write policies based upon them etc. you will inevitably have to become very familiar with them so buy your copies and start reading!
There are two main parts:
ISO/IEC 27001 is the formal certification standard, the ‘Specification for Information Security Management Systems’. It is especially useful if you intend to become an accredited ISMS certification auditor - the usual way of doing that is to go through a training course run by one of the accredited ISMS audit and certification bodies such as the BSI, or by one of the various training and consultancy companies. These are generally called “ISO/IEC 27001 Lead Auditor” courses.
ISO/IEC 27002 is the ‘Code of Practice’, a practical standard with tons of advice for those designing and implementing an information security management system. The best way to learn ISO/IEC 27002 is to use it, which means going all the way through an implementation from planning to operations, auditing and maintenance. If you have no prior experience in information security, you should try to find an experienced mentor or guide. Professional organizations such as ISSA, ISF and ISACA can help. Once you have made a start on your implementation, please join the free ISO27k Implementers’ Forum to consult with your peers.
As to becoming a consultant, I advise you to start by building a solid technical understanding of IT, risk and control concepts. Advice for people who want to become IT auditors in the IT audit FAQ is useful for those planning to become “ISMS Lead Auditors” and is also pretty relevant to becoming an information security management specialist since the two fields are very closely related. Another excellent source is www.cccure.org, especially if you are considering becoming CISSP, SSCP or CISM qualified in information security management.
Further resources are listed on the books and links pages.
ISO/IEC acronyms and committees
Q: What does “ISO” mean? And what about “ISO/IEC”?
A: ISO is the short or common name of the global standards body known in English as the International Organization for Standardization. “ISO” is not strictly an abbreviation since the long name varies in different languages - it is in fact derived from the Greek word isos meaning equal. At least, that’s what we’re told.
IEC is the International Electrotechnical Commission, another international standards body that cooperates closely with ISO on electrical, electronic and related technical standards. Standards developed jointly with ISO are prefixed “ISO/IEC” although in practice most users [incorrectly] shorten it to “ISO”.
ISO/IEC also collaborate on some standards with other international organisations (both governmental and private sector) such as the ITU, the International Telecommunication Union. The ITU is primarily a trade body coordinating telecomms organizations to enable worldwide communications. It allocates radio frequencies, for example, to minimize co-channel interference and encourage the manufacture of radio equipment that can be used internationally.
Q: “What do ‘FDIS’ and those other acronyms prepended to draft ISO standards really mean?”
A: The acronyms indicate the stages reached by International Standards as they progress sequentially through the various committees and approvals:
PWI = Preliminary Work Item - initial feasibility and scoping activities
NP = New Proposal (or study period) - formal scoping phase
WD = Working Draft (1st WD, 2nd WD etc.) - development phase
CD = Committee Draft (1st CD, 2nd CD etc.) - quality control phase
FCD = Final Committee Draft - ready for final approval
DIS = Draft International Standard - nearly there
FDIS = Final Draft or Distribution International Standard - just about ready to publish
IS = International Standard - published!
A similar sequence applies to Technical Reports.
The process from PWI to IS normally takes between 2 and 4 years, given the attention to detail at every stage and the need for collaboration and consensus on a global scale. For example, when a WD is issued for comments, representatives of the national standards bodies that belong to ISO or IEC (known as “Member Bodies” or MBs within ISO but “National Committees” or NCs in IEC) typically have ~3 months to review the document, discuss it amongst themselves and submit formal comments. If the comments are unfavourable or complex, an updated WD is normally released for a further round of comments. When documents are stable, they are circulated for voting. Any of you with experience of getting formal documents such as security policies prepared, reviewed and approved by your management will surely appreciate the ‘fun’ involved in doing this in an international arena.
Published standards are reviewed every five years or less.
Q: “What is meant by JTC/1 SC27 and what are WGs?”
A: As you might expect, an international body developing and coordinating a vast range of technical standards on a global basis has evolved a correspondingly vast bureaucracy to manage and share the work. Member Bodies normally participate in the development of standards through Technical Committees established by the respective organisation to deal with particular fields of technical activity. The ISO and IEC Technical Committees often collaborate in fields of mutual interest. IT standardisation presents unique requirements and challenges given the pace of innovation therefore, in 1987, ISO and IEC established a Joint Technical Committee ISO/IEC JTC 1 with responsibility for IT standards.
JTC1’s purpose is “Standardization in the field of Information Technology” which “includes the specification, design and development of systems and tools dealing with the capture, representation, processing, security, transfer, interchange, presentation, management, organization, storage and retrieval of information.” While there is general agreement that information security is a superset of IT security, the fact that the ISO/IEC committee is IT specific means that the ISO27k information security standards are in fact labelled IT standards.
In ISO-speak, “SC” is a “Sub-Committee”. SC27 is the main (but not the only!) ISO Sub-Committee responsible for IT security standards. SC27 is a Sub-Committee of ISO/JTC1. SC27, in turn, has carved up its workload across five WGs (Working Groups):
SC27/WG1 - Information Security Management Systems: responsible for developing the ISO27k family, in particular the core ISMS specification ISO/IEC 27001 and the code of practice ISO/IEC 27002;
SC27/WG2 - Security Techniques and Mechanisms: cryptography, algorithms, authentication, key management, digital signatures and all that;
SC27/WG3 - Security Evaluation Criteria: Common Criteria, evaluation methods, protection profiles, security capability maturity models etc.;
SC27/WG4 - Security Control Objectives and Controls: responsible for a variety of existing standards covering intrusion detection, IT network security, incident management, ICT disaster recovery, use of trusted third parties etc. and new areas such as business continuity, application security, cybersecurity and outsourcing;
SC27/WG5 - Identity Management and Privacy Technologies: does pretty much exactly ‘what it says on the tin’ (the title is self-explanatory). Includes biometrics.
As if that wasn’t complicated enough, there are also “Other Working Groups” (OWGs), “Special Working Groups” (SWGs), “Rapporteur Groups” (RGs, advisors), “Joint Working Groups” (JWGs), Workshops and the IT Task Force (ITTF). [There is presumably a CRfA (Committee Responsible for Acronyms) somewhere in ISO/IEC land!].
It is conceivable that WG1 may split away from SC27 as a Special Committee for governance, not a bad idea given the volume of work involved in developing new ISO27k standards and reviewing those already issued. However, this has not happened yet and was not discussed at the SC27 meeting in Kyoto in April 2008.
Please note: this website is independent of and does not belong to, nor is it endorsed by or affiliated with, ISO/IEC. Please read the disclaimer for more.
Keeping up with security standards developments
Q: “How can I keep up with developments to the ISO 27000-series standards?”
A: First of all, check out some of the ISO27k newsletters and sign-up to any that provide useful information as opposed to merely promoting specific products.
Next try Googling ISO/IEC 27000 or related terms. You’ll find helpful articles such as this from the UK’s National Computing Centre.
Professional information security-related organizations such as ISSA and ISACA are increasingly publishing articles on ISO/IEC 27001/2 etc.
Finally, don’t forget to bookmark this website and call back every month or so. And if you discover some news before we publish it here, please share it with our community of readers.
Q: Can I see draft ISO/IEC standards? Can I contribute to them?
A: If you would like to get involved in contributing to, reviewing and commenting on the ISO/IEC 27000-series standards, contact your national standards body and get in touch with the person, team or committee working with JTC1/SC27 on the information security standards. There is a genuine chance for experienced professionals to influence the future directions of ISO27k if they are prepared to put in the effort and collaborate with colleagues around the world. Don’t wait for the published standard to raise your criticisms and improvement suggestions!
Q: “How can I get involved in the development of security standards?”
A: Contact your local national standards body (e.g. BSI, NIST) to find out about any special interest groups and committees working in the information security arena. If you can spare the time to get involved with standards specification, development and/or review, contact your local ISO/IEC JTC1/SC27 representative/s to volunteer your services.
A quiet word of warning though: the ISO/IEC security Sub-Committees and Working Groups are extremely busy and produce lots of paperwork. Responding to queries from members of the public has to be slotted-in with other duties. If you get involved, be prepared to lose a substantial chunk of your free time reading, reviewing and contributing to draft standards. It’s fun though!
Getting started on ISO27k implementation
Q: “What is really involved in becoming ISO/IEC 27001 certified?”
A: See the overview ISMS implementation and ISO/IEC 27001 certification process diagram.
The flow chart gives a high level view of the major steps in the process. This is a generic diagram - the details will vary from situation to situation. The main activities are as follows:
Get management support - easier said than done! This typically involves raising management’s awareness of the costs and benefits of having an ISO/IEC 27001 compliant ISMS. A great way to start is to raise management’s awareness of some of the key current information security risks and potential good practice controls (drawn from ISO/IEC 27002) that are not yet in place, perhaps through a “gap analysis” (outline risk assessment) followed by a business case and/or strategy for the security improvement (ISMS implementation) program.
Define ISMS scope - what businesses, business units, departments and/or systems are going to be covered by your Information Security Management System?
Inventory your information assets - the inventory of information systems, networks, databases, data items, documents etc. will be used in various ways e.g. to confirm that the ISMS scope is appropriate, identify business-critical and other especially valuable or vulnerable assets etc. (more below)
Conduct an information security risk assessment - ideally using a recognized formal method but a custom process may be acceptable if applied methodically. There’s more advice below.
(a) Prepare a Statement of Applicability - according to the draft ISO/IEC 27000, the SOA is a “documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS”. Which control objectives in ISO/IEC 27002 are applicable to your ISMS, and which are irrelevant, not appropriate or otherwise not required? Document these management decisions in your SOA; and in parallel ... (b) Prepare a Risk Treatment Plan - the draft ISO/IEC 27000 describes the information security RTP as “a plan that identifies the appropriate management actions, resources, responsibilities, timeliness and priorities for managing information security risks”.
Develop ISMS implementation program - given the scale, it is generally appropriate to think in terms of an overall program of individual projects to implement various parts of ISO/IEC 27002, for example one project for each of the main sections of the standard. Which resources can you call upon, direct, use, borrow or persuade to build or supplement your core ISMS implementation team? You will probably need experienced information security professionals (particularly to lead the team) and support from a variety of related functions such as Internal Audit, Risk, Compliance, HR, Finance and Marketing, not just IT. You are advised to plan the work in risk-priority order where possible, i.e. tackle the biggest risks early so that, whatever happens to your program of work in practice, it has had a good go at knocking down the main issues and can demonstrate real progress. Also, early wins are a source of helpful positive feedback: this is an important aspect of the program, which has to be seen to be effective by management as well as actually being effective. If all the program does is interfere with business, annoy managers and cost a packet, it is hardly going to be on the shortlist of “things we really must keep doing next year”!
Run the ISMS implementation program - through the individual project plans, the implementation team sets to work to implement the controls identified in the RTP. Conventional program and project management practices are required here, meaning proper governance, planning, budgeting, progress reporting, project risk management and so forth. If the program is large, seek professional program management assistance.
Operate the ISMS - as each project in the program fills in part of the ISMS, it hands over a suite of operational security management systems and processes, accompanied by a comprehensive set of policies, standards, procedures, guidelines etc. Operating the ISMS is an ongoing activity for the organization, not a one-off project! The Information Security Management function needs to be established, funded and directed, and many other changes are likely to be required throughout the organization as information security becomes part of the routine.
Collect ISMS operational artifacts - the ISMS comprises a framework of security policies, standards, procedures, guidelines etc., and it routinely generates security logs, log review reports, firewall configuration files, risk assessment reports etc. ... all of which need to be retained and managed. These artifacts are crucial evidence that the ISMS is operating correctly. You need to build up sufficient artifacts to prove to the auditors that the system is stable and effective.
Review compliance - are you doing what you said you were going to do? Section 15 of ISO/IEC 27002 covers compliance with internal requirements (policies etc.) and external obligations such as laws and regulations. The ISMS itself needs to incorporate compliance testing activities, resulting in the generation of reports and corrective actions. Internal compliance assessments are therefore a routine activity for a mature ISMS. The ISMS operational artifacts are a major source of evidence for this and other compliance activities.
Undertake corrective actions - to improve the ISMS and address risks. The “Plan-Do-Check-Act” Deming cycle is central to the ‘management system’ part of ISMS and results in continuous alignment between business requirements, risks and capabilities for information security.
Conduct a pre-certification assessment - when the ISMS has stabilized, a certification body or other trusted, competent and independent advisor is invited by management to check whether the ISMS is functioning correctly. This is largely a compliance assessment but should ideally incorporate some independent review of the SOA and RTP to make sure that nothing important has been missed out of the ISMS, especially as the business situation and information security risks have probably changed in the months or years that it will have taken to implement the ISMS.
Certification audit - when management is happy that the ISMS is stable and effective, they select and invite an accredited certification body to assess and hopefully certify that the ISMS complies fully with ISO/IEC 27001. The auditors will check evidence such as the SOA, RTP, operational artifacts etc. and will attempt to confirm that the ISMS (a) is suitable and sufficient to meet the organization’s information security requirements in theory, i.e. it is correctly specified; and (b) actually meets the requirements in practice, i.e. it is operating as specified.
Q: “I have been asked to work on ISO 27001, because my company is looking to be certified against ISO 27001. I do not know how to start or how to write documentation, because I have not done that before. I have gone through ISO 27002, which is general rules, but I cannot translate that to match what I have at work (real life). Any guide or advice?”
A: There is no definitive answer for your question: 'it all depends' is the classic consulting advice. The diagram and outline above should give you a reasonable idea of the overall process and the key documents that will be required or produced. However, the details vary in each organization. Take a look at the ISO27k Toolkit for more advice.
If you already have a security policy manual, for instance, the specified controls may well address most of the risks in scope of ISO/IEC 27002, in which case you need to work more on the implementation and compliance side, having reviewed the manual for currency and suitability.
If your organization is just setting out on the path towards having an ISMS, you will probably need to start with management understanding in order to justify the financial expense and changes associated with the program of work ahead - i.e. prepare your plan, business case and/or strategy. Think about it, document it, circulate it for comment and build executive support. Deal with the inevitable objections as best you can, don't just ignore them.
Get some professional help with the program management, project planning etc. unless you are a wizard with these things. Take suggestions from sources within the organization: most people are flattered simply to be asked their professional opinion.
How will you obtain sufficient dedicated budget to achieve what needs to be done and how will you deal with the probable shortfall between ideal and actual funding? If you define your strategy as an investment proposal or business case, you will need to track projected and actual costs and benefits to demonstrate the net value of the program. This implies designing and implementing a comprehensive suite of information security metrics, either up-front or behind the scenes as the program continues.
Q: “What are the differences between the Statement of Applicability (SOA), Risk Treatment Plan (RTP) and Action Plan (AP)?”
A: The SOA is your formal definition of the controls listed in ISO/IEC 27002 that are relevant to your ISMS. There needs to be some rationale to explain your reasoning and persuade the auditors that important decisions were not made arbitrarily. Be ready for some robust discussions if you decide not to implement common controls, or to accept significant risks.
The AP and RTP seem similar at first glance but the AP is normally a development/contraction of the RTP. The RTP systematically identifies the controls that are needed to address each of the identified risks from your risk assessment, whereas the AP (or program plan or project plans) says what you are actually going to do - who will do it, by when, and how. A single control, especially a baseline control such as physically securing the organization's perimeter, may address numerous risks and so may appear multiple times in the RTP but hopefully only once in the AP when it is designed, implemented, verified and ‘operationalized’ (horrid word!).
ISO/IEC 27000 should help resolve any remaining confusion when it is released.
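As an added illustration (not from the FAQ or the ISO27k Toolkit), the Python below derives the three documents from the same risk assessment output so the difference is visible in data: the RTP lists a control once per risk it treats, the AP lists each control once with an owner and deadline, and the SOA records for every catalogued control either the risks that make it applicable or management's justification for excluding it, flagging controls that have neither. The risks, owners, dates and the catalogue subset are constructed sample data; the control references follow the ISO/IEC 27001:2005 Annex A numbering.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    rating: str       # qualitative rating from the risk assessment
    controls: tuple   # Annex A control references selected to treat this risk


@dataclass(frozen=True)
class RtpEntry:
    risk_id: str
    rating: str
    control_id: str


# Constructed sample output of a risk assessment (not real organisational data).
RISKS = (
    Risk("R1", "Unauthorised entry to the server room", "High", ("A.9.1.1", "A.9.1.2")),
    Risk("R2", "Laptop stolen while off-site", "Medium", ("A.9.1.1", "A.9.2.5")),
    Risk("R3", "Malware delivered by email attachment", "High", ("A.10.4.1", "A.10.8.4")),
)

# Constructed: the subset of Annex A controls this example SOA has to decide on.
CATALOGUE = ("A.9.1.1", "A.9.1.2", "A.9.2.5", "A.10.4.1", "A.10.8.4", "A.10.9.1")

RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def build_rtp(risks):
    """RTP: one row per (risk, control) pair, highest-rated risks first.
    A baseline control that treats several risks appears once per risk."""
    rows = [RtpEntry(r.risk_id, r.rating, c) for r in risks for c in r.controls]
    return sorted(rows, key=lambda e: (RATING_ORDER[e.rating], e.risk_id, e.control_id))


def build_ap(rtp, owners, due_dates):
    """AP: each control appears exactly once, with who implements it, by when,
    and which RTP risks it treats. Priority is inherited from the highest-rated
    risk the control addresses."""
    plan = {}
    for e in rtp:
        item = plan.setdefault(e.control_id, {
            "owner": owners[e.control_id], "due": due_dates[e.control_id],
            "priority": e.rating, "treats": []})
        item["treats"].append(e.risk_id)
        if RATING_ORDER[e.rating] < RATING_ORDER[item["priority"]]:
            item["priority"] = e.rating
    return plan


def build_soa(catalogue, rtp, exclusions):
    """SOA: every catalogued control is either applicable (justified by the risks
    it treats) or excluded with a documented management rationale.
    Returns (entries, gaps); gaps are controls with neither, i.e. decisions an
    auditor would regard as undocumented."""
    selected = defaultdict(list)
    for e in rtp:
        selected[e.control_id].append(e.risk_id)
    entries, gaps = [], []
    for cid in catalogue:
        if cid in selected:
            entries.append({"control": cid, "applicable": True,
                            "justification": "Treats " + ", ".join(sorted(set(selected[cid])))})
        elif cid in exclusions:
            entries.append({"control": cid, "applicable": False,
                            "justification": exclusions[cid]})
        else:
            gaps.append(cid)
    return entries, gaps


if __name__ == "__main__":
    rtp = build_rtp(RISKS)
    owners = {c: "Facilities" if c.startswith("A.9") else "IT Operations" for c in CATALOGUE}
    due = {c: "2008-12-31" for c in CATALOGUE}  # constructed deadline
    ap = build_ap(rtp, owners, due)
    soa, gaps = build_soa(CATALOGUE, rtp, {"A.10.9.1": "No e-commerce services in ISMS scope"})
    print(f"RTP rows: {len(rtp)}  AP items: {len(ap)}  SOA entries: {len(soa)}  undocumented: {gaps}")
```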
Q: “In order to conduct a risk assessment, we need a list of all of our ‘information assets’. What kinds of things should be included in the list?”
A: You need to start with a reasonably comprehensive inventory of your information assets. Information assets may for example be categorized under the following generic headings:
Pure/intangible information assets (content, data, knowledge, expertise);
Software assets (commercial, bespoke or internal/proprietary applications, middleware, operating systems etc.);
Physical IT assets (computers, routers, disks etc.);
IT service assets - see ITIL (ISO 20000);
Human information assets (“people are our greatest assets” is actually true when considering their skills, expertise and unwritten knowledge).
The classification is based on a list originally submitted to the ISO27k Implementers’ Forum. A much more comprehensive version of this list is now available in the free ISO27k Toolkit.
Q: “What will be covered in our security policy?”
A: It’s up to you - well, strictly speaking, it's up to your management. See section 5 of ISO/IEC 27002.
My personal preference is for a comprehensive security policy manual following the structure of ISO/IEC 27002 and supported by technical standards (e.g. “Baseline security standard for Windows 2003”), procedures and guidelines:
I find the 39 control objectives in ISO/IEC 27002 make an excellent comprehensive yet succinct set of policy axioms, albeit with the wording adapted to reflect what management actually wants to achieve in relation to the organization’s business objectives. Taken together, the 39 axioms comprise a useful ‘overarching security policy statement’ that summarizes and forms a solid basis for the entire policy suite.
Some may wish to include generic statements of security principles at an even higher-level (e.g. the principles of least privilege and defense-in-depth). There are just a handful.
Two styles of policies are common:
Individual policies covering specific security issues such as “Email security policy” and “Network access control policy”. Typically these are quite formally worded and define the security responsibilities of key groups, functions, teams or people. They may include introductions and explanations to aid reader comprehension, and should reference relevant documents at higher and lower levels of the policy hierarchy.
A comprehensive policy manual containing succinct policy statements reflecting the whole of ISO/IEC 27002, with numerous embedded cross-references between related policy statements and to related axioms, standards, procedures and guidelines. The manual functions as a master index for the entire policy suite, which helps avoid overlaps, gaps and (worst of all) conflicts.
Many organizations use both styles of policy.
The axioms, if not the principles and detailed policies, should be formally reviewed and mandated by senior management to endorse the entire security programme. Don't neglect the value of senior management support, right from the start. The programme will most likely lead to changes to working practices and systems throughout the organization so management must be aware of the overall objectives and support the changes when it comes to the crunch. Consider starting with security awareness activities targeting the CIO and her peers: build your cohort of supporters by talking in strategic business terms as much as possible (e.g. do you have a documented business case for the security work?).
Finally, the whole policy suite should be put online on the corporate intranet, ideally through a dedicated security policy management system or wiki, for two good reasons:
The online set becomes the definitive reference - no more wondering about whether printed policies are still current or have been superseded. Other online policies should be ruthlessly hunted down and eliminated;
Everyone can refer to the policies etc. easily, cross-referencing between them or to/from other items using URLs and hyperlinks.
Q: “Should the risk assessment process cover all information assets?”
A: It's probably too much work to risk-analyze everything in depth so consider instead a two-phase process:
A broad but shallow/high-level risk assessment to categorize all your information assets and distinguish those that deserve more in-depth risk analysis from those that will be covered by baseline information security controls;
A detailed risk analysis on individual higher-risk assets or groups of related assets to tease out the specific supra-baseline control requirements.
Document “everything” e.g. management decisions about the categorization process. There’s more advice on inventories above.
Q: “Will the security controls we have already implemented be sufficient for the final ISO 27001 certification?”
A: Unlikely, unless your organization already has a full suite of mature best practice security controls, supporting a comprehensive ISMS! Controls already in place are unlikely to be wasted but (in my experience) will probably need improvements, most likely documentation for a start and probably some extensions to cover the whole breadth of ISO/IEC 27001 or ISO/IEC 27002. Identifying and initiating any necessary security improvements is the first step towards a true self-sustaining ISMS. This process will eventually become a routine part of maintaining your ISMS.
Q: “What documents are normally part of an ISMS?”
A: Please visit our ISO27k Toolkit page for a checklist of typical ISMS documents and examples/samples. We (being members of the ISO27k Implementers’ Forum) are working to produce a more comprehensive suite of samples/examples of each type of document. If you own materials that you are willing to donate to the cause, please get in touch.
Information security risk analysis
Q: “We are just starting our ISO27k program. Which information security risk analysis method should we use?”
A: The ISO/IEC ISMS standards do not specify a particular risk analysis method, giving you the flexibility to select a method, or more likely several methods, that suit your specific requirements.
When released (during 2008, hopefully), ISO/IEC 27005 will offer general advice on choosing and using risk analysis methods.
It is difficult to recommend a particular method or toolset without knowing more about your organization in terms of its experience with risk analysis and information security management, size/complexity, industry and so on. Instead, here are some common information security risk analysis methods, standards and tools (in no particular order) that you might care to evaluate:
AS/NZS 4360:2004: a well-respected risk management standard published jointly by Standards Australia and Standards New Zealand;
CRAMM: “CCTA Risk Assessment and Management Methodology” was originally developed for UK Government use but has since been commercialised and the IP is now owned by Insight Consulting, part of the global Siemens group;
HB 436:2004: risk management guidelines are designed to accompany and expand on AS/NZS 4360. HB 436 includes the text of the standard and is available as a package deal along with a full copy of AS/NZS 4360;
ISO 31000 is a draft ISO standard based on AS/NZS 4360 and others such as COSO-ERM. It provides guidelines on the principles and implementation of risk management in general (not IT or information security specific). ISO 31000 is intended to provide a consensus general framework for managing risks in areas such as finance, chemistry, environment, quality, information security etc. Publication is due at the end of June 2009;
MAGERIT “Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información” is available in Spanish and English;
Mehari: a risk analysis and management method developed by CLUSIF (Club de la Sécurité de l'Information Français);
Microsoft’s security risk management guide consists of a 129-page document and a set of Excel worksheets delivered as a typical Windows installation package. The process (outlined below) combines quantitative and qualitative analysis, return on security investment (ROSI) and other best practices. The Microsoft Security Assessment Tool (MSAT) partially automates the process through more than 200 questions covering infrastructure, applications, operations, and people;
NIST SP 800-30: NIST’s Risk Management Guide for Information Technology Systems is a free 55-page PDF download;
NIST SP 800-39 “Managing Risk from Information Systems - An Organizational Perspective” is currently available in draft. NIST welcomes feedback comments and improvement suggestions;
OCTAVE: “Operationally Critical Threat, Asset, and Vulnerability Evaluation” is a risk-based strategic assessment and planning technique for security, owned/managed by CERT;
Others: if you know of other information security risk analysis tools and methods worth including in this FAQ, please get in touch;
DIY: do-it-yourself is a genuine alternative, not just a straw man. It involves using risk analysis methods with which you or your organization are already familiar, perhaps even those that are not normally used to examine information security risks. Most if not all organizations have to examine and respond to all sorts of risks routinely. Many use informal/unstructured techniques such as risk workshops and brainstorming, coupled with more structured and rigorous methods as necessary. Maybe your existing risk analysis methods, processes and tools are already being used or could be adapted to examine information security risks? Provided they are sufficiently documented, rational, comprehensive and stable (meaning the results are reasonably repeatable), the ISO/IEC 27001 auditors may be persuaded that your organization understands its information security risks well enough to design a solid management system.
We have no commercial relationship with any of the vendors or products listed above. We are not recommending them, merely providing some options for you to consider. Your evaluation criteria are likely to include factors such as:
Quantitativeness. Few information security or risk management professionals would recommend truly quantitative analysis of information security risks due to the shortage of reliable data on incidents (probabilities and impacts). However, opinions vary on the rigor with which qualitative methods should be applied. For example, some favor quick/simple qualitative risk assessments, followed by risk analysis on selected ‘high risk’ areas using more detailed and hence more quantitative methods;
Scope. Are you purely looking at “information security risks”, or risks in a broader context? What do you really mean by “information security risks” in any case? And which information assets are you concerned with? These questions are very much linked to the scope of your ISMS and need to be thrashed out by management in order to compile your Statement Of Applicability (SOA);
Suitability and usability. Some methods use clever software to support those undertaking the analysis, whereas others are procedural or can be supported by generic tools such as spreadsheets. Clearly, therefore, they vary in the amount of technical expertise required to install and configure them. Similarly, some tools lead the user through the risk analysis process a step at a time, whereas others are more flexible but arguably assume more knowledge and expertise of the users;
Value. By this we mean the net benefits to your organization from the tool, set against the costs of acquiring and using the tool. Purchase price is just one factor. An expensive tool may be entirely appropriate for an organization that will get loads of value from the additional features. A cheap or free tool may prove costly to learn, difficult to use and limited in the features it offers ... or it may be absolutely ideal for you. Your value judgment and final selection is the end result of the evaluation process. You may even decide to adopt more than one!
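The two-stage approach mentioned under Quantitativeness (a quick qualitative screen of every risk, then more quantitative analysis only of the areas screened as high risk), as an added example that is not part of this FAQ: the 5x5 scales, the threshold, the loss-expectancy and ROSI formulas and the sample risks are all assumptions chosen for illustration.

```python
# Added example (not from the FAQ): the two-stage approach described above.
# Stage 1 screens every risk on a qualitative 5x5 likelihood x impact matrix;
# stage 2 applies more quantitative analysis (annualised expected loss and ROSI
# of a candidate control) only to risks screened as 'high'. Scales, threshold,
# formulas and the sample risks below are assumptions, not from the FAQ.
from dataclasses import dataclass

HIGH_THRESHOLD = 12  # assumption: qualitative score (1..25) that triggers stage 2

@dataclass
class Risk:
    name: str
    likelihood: int                   # 1 (rare) .. 5 (almost certain)
    impact: int                       # 1 (negligible) .. 5 (severe)
    annual_probability: float = 0.0   # stage 2: expected incidents per year
    loss_per_incident: float = 0.0    # stage 2: cost of one incident
    control_cost: float = 0.0         # stage 2: annual cost of candidate control
    control_effect: float = 0.0       # stage 2: fraction of expected loss removed

def qualitative_score(r: Risk) -> int:
    """Stage 1: likelihood x impact, a score from 1 to 25."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: ratings must be between 1 and 5")
    return r.likelihood * r.impact

def quantitative_analysis(r: Risk) -> dict:
    """Stage 2: loss expectancy before/after the control and ROSI, using the
    common definition ROSI = (loss avoided - control cost) / control cost."""
    ale = r.annual_probability * r.loss_per_incident
    ale_after = ale * (1.0 - r.control_effect)
    rosi = (ale - ale_after - r.control_cost) / r.control_cost if r.control_cost else float("inf")
    return {"ale": ale, "ale_with_control": ale_after, "rosi": rosi}

def build_risk_register(risks: list) -> list:
    """Screen every risk; analyse only the high-rated ones in more depth."""
    register = []
    for r in risks:
        score = qualitative_score(r)
        entry = {"name": r.name, "score": score,
                 "rating": "high" if score >= HIGH_THRESHOLD else "low/medium"}
        if entry["rating"] == "high":
            entry.update(quantitative_analysis(r))
        register.append(entry)
    return sorted(register, key=lambda e: e["score"], reverse=True)

SAMPLE_RISKS = [  # constructed sample input, not real incident data
    Risk("Ransomware on file servers", 4, 5, 0.5, 200_000, 30_000, 0.8),
    Risk("Laptop theft with unencrypted data", 3, 4, 1.0, 40_000, 8_000, 0.9),
    Risk("Website defacement", 2, 2),
]
```

Calling build_risk_register(SAMPLE_RISKS) returns the register sorted by qualitative score, with the loss and ROSI figures attached only to the two high-rated risks.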
Check the templates and samples page for a risk analysis spreadsheet and risk register, along with other helpful items generously contributed by members of the ISO27k Implementers’ Forum.
Certification against ISO/IEC 27001
Q: “How does my organization get certified against ISO/IEC 27002?”
A: It cannot - no organization is certified against ISO/IEC 27002. ISO/IEC 27002 is a code of practice containing general good practice guidance rather than prescriptive requirements. Your organization could be reviewed informally or even audited against ISO/IEC 27002 but ISO/IEC 27001 is the standard against which organizations are formally certified.
Q: “OK then, how do we get certified against ISO/IEC 27001?”
A: First obtain and read the standard. We recommend obtaining ISO/IEC 27001 (which is the 'certification standard' and summarizes the process of implementing an Information Security Management System ISMS) plus ISO/IEC 27002 (which gives more detail on the nature of the ISMS). ISO/IEC 27002 contains a reasonably comprehensive set of 39 key control objectives for information security and lists a whole load of 'best practice' security controls that are commonly used to satisfy those control objectives. I tend to speak of ISO/IEC 27002 as a 'menu' of information security controls from which you need to pick your 'meal'. You make your order (select the specific controls) using a risk analysis process which is briefly mentioned in section 4 of the standard, and is covered in more detail in yet another ISO/IEC standard, ISO/IEC TR 13335-3 (and will be covered by ISO/IEC 27005 later).
Next you need to plan and conduct the risk analysis noted above. In reality, you first need to set the scene with management and then line the whole organization up to ensure they engage with the risk analysis process. They need to be reasonably open to the concept of improving their information security controls and you will probably need to engage suitable risk/security experts to make this process as painless and effective as possible (hopefully you are lucky enough to have the resources on board already, otherwise you have to choose between building the competence in this area or buying-in expertise in the form of contractors/consultants). The risk analysis may be called a 'gap analysis' or 'ISO27k review' since it makes sense to compare your existing controls against the advice in the standard, looking for weaknesses and omissions.
Having completed the risk/gap analysis, you have the challenge of persuading senior management that they really do need to invest in information security, and of explaining the issues and risks that your analysis has identified in terms they appreciate. This is a tricky step, a balancing act: over-egg your dire predictions and they may back away saying you are being sensationalist. Underplay the security issues and they may not pay much attention to the need for improvements. It really helps to lean on someone with prior experience in this area. Management's appetite for addressing the issues you identify will determine the financing and priorities for the next step. If management say “no” at this point, you might as well reconsider your career options.
With management backing, you now implement the security improvements. Easier said than done! It could be a mere formality if your setup is already very security aware and competent in this area. It could be an extremely arduous job if you are starting from a low base, such as an organization which has habitually underinvested in information security, has made strategic changes in its use of, and dependence on, IT (e.g. it has started using the Internet for business processes/transactions and communications, rather than simply for promotional websites), or where there are no clear accountabilities for information security. It is impossible for me - or indeed for you - to say how long or how costly this phase will be for you until you have completed the previous steps.
With the improvements well under way and security gradually becoming an inherent part of business-as-usual, it's time to think forward towards ISO/IEC 27001 certification. Certification involves contacting a suitable accredited certification body to review your Information Security Management System ...
Q: “Who can certify us against ISO/IEC 27001?”
A: ANY certification bodies, registrars or whatever they are called, who have been properly accredited by their ISO/IEC-recognised national standards bodies' accreditation services (such as the United Kingdom Accreditation Service UKAS), are empowered to assess organizations for compliance with ISO/IEC 27001 and grant certificates of compliance. This is the beauty of international standards and the formal accreditation processes operated by ISO/IEC and the national standards bodies. “Accredited” means their certification practices have been checked to ensure that the certificates issued are legitimate, trustworthy and meaningful. If anyone could issue certificates, they would soon lose their value and be discredited. The formality in the process builds confidence.
As to whether a given certification body will be keen to travel to your particular location to do the certification audits, however, I guess that depends on the $$$ on offer. It's a free market so shop around. The formalized accreditation process means that there is no harm in going to a lesser-known certification body since (in theory at least) they all work to essentially the same quality and performance standards. Remember that ISMS certification bodies are strictly forbidden from also offering [lucrative] ISMS consultancy services to the same clients to avoid the obvious conflict of interest.
The UK Accreditation Service publishes details of certification bodies that are accredited to certify against ISO/IEC 27001, although there may well be others that have been accredited elsewhere. Check the final column in the table. If you know of other accredited certification bodies, please let us know.
The accreditation process (i.e. checking that certification bodies are competent and suitable to assess clients against ISO/IEC 27001) is itself the subject of ISO/IEC 27006.
Q: “How does the certification process work?”
A: The ISO/IEC 27001 certification process is essentially the same as that for ISO 9000 and other management systems. It is an external audit of the organization’s ISMS (Information Security Management System) in three main phases:
Pre-audit - having engaged an accredited certification body, they will request copies of your ISMS documentation, your policy manual etc. and may request a short on-site visit to introduce themselves and identify contacts for the next phase. When you are ready, they will schedule the certification audit itself by mutual agreement.
Certification audit - this is the formal audit itself. One or more auditors from the accredited certification body will come on site, work their way systematically through their audit checklists, checking things. They will check your ISMS policies, standards and procedures against the requirements identified in ISO/IEC 27001, and also seek evidence that people follow the documentation in practice (i.e. the auditors’ favorite “Show me!”). They will gather and assess evidence including artifacts produced by the ISMS processes (such as records authorizing certain users to have certain access rights to certain systems, or minutes of management meetings confirming approval of policies) or by directly observing ISMS processes in action.
Post-audit - the results of the audit will be reported formally back to management. Depending on how the audit went and on the auditors’ standard audit processes, they will typically raise the following (in increasing order of severity):
There will be periodic follow-ups (reassessments) every few years after the initial certification for as long as the organization chooses to maintain its certification.
Q: “How can we confirm the implementation of controls selected in the Statement of Applicability?”
A: If the auditors are coming, they should be able to check that your identified ISMS controls are truly in operation, not merely listed as such in some dusty old policy manual or intranet website. Evidence is key! This is the reason that it's best if possible to hold off the certification auditors for a few months after the ISMS is considered “done”, in order to build up your ‘stock’ of evidence demonstrating that the processes are operating correctly, in addition to letting the processes bed-in. For example, you need to have experienced at least one incident to confirm that the incident management process actually works in practice and is not just a fine set of words in your ISMS policy manual. This is analogous to the situation with ISO 9000 where the auditors typically check that genuine quality issues have been identified through quality reviews etc., addressed following the stated QA processes and resolved, not just that you say you will deal with them in a certain way should they ever happen.
Clearly, it is not reasonable to wait for a complete disaster to check that your contingency planning processes function correctly - there are pragmatic limits to this principle, thankfully! But you should probably have completed at least one contingency planning exercise or Disaster Recovery test including the vital post-test washup to identify things that need fixing. For many common security controls that are in action all the time (e.g. antivirus, access controls, user authentication, security patching), the auditors will want to check the evidence (they may call them “artifacts” or “records”) relating to and proving operation of the information security management processes in action.
Remember, an ISMS is for life, not just for the certification process.
-- End of FAQ --
Feel free to submit further questions and (especially) more comprehensive answers. We are only human. If you see errors in the FAQ or want to add to what we say here, go ahead - share your knowledge for the benefit of us all!