ISMS (Information Security Management System) Implementation Guide

AndyN

Moved On
Thanks! It's an interesting document. As an implementation guide I note that the author mixes the role of the certification audit without any further description of what "Certification" actually is! Also, some other key aspects - management review and improvement/corrective actions are completely missed, despite all the discussion about 'Plan, Do, Check, Act' at the beginning!

So, as an implementation guide it has some nice points to make, but is somewhat lacking in having an incomplete 'story'!...

pldey42

In addition to Andy's comments, with which I agree, some corrections which I hope might be appreciated:

The 7799 series has been withdrawn and replaced with the ISO 27000 series:

ISO 27001 - ISMS Requirements (audit criteria)
ISO 27002 - Implementation guidance - mostly the controls
ISO 27003 - IS Management System Implementation guidance
ISO 27004 - IS Measurements
ISO 27005 - IS Risk Management
ISO 27006 - Requirements for bodies providing ISMS audit and certification services

Accredited Certification Bodies will not generally Certify "just a department, just one floor of an organization." The ISMS Scope must encompass a meaningful set of information assets and their associated processes, facilities, etc.

While ISO 27001 does indeed require assets and their owners to be identified, there is no requirement for an "asset custodian", nor is the term defined.

Business Impact Analysis (BIA) is a concept from BS 25999 Business Continuity Management. It should not be conflated with information security risk assessment and is designed for sustaining an organization's critical products and services - not necessarily its IT assets.

It is not a requirement of ISO 27001 to provide the SoA to clients or external trusted authorities, nor an expectation of CBs, because it's a security risk. The SoA is sometimes requested, and sometimes shared, but in sanitized form.

The audit guidance is not consistent with what CBs do or teach, in that it is over-simplified. For example, in addition to the controls, CBs and internal auditors look for consistent processes that satisfy the requirements of clauses 4 through 8, and audit the SoA against the risk assessment reports, the risk assessment method, and the ISMS scope and policy. Organizations that have not implemented these mandatory clauses are too common, and fail their initial certification audits.

Finally, in the ISMS world, a desktop audit is another term for the Stage 1 or documentation review. It's nothing to do with the desktop on a user's computer. (Checks for illegal content on user machines are normally done with automated tools that scan disks periodically.)

Hope this helps,
Pat
 

AndyN

Moved On
Thanks, Pat, for your in depth analysis. These are very valid points. I didn't spend too much time and saw only basic missing key components, so thanks for the more detailed insights.

With so much knowledge of Management Systems implementation and certification now available, there's no need for the ISMS community to be making the same mistakes that the 'ISO 9000' world has done over the years, fueled by inaccurate information from this type of article...

Zubin

Got a question on ISMS (ISO 27001), I thought as it being a very basic question, I shall put it here.

When compared to other ISO systems like QMS or EMS, why are there no "Objectives" for ISMS? I am a layman in ISMS, but while trying to compare the systems, I could see that there is no specific mention of ISMS Objectives. Can the experienced members give me an insight on why it is not required?

Thanks

Zubin

pldey42

Got a question on ISMS (ISO 27001), I thought as it being a very basic question, I shall put it here.

When compared to other ISO systems like QMS or EMS, why are there no "Objectives" for ISMS? I am a layman in ISMS, but while trying to compare the systems, I could see that there is no specific mention of ISMS Objectives. Can the experienced members give me an insight on why it is not required?

Thanks

Zubin

They're there, but in terms that relate to information security:

4.2.1.b ISMS policy includes a framework for setting objectives

4.2.1.c Develop (define) criteria for accepting risks

4.2.2.d Define how to measure the effectiveness of (some) selected controls

4.2.3.c measure effectiveness of controls (and improve as necessary)

4.2.3.d review risk assessments and residual risks (against risk acceptance criteria and policy)

For example, an ISMS objective might be to improve stakeholder confidence in the organization's ability to maintain the confidentiality, integrity and availability of sensitive information, and to manage incidents correctly. It could be measured with stakeholder surveys, incident response times and such.

When setting objectives it is important to keep in mind that there is no such thing as zero risk. Objectives that seek to eliminate risk entirely will almost always be unrealistic and get the ISMS manager fired. Rather, it's about reducing risk to an acceptable level, and having incident response processes in place that are quick and effective, and enable the organization to defend itself (e.g. from regulators and penalties) with systems that are reasonable and continually improving.

Hope this helps,
Pat

Zubin

Thanks, Pat, for the clarification. The other standards have this spelled out specifically. For example, Clause 5.4.1 of 9001 is specific about Quality Objectives, and similarly 4.3.3 of EMS. Thinking along that line, I was a bit confused. Maybe it is because the continual improvement part in ISMS is not revolving around the objectives, and there may be other parameters to be considered in this system.

Please correct me if I am wrong.

Thanks
Zubin

pldey42

Continual improvement in an ISMS is certainly driven by the objectives for the ISMS as defined in the policy, but there are two dimensions: continual review of the risks (which change for a variety of reasons) and continual review of the effectiveness of the controls in mitigating the risks.

Arguably, ISO 9001 ought to have a similar approach. Continual improvement of processes, such as making them faster or more efficient, is a waste of time if risks to the business -- such as markets moving away from the product, evolving technologies making it out of date or redundant, copyright infringements -- have not been identified and mitigated. ISO 9001 says nothing about risk management, and IMHO it should.

Hope this helps,
Pat
 

Richard Regalado

Trusted Information Resource
Continual improvement in an ISMS is certainly driven by the objectives for the ISMS as defined in the policy, but there are two dimensions: continual review of the risks (which change for a variety of reasons) and continual review of the effectiveness of the controls in mitigating the risks.

Arguably, ISO 9001 ought to have a similar approach. Continual improvement of processes, such as making them faster or more efficient, is a waste of time if risks to the business -- such as markets moving away from the product, evolving technologies making it out of date or redundant, copyright infringements -- have not been identified and mitigated. ISO 9001 says nothing about risk management, and IMHO it should.

Hope this helps,
Pat

Not a requirement but the premise to ISO 9001 does...

The adoption of a QMS should be a strategic decision. The design and implementation of a QMS is influenced by

a) its organizational environment, changes in the environment and the risks associated with the environment...

ISO 31000 was published 2010. The latest iteration of ISO 9001 in 2008. I will be surprised if risk management is NOT included in the 2012 or 2013 revision of ISO 9001.