ISO27001 and ISO17799

These set out the standards for an Information Security Management System (ISMS). They identify, manage and minimise the range of threats to which all commercial information is regularly subjected. ITOPSEC staff are qualified to work as ISO27001 and ISO17799 implementers and lead auditors. ISO27001 and ISO17799 identify 10 key areas and controls:
Security Policy - To provide Management Direction and support for information security.
Organisation of Assets and Resources - to help you manage information security.
Asset classification and control – to help you identify and protect your assets.
Personnel security – to reduce the risks of human error, theft, fraud or misuse of facilities.
Physical and environmental security – to prevent unauthorised access, damage, and interference with premises and information.
Communications and operations management - to ensure the correct and secure operation of information processing facilities.
Access control – to control access to information.
Systems development and maintenance – to ensure that security is built into information systems.
Business continuity management – to counteract interruptions to business activities and protect critical processes from the effects of major failures or disasters.
Compliance – to avoid breaches of criminal and civil law, statutory, regulatory, or contractual obligations, and any security requirement.

An organisation using ISO27001 and ISO17799 as the basis for its ISMS and registered by BSI proves to stakeholders that it meets the required standard. ITOPSEC can help any organisation to achieve ISO27001 and ISO17799 certification. We also provide a preparatory or "current state" audit against the standards, allowing you to introduce improvements where necessary.

Accreditation is fundamental to the assurance and delivery of any ‘trusted’ system or service that underpins business. It is a continuous process, throughout and beyond the life of the delivery project.
So what does the process look like?

Step 1 - Questionnaire
Typically we will send out a questionnaire for you to fill in. The certification process starts when you complete a questionnaire giving details of your requirements. This provides us with the information needed to send you a quotation.

Step 2 - Application for Assessment
If you decide to proceed with certification, you fill in an application form and return it to us. On receipt, an initial visit by a BS 7799 Auditor is arranged. The initial visit allows you to meet the Auditor who will assess the ISMS for BS 7799 certification. The Auditor will explain the assessment process and carry out a review of the existing documented management system. An assessment date and an audit programme will be agreed.

Step 3 - Stage 0 Audit (otherwise called a ‘Pre-assessment Visit’ or a ‘Gap Analysis’)
This is an optional stage, but if you can afford it, we recommend it. You should do this after you have implemented the Information Security Management System (ISMS) and developed the Statement of Applicability (SoA); you may already have some controls in place and documented and some records available. If you are doing this in house, it is a way of demonstrating to your management that you are on track and doing the job correctly, and that your management can have confidence in that. It also shows management where they fall short, as non-conformances are written up as part of the audit. Whilst this audit cannot be relied on to support a Stage 1 or Stage 2 CB Audit, it would be difficult for an Auditor to later find major non-conformances in the ISMS unless something dramatic had occurred in the organisation to warrant this. This step provides a sanity check.
Step 4 – Stage 1 Audit (otherwise called a ‘Document Review’)
This is the first part of the audit proper. This stage looks to see whether the SoA has been implemented by selecting controls and documenting all the policies and procedures that surround their use. The auditor will also look for evidence that records are being collected for implemented controls, though the full audit of this happens in the Stage 2 Audit. At this time the auditor will also plan the Stage 2 Audit. Typically, the auditor reviews the documented ISMS, looking at:
Roles and responsibilities
Risk process, treatment and acceptance
Documented processes and procedures supporting the ISMS
Compliance, contractual and other regulatory issues

If there are any audit failures, i.e. non-conformances, they will be written up on the Corrective Action Plan (CAP). It is then up to you, the client, to document how you are going to address these. Typically, you have 20 days to respond to the raising of a CAP and, once agreed, 3 months to address the issues raised on it. Failure to either respond or carry out the agreed work within the time limit can prejudice the granting (or retaining) of a certificate. When the next audit occurs, the CAPs are the first items reviewed to ensure that they have been suitably addressed.

You could stop here! The process is advisory and useful thus far. Or go on to:

Step 5 - Stage 2 Audit (otherwise called the ‘Compliance Audit’)
During the Stage 2 Audit, an objective assessment of the organisational procedures and practice will be carried out against the documented ISMS (reviewed in the Stage 1 Audit). The Auditor will be looking for records (i.e. proof) that the ISMS is operated as the documented ISMS says it should be. On completion of the assessment the Auditor will present the findings in a written report to you, and CAPs will be raised if appropriate.
Following a successful Stage 2 Audit and the decision to grant registration, a certificate of registration is awarded and the organisation is permitted to use the CB Certification Mark and the relevant BS 17799 certification mark.

Step 6 – Ongoing audits
A programme of regular surveillance visits is agreed with you to verify that the requirements of the BS 7799 standard continue to be met, and again CAPs will be raised if appropriate. There are two types of ongoing audit, each covered in turn below.

Surveillance Audit
A programme of ‘surveillance audits’ is undertaken over a three year cycle to ensure that the ISMS is working properly. This is performed in addition to the internal audits and ongoing monitoring and management that you perform internally (4.2., 4.2.4, 6.2, 6.3, 6.4, 7.2, 7.3, A.4.1.7, A.12.2.1, A.12.2.2 to name just some of the requirements you must meet on an ongoing basis). The actual frequency of these will vary with the CB, but typically the following will occur:
Surveillance audits are carried out regularly (either annually, 9 monthly or 6 monthly)
The first one is usually 3 months after the Stage 2 Audit, to check for any CAPs outstanding since that audit
At every audit any outstanding CAPs are audited for completeness
All mandatory requirements are audited
A representative sample of all other controls is audited (so that all controls in the ISMS are reviewed over the surveillance cycle)

Triennial Audit
The Triennial Audit, as the name suggests, is carried out every three years. This audit is similar to the original Stage 2 or Certification Audit, but it should take less time as the CB Auditor now knows your systems, unless a scope or other change has occurred. All controls are evaluated to ensure that the ISMS is operating properly and, assuming it is, your certificate is renewed for another 3 years. If not, CAPs are raised and you have to address them. The three year surveillance audit cycle then starts all over again.
ITOPSEC will partner you throughout the process to ensure your continued success! We in turn will work to our Certification Body (CB).

So who can do this Certification?
The only body that can carry out this certification is a CB that has been accredited by the ‘national accreditation service’ (in the UK this is the United Kingdom Accreditation Service – UKAS). This ensures that CBs meet national and international standards for the services they are offering. A CB uses auditors who are totally independent of the organisation being audited, i.e. ITOPSEC Ltd.