FAQs

Question: What really changed when ISO/IEC 27001:2005 was updated as ISO/IEC 27002:2013? Answer: Plenty! The update reduced the controls from 133 to 114 by combining controls and deleting redundancies. It added more focus on control effectiveness measures, security objectives and the context of the organization. There are numerous free posts about the changes made.

Question: What is ISO/IEC 27001? Answer: ISO/IEC 27001:2013 was released in October 2013 and replaced ISO/IEC 27001:2005. It is the international standard that specifies the requirements for an Information Security Management System (ISMS) and provides the foundation for third-party audit and certification. The standard is complementary to ISO/IEC 27002:2013. Its basic objective is to help an organization establish and maintain an effective information security management system using a continual improvement approach. It applies a Plan-Do-Check-Act (PDCA) process when establishing an ISMS.

Question: Is ISO/IEC 27001 “harmonized” with the other ISO management systems? Answer: The standard provides a specification for an ISMS and the foundation for third-party audit and certification. It is harmonized to work with other management system standards such as ISO 9001, ISO 20000 and ISO 14001, and will assist in the integration and operation of an organization’s overall management system.

Question: What does ISO/IEC 27001 mean for IT security officers? Answer: ISO/IEC 27001 should be used to guide the implementation of security policies and procedures in alignment with recognized best practices. Compliance with the standard will reassure customers and suppliers that information security is a senior management priority and that a systematic process has been implemented to address information security risks.

Question: What are some of the benefits of 27001 certification? Answer: The benefits of certification are numerous and include:
* Policies and procedures will be in accordance with internationally recognized criteria, structure and methodology
* Assured continued due diligence to maintain certification through bi-annual surveillance visits
* Evaluations will be conducted by qualified, impartial and monitored assessors using an accredited methodology (Certification Bodies)
* Your ISMS will be audited against internationally harmonized criteria, resulting in mutual recognition of the evaluation results
* Certifiable, proven, defensible, cost-effective recognition of best practices in information security
* Assists organizational compliance with legal, regulatory and statutory requirements including HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, California SB1386, CFR21 Part 11, EU Directive etc.
* Provides market differentiation due to positive influence on company image, prestige, external goodwill and the value of the company
* Demonstrates credibility and trust – satisfaction and confidence of stakeholders, partners, citizens and customers
* Reduced liability risk; demonstrates due diligence; lower rates on cyber-insurance premiums
* Increase in overall organizational efficiency
* Minimizes internal and external risks to business continuity
* An ISMS provides your organization with a security and privacy “umbrella”: a holistic, quality-based security and privacy posture supporting corporate governance
* ISO 27001 certification is recognized worldwide as a security and privacy competitive advantage
* Ensures that a commitment to security and privacy exists at all levels and that all employees are educated on security and privacy
* Reduces operational risk; vulnerabilities are mitigated
* Provides your organization with continuous protection that allows for a flexible, effective and defensible approach to security and privacy

Question: What if my organization is already ISO 9001 or ISO 20000 certified? Answer: If you are already ISO 9001 or ISO 20000 certified, you have an excellent head start towards 27001 certification. Many of the elements required for 9001 and 20000 certification are also required by 27001, so there should be no need to duplicate these systems. If you are advised to create a separate or redundant management system, STOP and call SQM-Advisors. The standards have been designed to complement each other, not compete.