ISO 27001 in Organizational Context (Relation to ISO 17799)
1 Answer

ISO 27001 (formerly BS 7799) describes a six-stage process:

  1. Define an InfoSec policy.
  2. Define the scope of the ISMS.
  3. Perform a security risk assessment.
  4. Manage the identified risk.
  5. Select controls to be implemented and applied.
  6. Prepare a 'statement of applicability' (SoA).

The Plan-Do-Check-Act (PDCA) approach described by ISO 27001 and its details in implementation context are depicted in Figure 1. In reference to this figure, the PDCA cycle can be explained in brief as follows:

[Figure 1: PDCA cycle of ISO 27001 in implementation context (image not available)]

1. PLAN - Establish Context:

  • Define ISMS scope.
  • Define policy.
  • Identify risks.
  • Assess risks.
  • Select control objectives.

2. DO - Implement and operate:

  • Implement risk treatment plan.
  • Deploy controls.

3. CHECK - Monitor and Review:

  • Monitor processes.
  • Regular reviews.
  • Internal audits.

4. ACT - Maintain and Improve:

  • Implement improvements.
  • Corrective actions.
  • Preventative actions.
  • Communicate with stakeholders.

As can be seen, ISO 27001 is an ISMS development methodology, and it explains how to create an ISMS. However, it does not tell you what kind of elements make up an ISMS. That is what ISO 17799 is all about.

ISO 17799 lists all the bits and pieces that combine to make up an ISMS. It presents a detailed list of generally accepted information security management practices. ISO 27001 asks you to select only those security practices that address your organization's unique security risks and requirements (see Figure 2).

The ISM practices that make up ISO 17799 are organized as follows:

  1. Security objectives (for ISO 27001).
  2. Security controls (for ISO 27001) - there are 15 controls in total, each divided into subsections.
  3. Implementation guidance.
  4. Other information.

[Figure 2: selecting ISO 17799 security objectives and controls for ISO 27001 (image not available)]

Thus, ISO 27001 asks you to select the security objectives and security controls that address your unique security risks and requirements, and then to use this information to prepare what ISO calls an SoA. This SoA is, in turn, used to prepare a detailed Risk Treatment Plan. Once you have implemented this Plan, you have established an ISMS, one that meets your organization's unique InfoSec needs and requirements. Fortunately, the ISO 17799 security objectives and security controls are included with the ISO 27001 standard, so there is no need to purchase ISO 17799 in order to build the ISMS. However, to get additional detailed implementation guidance and other related information, one has to purchase ISO 17799. It is to be noted that ISO 17799 will eventually become ISO 27002.
