ISO/IEC 27001 FAQ Frequently Asked Questions and Answers

What is ISO27001?

ISO 27001:2013 is a standard for information security that provides a management framework and security controls to better secure information for organizations.

How to be ISO 27001 Certified?

An organization can become ISO 27001:2013 certified by successfully completing the certification process as mentioned above. Preparation for certification requires the establishment of an Information Security Management System that meets the requirements of the ISO 27001:2013 standard.

Why get ISO 27001 Certification?

An ISO 27001:2013 certification provides numerous benefits to an organization:

  • Evidence that the organization has a program in place to manage information security
  • The framework may be used to manage multiple compliance requirements, such as NIST, PCI, and FedRAMP, which affect the organization and can cause resource constraints if they are not well integrated
  • Cyber security is an evolving challenge; ISO 27001 may be used to manage constant change and growing security needs as technology advances and security practices must keep ahead of emerging threats
  • Provides a framework for aligning people, processes, and technology with organizational requirements

Differences between ISO 27001 and 27002?

ISO 27001 is the standard that an organization seeks certification against, while ISO 27002 is the code of practice that provides additional implementation guidance for the security controls identified in Annex A of ISO 27001:2013.

Differences between ISO 9001 and 27001?

ISO 9001 focuses on quality, while ISO 27001 focuses on information security. Both standards share a common framework, which allows them to be integrated to manage quality and security concerns together.

Why do a Risk Assessment?

An information security risk assessment is an evaluation of your organization’s vulnerabilities against the common areas that require security controls to manage internal and external threats to your data. Understanding your risks is the first step in deciding what level of control is needed to reduce them to an acceptable level and better protect the confidentiality, integrity, and availability of your organization’s critical information and assets.

What is an ISO 27001 Audit?

An ISO 27001 audit is an internal or external audit that evaluates the organization’s Information Security Management System against both its internal requirements and the ISO 27001:2013 standard. It determines how well the organization is using its information security policies and controls to manage vulnerabilities and protect against threats that pose a risk to the organization and to the confidentiality, integrity, and availability of its information.

What is an ISMS?

An ISMS is a management system framework for information security. It takes a risk-based approach to managing information security and includes guidance on the practices and controls necessary to manage the confidentiality, integrity, and availability of information.

Definition of ISO 27000 Standards Series

ISO 27000 is a series of standards that together provide guidance on how to implement an information security management system.

The six most commonly used standards in the ISO 27000 series are:

  1. ISO 27000:2016 – Describes the terminology and vocabulary used for information security management systems.
  2. ISO 27001:2013 – Specifies requirements for the implementation of an information security management system, and the controls for information security risks that each organization must consider to maintain the confidentiality, integrity, and availability of information assets.
  3. ISO 27002:2013 – Commonly referred to as the Code of Practice; provides guidance on the application of security controls in an information security management system.
  4. ISO 27003:2010 – Guidance for organizations on the implementation of ISO 27001 and ISO 27002.
  5. ISO 27004:2009 – Guidance on the use of metrics to manage the health of information security management systems.
  6. ISO 31000:2009 – Guidance on risk management methodologies and techniques.

In the last several years, multiple additional standards have been published in the ISO 27000 series, including sector-specific guidance for healthcare and telecommunications and more detailed guidance on managing technical controls for applications and networks, to name a few.

Most organizations work primarily with ISO 27001 and ISO 27002 when implementing an information security management system.