BSI Information Security

A guide to ISO 27001
BSI Information Security Management Systems
Introduction

Information assets
Managing information is vital to an organization's future.

Information is the lifeblood of all organizations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation.

In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, there has been a corresponding increase in the number and types of threats.

Furthermore, there has been a marked increase in pressure from legal and regulatory authorities. Information security is more than a simple matter of technology; it's a major governance issue and can directly affect an organization's reputation and ultimately its survival. It is therefore vital that an organization takes steps to protect its information assets.

A proven solution is the adoption of an Information Security Management System (ISMS), which meets the requirements of ISO/IEC 27001.

> The security of information assets is crucial to all organizations and requires effective management.


ISO 27001 model

The PDCA cycle of the ISMS (diagram summarized as text):

Inputs: information security requirements and expectations (eg: legal, regulatory and commercial); interested parties (eg: senior management, customers and partners)
Plan: establish the ISMS
Do: implement and operate the ISMS
Check: monitor and review the ISMS
Act: maintain and improve the ISMS
Outputs: information security managed as expected; interested parties (eg: customers)

In order to effectively manage your organization's information risks and threats, you should establish an Information Security Management System (ISMS). An ISMS, based on ISO 27001, will help you manage these issues while continually improving the security of your information.

ISO 27001 (previously BS 7799) is the internationally recognized standard for setting out the requirements for an ISMS. It helps identify, manage and minimize the range of threats to which information is regularly subjected.

The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties including an organization's customers and suppliers.

It uses a risk-based approach to managing information security, which ensures that results are both appropriate and affordable for your organization.

It also incorporates the proven Plan-Do-Check-Act (PDCA) cycle, which enables your organization to continually improve its information security management and meet the changing legal and regulatory requirements for information security.

ISO/IEC 17799 CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
An international standard that provides guidance on information security management based on industry best practice. It aligns with, and expands on, the controls of ISO 27001 but it is not an auditable standard. ISO 17799 is due to become ISO 27002 in 2007.

> Establishing an ISMS based on ISO 27001 enables your organization to protect its information assets.
Getting Started

Establishing an ISMS
The steps you should follow.

Establishing an ISMS, which meets the requirements of ISO 27001, is an ideal platform for building effective security for your business information. This process can be complex and is made much easier by grouping it into a number of steps.

Step 1: Define the scope and boundaries of the ISMS. Output: ISMS Scope Statement.
Step 2: Define an ISMS policy. Output: An ISMS policy.
Step 3: Define the risk assessment approach. Output: Documented risk assessment approach.
Step 4: Identify risks. Output: List of threats, vulnerabilities and impacts.
Step 5: Undertake a risk assessment. Output: Report on business impacts and likelihoods.

Steps 1 and 2 involve establishing the scope, boundaries and policy of the ISMS. These should be defined on the basis of the organization's specific characteristics such as size, assets and types of information systems, while legal, regulatory and contractual requirements must also be taken into account. These steps require management direction and support while being crucial to the overall success of implementing an ISMS.

Steps 3 to 5 involve assessing the security risks to the organization's information. A risk assessment approach and methodology need to be defined to facilitate these steps. The key outputs are the identification of the risks along with the undertaking of a risk assessment.

> Expenditure on controls to protect information and information systems needs to be balanced against the business harm likely to result from security failures.


Getting Started (continued)

Step 6: Evaluate risk treatment options. Output: Risk treatment plan.
Step 7: Select control objectives and controls. Output: List of control objectives and controls.
Step 8: Obtain management approval of proposed residual risks. Output: Record of approved residual risks.
Step 9: Obtain management approval to implement the ISMS. Output: Management authorization to implement the ISMS.
Step 10: Prepare statement of applicability. Output: Statement of applicability.

Steps 6 and 7 involve evaluating the treatment options for business risks and selecting the relevant control objectives and controls. Where risks are deemed to be unacceptable, an organization needs to choose how to manage them as part of a risk treatment plan. This plan will involve applying appropriate controls, accepting the risks or transferring them to other parties. Alternatively, avoiding action can be taken.

In line with the decision on how risks are treated, appropriate control objectives and controls need to be selected from Annex A of the standard. Additional controls can be introduced to address an organization's specific risks.

Steps 8 and 9 require management to approve the proposed residual risks and authorize the implementation of the ISMS. The residual risks are those that management accept on behalf of the business as not being treated. Examples include risks which would be very costly to treat, but have a low impact to the business.

Step 10 involves the preparation of a Statement of Applicability. This describes and documents the selected control objectives, controls and the reasons for their selection or exclusion.

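The following is an added worked example, not BSI's or the standard's own tooling, of how the outputs of Steps 3 to 10 can be held in one small risk register: a documented scoring approach (Step 3), a list of threats, vulnerabilities and impacts (Step 4), scores per risk (Step 5), a treatment choice among the four options named above (Step 6), the controls that treatment draws on (Step 7), the residual risks put forward for management approval (Step 8) and a Statement of Applicability listing each control as included or excluded with its reason (Step 10). The 3-point scale, the acceptance level of 3, the sample register and the control catalogue are all constructed for the example; the control identifiers are placeholders and are not Annex A numbers.

```python
"""Risk register walk-through for Steps 3 to 10 (added example, not BSI's or ISO's own tooling).

Assumptions made here, not taken from the guide: a 3-point likelihood/impact
scale, risk score = likelihood x impact, an acceptance level of 3, and a
placeholder control catalogue whose identifiers are NOT Annex A numbers.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE = {"low": 1, "medium": 2, "high": 3}   # assumed 3-point scale (Step 3: the approach)
RISK_ACCEPTANCE_LEVEL = 3                     # assumed: scores at or below this are tolerable
TREATMENTS = {"accept", "treat", "transfer", "avoid"}  # the four options named in Step 6

# Constructed control catalogue standing in for Annex A; identifiers are placeholders.
CONTROL_CATALOGUE = {
    "CTRL-ACCESS": "Access control to information",
    "CTRL-BACKUP": "Information backup",
    "CTRL-MEDIA": "Secure disposal of media",
    "CTRL-INSURANCE": "Insurance cover for information incidents",
}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "accept"
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # only meaningful for "treat"/"transfer"
    residual_impact: Optional[str] = None


def score(likelihood: str, impact: str) -> int:
    return SCALE[likelihood] * SCALE[impact]


def inherent_score(r: Risk) -> int:
    """Step 5: business impact x likelihood before any treatment."""
    return score(r.likelihood, r.impact)


def residual_score(r: Risk) -> int:
    """Risk left after the chosen treatment (the figure management signs off in Step 8)."""
    if r.treatment == "avoid":
        return 0                       # the risky activity is stopped
    if r.treatment == "accept":
        return inherent_score(r)       # nothing changes
    return score(r.residual_likelihood or r.likelihood, r.residual_impact or r.impact)


def treatment_plan(register: List[Risk]):
    """Steps 5 to 8: score each risk, validate its treatment, and list the residual
    risks above the acceptance level that need an explicit management approval record."""
    plan, for_approval = [], []
    for r in register:
        if r.treatment not in TREATMENTS:
            raise ValueError(f"{r.asset}: unknown treatment {r.treatment!r}")
        if r.treatment in ("treat", "transfer") and not r.controls:
            raise ValueError(f"{r.asset}: '{r.treatment}' needs at least one control")
        before, after = inherent_score(r), residual_score(r)
        plan.append({"asset": r.asset, "threat": r.threat, "inherent": before,
                     "treatment": r.treatment, "controls": list(r.controls), "residual": after})
        if after > RISK_ACCEPTANCE_LEVEL:
            for_approval.append(r)
    return plan, for_approval


def statement_of_applicability(register: List[Risk]) -> dict:
    """Step 10: every catalogue control, marked applicable or not, with the reason."""
    used = {}
    for r in register:
        for cid in r.controls:
            used.setdefault(cid, []).append(f"{r.asset} / {r.threat}")
    return {
        cid: {"title": title, "applicable": cid in used,
              "justification": ("Treats: " + "; ".join(used[cid])) if cid in used
                               else "No identified risk requires this control"}
        for cid, title in CONTROL_CATALOGUE.items()
    }


# Constructed sample register (Step 4 output: threats, vulnerabilities, impacts).
REGISTER = [
    Risk("Customer database", "Unauthorised disclosure", "Shared admin accounts",
         "high", "high", treatment="treat", controls=["CTRL-ACCESS"], residual_likelihood="low"),
    Risk("File server", "Hardware failure", "No tested backups",
         "medium", "high", treatment="treat", controls=["CTRL-BACKUP"], residual_impact="low"),
    Risk("Retired laptops", "Data recovered from disposed disks", "No wiping procedure",
         "low", "medium", treatment="accept"),
    Risk("Legacy FTP service", "Credential sniffing", "Cleartext protocol",
         "high", "medium", treatment="avoid"),
    Risk("Office printers", "Misrouted print jobs", "Shared print queue",
         "medium", "medium", treatment="accept"),   # above the level: costly to fix, so accepted
]

if __name__ == "__main__":
    plan, approvals = treatment_plan(REGISTER)
    for row in plan:
        print(f"{row['asset']:<20} inherent={row['inherent']} -> {row['treatment']:<8} residual={row['residual']}")
    print("Residual risks needing management approval:", [r.asset for r in approvals])
    for cid, entry in statement_of_applicability(REGISTER).items():
        print(cid, "applicable" if entry["applicable"] else "excluded", "-", entry["justification"])
```

Running the module prints the treatment plan, the single residual risk that sits above the acceptance level (the accepted printer risk) and a Statement of Applicability in which the two controls no risk draws on are recorded as excluded with a reason, which is the "selection or exclusion" justification Step 10 asks for.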


Security Controls

The Security Control Areas
Control objectives and controls to help protect your organization's information.

Within the ISO 27001 standard, there are numerous control objectives and controls, which are categorized in the following sections:

1. Security Policy
The documented policy helps communicate an organization's information security goals. It should be clearly written and understandable to its readers. The policy helps management provide direction and support for information security throughout the organization.

2. Organization of Information Security
This security control outlines how management ensures implementation of information security within an organization. It provides a forum for reviewing and approving security policies and assigning security roles and responsibilities.

3. Asset Management
Managing both physical and intellectual assets is important to maintaining appropriate protection. It determines ownership, accountability and protection of information assets.

4. Human Resources Security
The assessing and assigning of employee security responsibilities and awareness enables more effective human resource management. Security responsibilities should be determined during the recruitment of all personnel and throughout their employment.

5. Physical and Environmental Security
Securing physical areas and work environments within the organization contributes significantly toward information security management. Anyone who deals with your physical premises, whether they are employees, suppliers or customers, plays a key role in determining organizational security protection.

6. Communications and Operations Management
Covers the secure delivery and management of the daily operations of information processing facilities and networks.

7. Access Control
Managing access levels of all employees helps to control information security in an organization. Controlling levels of systems and network access can become a critical success factor when protecting data or information network systems.

8. Information Systems Acquisition, Development and Maintenance
Involves the secure development, maintenance and acceptance of business applications, products and services into the operational environment.

9. Incident Management
Facilitates the identification and management of information security events and weaknesses and allows for their appropriate and timely resolution and communication.

10. Business Continuity Management
Using controls against natural disasters, operational disruptions and potential security failures helps the continuity of business functions.

11. Compliance
To assist organizations with the identification of, and compliance with, contractual obligations, legal and regulatory requirements.

> Control objectives and controls are selected as part of the ISMS risk process.


Benefits

The benefits of an ISO 27001 based ISMS
Implementing an ISMS certified to ISO 27001 is the clearest demonstration of commitment to good information security governance.

Adopting ISO 27001 can bring significant benefits including:

• Providing a common framework enabling organizations to develop, implement, and effectively measure information security management practices
• Providing a risk-based approach that is structured and proactive to help plan and implement an ISMS resulting in a level of organizational security that is appropriate and affordable
• Ensuring the right people, processes, procedures and technologies are in place to protect information assets
• Protecting information in terms of confidentiality, integrity and availability
• Aligning with other management standards such as ISO 9001

However, accredited certification to ISO 27001 is a powerful independent demonstration of an organization's commitment to managing information security. Being certified will provide a number of specific benefits, which are described below.

BENEFITS OF CERTIFICATION
+ Demonstrates independent assurance of an organization's internal controls, therefore meeting corporate governance and business continuity requirements.
+ Provides third-party assurance that applicable laws and regulations are observed.
+ Provides a competitive edge, e.g., by meeting contractual requirements and demonstrating to customers that the security of their information is paramount.
+ Independently verifies that organizational risks are properly identified, assessed and managed while formalizing information security processes, procedures and documentation.
+ Proves senior management's commitment to the security of an organization's information.
+ The regular assessment process helps an organization continually monitor and improve.

> The above benefits are not realized by organizations who simply comply with ISO 27001 or the recommendations in the Code of Practice standard, ISO 17799.
Route to Registration

The BSI Route to Registration
There are eight steps to achieving and maintaining your ISO 27001 certificate.

Step 1: Initial enquiry
Contact BSI Management Systems. We will consider your business requirements, then arrange the services that best suit your needs.

Step 2: Quotation provided
Upon contacting BSI, we will provide an estimate of costs and timescales for formal assessment.

Step 3: Application submitted
Submit a formal application for registration services to BSI.

Step 4: Assessment team appointed
On return of your completed application form, we will assign you to a Lead Assessor. They will be your principal contact throughout the registration process and beyond, have knowledge concerning the nature of your business, and will offer support while you develop your systems.

Step 5: Undertake a review
BSI will undertake a desk top review of the Risk Assessment, Policy, Scope, Statement of Applicability and Procedures. This will then identify any weaknesses and omissions in your management system that need to be resolved.

Step 6: Undertake a full audit
BSI will then conduct an on-site assessment and make recommendations.

Step 7: Registration
On successful completion of the audit, a certificate of registration is issued which clearly identifies the scope of the ISMS. It remains valid for three years and is supported by routine assessment visits.

Step 8: Continual assessment
After registration your assessor will visit your organization at regular intervals each year to facilitate improvement and ensure that you continue to meet the requirements of ISO 27001.


Services and tools

ISO 27001 Services and Tools from BSI
Everything you need from one convenient and reputable source.

The standards
Before you can begin preparing for the certification process, you will require a copy of the ISO 27001 standard. You should read this and make yourself familiar with it. Other related standards are also available from BSI.
Purchase standards from: www.bsi-global.com/bsonline

Free guidance documents, publications and software
There is a wide range of free guidance documents on the BSI website www.bsi-emea.com. You can also purchase support publications and software tools designed to help you understand, implement and become certified to an ISO 27001 based Information Security Management System. These are available from: www.bsi-global.com/ict/security

Implementation and improvement tools
Various BSI tools are available to help you implement and improve your ISMS. They cover subjects such as Risk Assessments, Risk Methodologies, Gap Analysis and Benchmarking.

Training
There is a wide range of ISO 27001 and information security management related training courses to suit various requirements. These include: ISO 27001 Introduction; Implementation; Internal auditor and Lead auditor courses. Courses can be delivered in-company, at public venues or online via e-learning. These courses are highly regarded and well attended.

TRAINING COURSES
INFORMATION SECURITY COURSES: www.bsi-emea.com/isms-training
ALL BSI COURSES: www.bsi-emea.com/training

> Implementing an ISO 27001 ISMS can be complex but BSI tools and services can simplify and reduce the process cost.


Your ISO 27001 partner

Partner with the global ISO 27001 leader
Key reasons for choosing BSI as your partner.

BSI has over 40,000 registered clients, making BSI one of the largest and most experienced certification bodies in the world. This places BSI in an unrivalled position of experience and knowledge about companies' needs, irrespective of size and industry sector. Furthermore, BSI is the clear global market leader in ISO 27001 certification and pioneered the development of BS 7799, its British Standard predecessor.

Independent accreditation
BSI's ISO 27001 certification service is accredited by the United Kingdom Accreditation Service (UKAS). Accreditation is a valuable indicator for you to use to verify that your certification body is competent to be carrying out assessment services at your facility. It provides assurances to you that BSI continues to operate according to internationally accepted criteria.

Added value auditing
BSI is one of the few certification bodies to employ full-time auditors with information security expertise. BSI employs very strict auditor qualification criteria and auditors are regularly assessed. BSI carefully matches the auditor's industry experience with an organization's activities, enabling the assessment to add real value with minimum disruption and cost to your operation.

Global network of delivery
When you choose BSI as your business partner, you are also choosing our international reputation for excellence and delivery. BSI operates in over 90 countries and we have the flexibility and capability to provide a first class service anywhere around the world.
To find your nearest office, please visit: www.bsi-emea.com/locations

THE ISO 27000 FAMILY OF STANDARDS
ISO 27000, Vocabulary and Definitions: Planned Release 2008/2009
ISO/IEC 27001:2005, Specification Document: Released October 2005
ISO 27002 (ISO 17799), Code of Practice (number change only): Planned Release April 2007
ISO 27003, Implementation Guidance: Planned Release 2008/2009
ISO 27004, Metrics and Measurement: Planned Release 2008/2009
ISO 27005 (BS 7799-3), Risk Management: Planned Release 2008/2009

BSI Management Systems
389 Chiswick High Road
London
W4 4AL
Tel: +44 (0) 20 8996 6325
Fax: +44 (0) 20 8996 7852
international@bsi-global.com
www.bsi-emea.com

raising standards worldwide™


BSI Group: Standards • Information • Training • Inspection • Testing • Assessment • Certification

MC3280/ISSUE2/SA/0606/CM/CW
