Anyone gone through ISO 27001?

Dale_tem

It is looking like we will have to go through this. Any tips or advice? Did you use anyone?
 
Not gone through a formal certification, but I was responsible for producing an IS policy for a large financial institution which was based on BS 7799 (forerunner of ISO 27001).

I'd ask myself (1) WHY are you going for certification and (2) do you need it for the whole organisation or just some departments?
 
Small company, so we all need to go through it, and we need to as it is a project with the government.
 
I successfully implemented our ISO27001:2005 ISMS back in April 2011 and have just gone through the 3 year re-certification audit last month. Our organisation needed it to satisfy our major stakeholder - DWP.

What do you want to know?
 
Purchased and downloaded the pack from ISO_Org and it is pretty s***e on detail: adequate this, adequate that etc., without any detail. Is there anywhere to find out what is adequate, or the requirements etc.?

Who did you use to audit you, would you recommend them?

Thanks for the help :)
 
Hi, just to point out that you will need to commit to significant expenditure and resource going for an ISO certification - it is not easy and is time consuming. Obviously the size of your organisation and scope will have a bearing but the route to certification (stage 1, stage 2, continuing assessment visits, management fees and re-certification every 3 years) is not cheap or quick - we took about 9 months to get the certificate on the wall.

I initially purchased a copy of 27001 (the clauses) and 27002 (the Annex A control guidance) standards - these are the 'bibles' and what the auditor will be looking to evidence compliance against. Know them inside out, back to front and upside down. The clauses have shall and shall not statements - this is telling you what you need to do to meet the requirements. 27002 is the guidance on what each control comprises and examples of what to implement.

Your next step is to consider a gap analysis to understand how ready you are and how much work you've got to do. The biggest challenge will be a culture shift of your staff. Remember 27001 is not just about computers and IT - it is about 'information security' - your information assets and information processing facilities will include IT, people, hard copy and electronic data, premises, intangibles like reputation, your intellectual property, software etc.

It is also more than just data protection - the principles are about protecting the Confidentiality, Integrity and Availability of Information and Information Assets - or CIA for short.

The biggest weakness and vulnerability will always be your staff - no matter how many layers of controls (technical, physical security, policy and procedures) you put in place, humans will be the ones who F it up and cause a security breach.

I can thoroughly recommend IT Governance for training, consultancy, and to purchase copies of the standards, books etc. We used them back in 2010 for initial gap analysis consultancy, document toolkit and training. We continue to use them every 6 months as part of our internal audit programme and have a very good relationship.

For the actual certification we went with BSI - as I said, the certification process is not cheap, and DO NOT be tempted to go with a shortcut company like QMS. Reputable certification companies have to adhere to regulatory bodies (UKAS/Certification Europe) and codes of conduct. The validity of a 27001 certificate is 3 years - DO NOT go with a company (like QMS) who says they can get you a 27001 certificate in about 2 weeks, without understanding your business, and that the certificate is valid 10 years - this is not worth the paper it's written on.

Whenever I do due diligence on a supply chain partner who says they have an ISO and it is with QMS, we laugh and reject them politely :)

BSI also do 27001 training and their courses are also good (I also successfully implemented ISO14001 environmental management and used them for the training).

Not to forget that 27001 was updated in October 2013 and is now ISO27001:2013, so make sure any courses, materials and copies of the standards refer to 2013, not 2005. We are currently going through a transition to the newer version, but it would be short-sighted for you to implement a 2005 ISMS now as you are going for it from scratch.

I am called Mr ISO at work for some reason!

If you want to chat then PM me your number/email address and I'll gladly offer some more 'free' consultancy when I'm back at work next week (y)
 
Thank you, thank you, thank you.

I will download 27002 and read. I will also check BSI out and get back to you. :)
 