ISO27001 / ISO27000 certification, ISO certification
ISO27001 is the main standard of the ISO27000 series, much as ISO9001 is the main standard of the ISO9000 series. Organizations of all kinds can establish their own information security management system (ISMS) in accordance with the requirements of ISO27001 and have it certified.
With the continuous development of information technology worldwide, information security has gradually become a focus of attention, and institutions, organizations and individuals around the world are exploring how to ensure it. The United Kingdom, the United States, Norway, Sweden, Finland, Australia and other countries have developed their own information security standards, and the International Organization for Standardization (ISO) has also released ISO17799, ISO13335, ISO15408 and other international standards and technical reports related to information security. In information security management, the British standard ISO27001:2005, developed under the guidance of the BSI/DISC BDD/2 Information Security Management Committee, has become the world's most widely used and representative information security management standard; the latest version is ISO27001:2013.
The main content of ISO27001 standard
ISO/IEC17799-2000 (BS7799-1) provides recommendations on information security management for those responsible for initiating, implementing or maintaining security in their organizations. The standard provides a common basis for developing an organization's security standards and effective security management practices, and it provides a basis for trust in interactions between organizations.
The standard states that "information is an asset like any other important business asset." It has value to an organization and therefore needs to be properly protected. Information security protects information against threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities.
ISO/IEC17799-2000 contains 127 security controls that help organizations identify the elements affecting information security in their operations; organizations can select and apply these controls in accordance with applicable laws and regulations, or add further controls of their own. The International Organization for Standardization (ISO) revised ISO 17799 in 2005, and the revised standard became the first part of the ISO 27000 family, ISO/IEC 27001. The new standard removed 9 control measures, added 17 control measures, reorganized some control measures and added a new chapter, giving a clearer correlation logic that is better suited to application, and modified the wording of some control measures. The revised standard consists of 11 chapters:
1. Security policy. Specify an information security policy, provide management direction and support for information security, and review the policy regularly.
2. Organization of information security. Establish an information security management organization to carry out and control the implementation of information security within the organization.
3. Asset management. Inventory and classify all information assets to ensure that each is protected to an appropriate degree.
4. Human resource security. Ensure that all employees, contractors and third parties are aware of information security threats and related matters, and of their respective responsibilities and obligations, in order to reduce the risk of human error, theft, fraud or misuse of facilities.
5. Physical and environmental security. Define secure areas to prevent unauthorized access to, damage to and interference with office premises and information; protect equipment against the loss, damage or theft of information assets and interference with the enterprise's business; and apply general controls to prevent damage to and theft of information and information processing facilities.
6. Communications and operations management. Develop operating procedures and responsibilities to ensure the correct and secure operation of information processing facilities; establish system planning and acceptance criteria to minimize the risk of system failure; guard against malicious code and mobile code to protect the integrity of software and information; perform information backup and network security management to protect information in networks and the supporting infrastructure; establish media handling and security procedures to prevent damage to assets and disruption of business activities; and prevent information and software from being lost, modified or misused when exchanged between organizations.
7. Access control. Develop access control policies to prevent unauthorized access to information systems, and inform users of their responsibilities and obligations. This covers network access control, operating system access control, application and information access control, monitoring of system access and use, and periodic detection of unauthorized activity; information security must also be ensured for mobile working and remote access.
8. System acquisition, development and maintenance. Identify the security requirements of the system and ensure that security is built into the information system; control the security of application systems and prevent the loss, modification or misuse of user data in them; protect the confidentiality, authenticity and integrity of information by means of cryptography; control access to system files and ensure the security of system documentation and source code; and strictly control the development and support processes to maintain the security of application software and information.
9. Information security incident management. Report information security events and weaknesses, take corrective action in a timely manner, and ensure that information security incidents are managed with a consistent and effective approach and remediated promptly.
10. Business continuity management. The purpose is to reduce disruptions to business activities, to protect critical business processes from the effects of major failures or natural disasters, and to ensure their timely recovery.
11. Compliance. The design, operation, use and management of information systems shall comply with the requirements of laws and regulations and with the organization's security policy and standards; system audits shall also be controlled so as to maximize the effectiveness of the information audit process and minimize interference with it.
ISO27001 Consulting certification
An ISMS construction project is divided into five stages comprising 25 key activities. If each of these activities is completed well, an effective ISMS will eventually be established, the overall blueprint for information security construction will be achieved, and passing the ISO27001 audit and certification follows naturally.
1. Current situation investigation: Investigate the organization's current state of information security management in terms of daily operation and maintenance, management mechanisms, system configuration and so on, and give the organization's relevant personnel a full grounding in the basics of information security management through training.
2. Risk assessment: Analyze the asset value, threat factors and vulnerabilities of the organization's information assets in order to assess the organization's information security risks and select appropriate measures and methods for managing them.
3. Management planning: In line with the organization's strategy for its information security risks, formulate the corresponding overall information security plan, management plan, technical plan and so on, forming a complete information security management system.
4. System implementation stage: After the ISMS is established (system documents are formally released and implemented), its effectiveness and stability must be tested through a period of trial operation.
5. Certification audit stage: After a period of operation, once the ISMS has reached a stable state and all documents and records have been fully established, the organization can apply for certification.
Benefits of ISO27001 certification
1. By defining, assessing and controlling risks, ensure the continuity and capability of the business.
2. Reduce the liability arising from breaches of contract and direct violations of legal and regulatory requirements.
3. Through third-party certification against an international standard, improve the competitiveness of the enterprise, enhance its corporate image, and strengthen the confidence of investors and other stakeholders.
4. Clearly define the objectives of the organization's internal and external information interfaces, guarding against misuse and loss of data.
5. Establish a policy for the use of security tools.
6. Guard against the loss of technical know-how.
7. Enhance security awareness within the organization.
8. Provide evidence for public accounting audits.
ISO27001 certification costs and cycles
In addition to the organization's own investment, the cost of an ISO27001 certification audit is mainly the fee for hiring a third-party certification body and its auditors. After the organization applies to the certification body, the body will first gain an initial understanding of the organization's situation, determine the scope of the audit, and issue a quotation. A certification body's quotation is usually based on the time and personnel it expects to invest, and the determining factors include:
1. The number of employees of the audited organization;
2. The amount of information included in the scope of audit;
3. Number of venues;
4. Association between the organization and the outside world;
5. The complexity of organizational IT;
6. Organization type and business nature, etc.
Besides cost, the length of the certification audit cycle is usually a concern for organizations. In general, it takes at least half a year from the start of an ISMS construction project to final approval (not including the time needed to obtain the certificate). For the many organizations that decide to pursue ISO27001 certification because of external drivers, early planning is necessary. If you want to know more about ISO27001 certification, please consult a Tenglian consultant online. Shenzhen Tenglian Enterprise Management Consulting Co., Ltd., established in 2005, is a long-standing institution with independent legal personality in Guangdong Province. It specializes in ISO system certification, product certification, factory inspection coaching, high-tech enterprise identification, intellectual property standardization, government subsidy applications, license agency and other qualification agency services. Authoritative organization, experienced, full coaching. Senior certification counseling team, 15 years of experience, with exclusive approval channels, faster certification speed, pass rate is guaranteed! Since its establishment 15 years ago, Tenglian has served more than 7,000 enterprises, public institutions and government organizations.
Consulting telephone: 0755-27787866 13828761196 Mr. Chen 0755-27753399/19925332787 Miss Chen
ISO27000 certification, ISO certification WeChat consultation: tliso168