ISO 27001 FAQs

What training is required to be a ISO 27001 Certification Auditor?

The minimum training to become an accredited ISO 27001 Certification Auditor is:

1. PECB - ISO 27001 Lead Auditor Training
2. PECB - Certified Management System Auditor (CMSA)
3. 300 Management System Audit hours (per audit log).  Each Certification Body may recognize some audit hours from other related ISO management system standards, internal audit hours, certification audit hours, industry experience, etc.

Who should take ISO 27001 Training Classes?

Who should take ISO 27001 Training Classes?

1. Anyone auditing ISO 27001 management systems including ISO 27001 internal auditors and/or certification auditors.
2. Anyone implementing ISO 27001 management systems such as an ISO 27001 Consultant, Information Security Manager, ISMS Manager.
3. Anyone maintaining ISO 27001 management systems such as an ISMS Manager.
4. Anyone managing or performing ISO 27001 Risk Assessment Process.
5. Anyone managing or performing ISO 27001 Business Continuity Requirements (Availability) including Business Impact Analysis (BIA), Business Continuity Plan (BCP), Disaster recovery, etc within the Context of the Organization (Scope) of ISO 27001 registration.
6. Information Security students, consultants, managers, etc.

What ISO 27001 Training should I take?

There are three main training classes for ISO 27001 Management Systems including:

1. ISO 27001 Lead Auditor Training - How to "Audit" ISO 27001 Management Systems
2. ISO 27001 Lead Implementer Training  - How to "Implement" ISO 27001 Management Systems
3. ISO 27001 Lead Risk Manager Training - How to "Manage" the ISO 27001 Risk Assessment Process

Depending on your career path and job requirements, all PECB accredited training classes can be of great value to your experience, knowledge and resume / CV.  Each training course will help you understand the many options to meet the ISO 27001 clause 4-10 auditable generic requirements.

What is a information security management system (ISMS)?

Information security is defined as the "preservation of confidentiality, integrity and/or availability (CIA) for information in any form".  Thus, an information security management system (ISMS) is simply a Management System (plan, do, check, act) umbrella over the "preservation of CIA".

The international organization of standards (ISO) auditable requirements for information security management systems (ISMS) is known as ISO 270001.  The entire ISO 27000 series of standards are all focused on information security including:  vocabulary, definitions, implementation guidance for each ISO 27001 clause 4-10 generic requirements and specific controls for certain industries or types of assets.

What is the definition of Information Security?

Information security is defined as the "Preservation of Confidentiality, Integrity and/or Availability (CIA) of Information in any form".

What does ISO stand for?

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO standards are the result of collaboration and consensus among a group of more than 160 countries around the globe.

What is information?

Information is that which informs or resolves uncertainty. Information is a business asset that has a value to an organization and thus has to be protected. Information can be found in any form including:

• Electronic - email, data stored, websites, etc.
• Physical - paper files, cds, photos, USB drive, etc.
• Verbal - phone conversations, in-person conversations, meetings, etc.
• Knowledge - employee knowledge (in their heads)

What is information security?

Information Security is known as the process of protecting information assets against the loss of confidentiality, integrity and availability (CIA) or preservation of CIA.

What is an Information Security Management System (ISMS)?

A framework of processes and procedures used to protect against the loss of confidentiality, integrity and availability (CIA) of information in any form.

What is ISO 27001?

ISO 27001 is the international standardization of auditable requirements for an information security management system (ISMS). ISO 27001 has two main parts including Sections 4-10 and Annex A.

What are the ISO 27001 ISMS requirements?

The ISO 27001 ISMS requirements are found in Sections 4-10. These section 4-10 requirements are also known as the international standardization of information security management system (ISMS) requirements. These requirements are "generic" and intended to be applicable to any type and size of organization in the world. These generic requirements are very high level and allow for a wide variety of implementation options for how to build an ISMS. These generic requirements are why most organizations need help implementing ISO 27001 / ISMS.

What is Annex A?

Annex A is the international standardization of control objectives (14) and controls (114). It is a comprehensive minimum baseline of information security controls that all information security management systems shall consider when selecting controls to mitigate information security risks. ISO 27001 requires that organizations map which Annex A controls apply to them in the statement of applicability (SoA). Annex A is also somewhat generic in that it is only a mid-level control description. There is a wide variety of options regarding which low-level controls you actually choose and implement to reduce risk under the Annex A description, which is why you may seek guidance from an experienced ISO 27001 consultant.

What is the ISO 27000 series of standards?

All ISO standards consist of a series of standards that apply to a specific management system category. The ISO 27000 series of standards specifically address information security management systems (ISMS).

It is typically the first standard in each ISO series that contain the management system requirements. Thus, it is typically only the 1st standard in each series that is "certifiable" such as;

• ISO 27001 = Information Security Management Systems (ISMS)
• ISO 9001 = Quality Management Systems (QMS)
• ISO 22301 = Business Continuity Management Systems (BCMS)

*All of the other standards in each ISO series are typically reference / guidance to support one or more of the management system requirements. Some commonly used ISO 27000 reference standards include:

• ISO 27002 = reference / guidance for information security controls (code of practice)
• ISO 27004 = reference / guidance for information security measurement
• ISO 27005 = reference / guidance for risk assessment

*there are many more reference / guidance standards available in the 27000 series

What is ISO 27002?

ISO 27002 also known as "code of practice" is a low level reference / guide for implementing controls to mitigate information security risks. It exactly cross-references Annex A control objectives (14) and controls (114) without referencing the A in front of each control number. It is much lower level and descriptive than Annex A.

What is ISO 27001 Scope of Registration?

ISO 27001 scope of registration can be defined as "the information you want to protect". It is this information within scope that you build an information security management system (ISMS) around. The scope is derived from careful consideration of the documenation requirements defined within Section 4 - Context of the Organization. The scope should meet business requirements and give value to products and services. The scope will have a significant impact on the timeline and costs of implementation, certification and management of the ISMS.

Does ISO 27001 require legal and contractual compliance?

Yes! ISO 27001 requires compliance to any legal / regulatory or contractual obligation that is applicable to the scope of registration. The risk assessment process typically addresses this as the risk of non-compliance. Compliance requirements such as FISMA, HIPAA, PCI DSS, are often mapped to Annex A for audit and applicability purposes.

What is ISO 27001 Asset Inventory?

The asset inventory includes all the assets that exist within the scope. The scope statement typically includes all underlying assets which may include people, networks, cables, facilities, hardware, software, etc. These assets collect, store, access and distribute information within the scope. Thus, we must assess the risk to these assets and apply appropriate controls to mitigate the risk. The asset inventory also tells us where to apply controls including the asset owner and location.

What is ISO 27001 Risk Assessment?

ISO 27001 Risk Assessment requires an organization to measure the risk (threats and vulnerabilities) to assets within the scope. There are two types of risk assessed within ISO 27001.

1. Risk to the loss of confidentiality, integrity and availability (CIA) or preservation of CIA.
2. Risk of non-compliance including legal / regulatory and contractual compliance.

The outputs of risk assessment include the risk treatment plan (RTP), statement of applicability (SoA) and also populate the ISMS controls such as policies, processes, training and awareness, business continuity, etc.

How long does it take to become ISO 27001 Certified?

It typically takes anywhere from 3 - 12 months to implement and certify ISO 27001 requirements for an information security management system (ISMS). This can vary from organization to organization based on size of the scope of registration including number of locations, status of the current information security program, company size, internal resources and focus, etc. SecuraStar's ISO 27001 Software (ISMS Manager) can often speed the process by several months due to the efficiencies built into the risk management process and its automatic outputs including the risk treatment plan, statement of applicability, policy creation, compliance mapping and task management.

How much does it cost to Implement ISO 27001?

The cost to implement ISO 27001 can vary from organization to organization based on size of the scope of registration including number of locations and status of the current information security program. Total costs may also include hiring a consultant, buying software, employee time, salary benefits, control implementation, performing internal audits, etc. This can range as low as a few thousand dollars for a do-it-yourself implementation to well over $100,000+ for a large organization who hires a consultant.

How much does it cost to certify ISO 27001?

The cost to certify ISO 27001 after implementation can vary from organization to organization based on size of the scope of registration including number of locations. Most registrars calculate their costs based on audit days so the larger the scope and number of locations, the larger the cost. Quotes from certification bodies typically cover a 3 year period which includes a full audit (stage 1 and 2) the 1st year and a smaller annual surveillance audit in years 2 and 3. Costs can range as low as $6,000 for a small scope with one location to over $50,000+ for a large organization with a large scope and many locations worldwide. Surveillance audits in years 2 and 3 are typically around half to one-third the cost of the 1st year full audit.