What is ISO 27001?
ISO 27001 is the international standard for information security. The ISO 27001 certificate is proof that your organization has taken the necessary precautions to protect sensitive information from unauthorized access and processing. The standard stands for a process-based approach to establishing, implementing, operating, monitoring, maintaining and improving information security, based on an Information Security Management System (ISMS). With ISO 27001 certification you show your clients that you are in control of your information processes and that their data is properly secured.
The standard ISO 27000 / 27001 is applicable to any organization with the exception of organizations in the healthcare sector. For the healthcare sector the NEN 7510 / NEN 7511 standard applies.
Introduction to ISO 27001
ISO 27001 certification originated from the English "Code of Practice for Information Security Management". This describes a dedicated management system for information security and specifies how you can demonstrably manage security risks.
The ISO 27001 standard contains the following aspects relating to information security:
- Policy-related (management)
- Organizational (responsibilities)
- Business assets (infrastructure, network, systems and other business assets)
- Personnel (house rules, errors, theft, fraud, abuse)
- Physical (locks, fire protection)
- Communication and operation (management of systems, processes and procedures)
- Access control (password, biometrics)
- System and software development and maintenance (documentation, processes)
- Continuity (calamity provisions)
- Regulations (Computer Crimes Act, Personal Data Protection Act)
The ISO 27001 standard states that you define a scope and policy, perform a risk analysis, select measures for the risks found, and implement and manage those measures. This is a continuous process for achieving and maintaining ISO 27001 certification. With ISO 27001 certification you are in control of your security risks.
ISO 27001 Content
ISO 27001 is composed of a number of chapters. Every ISO management standard released from 2017 onward has the same format.
Introduction
Explains the purpose of ISO 27001 and its compatibility with other management standards.
Subject matter and scope
Declares that this standard is applicable to any organization.
Normative references
Refers to ISO/IEC 27000 as the standard where terms and definitions are given.
Terms and definitions
Again, it refers to ISO/IEC 27000.
Context of the organization
This chapter is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, stakeholders and their requirements, and for defining the ISMS scope.
This section is part of the Plan phase in the PDCA cycle and defines executive responsibilities, setting roles and responsibilities, and content of the top-level Information Security Policy.
This section is also part of the Plan phase in the PDCA cycle and defines requirements for risk assessment, risk treatment, Statement of Applicability, and setting information security objectives.
This section is part of the Plan phase in the PDCA cycle and defines requirements for resource availability, competencies and awareness, communication, and document and record management.
This chapter is part of the Do phase in the PDCA cycle and defines the implementation of risk assessment and risk treatment, as well as the measures and other processes necessary to achieve the information security objectives.
Evaluation of performance
This chapter is part of the Check phase of the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and executive reviews.
This chapter is part of the Act phase of the PDCA cycle and defines requirements for deviations, corrections, corrective actions, and continuous improvement.
Audit protocol ISO 27001
Certification means that an external, independent party (the certifying body) establishes whether the organization's management system meets all requirements of the standard. To determine this, a certification body (CI) conducts an audit. This first audit (the certification audit) consists of two phases.
The first phase serves to:
- assess the documentation
- evaluate the site and the site-specific conditions, and hold conversations with employees in order to determine whether the organization is prepared for phase two
- assess the extent to which the organization meets and understands the requirements of the standard, in particular with respect to the identification of key performance aspects, processes and the operation of the management system
- gather the necessary information regarding the scope of the management system, its processes and locations, and the relevant statutory and legal aspects
- see what resources are available for the second phase and reach agreement with the organization on the elaboration of the second-phase audit
- obtain a good understanding of the organization's management system, its activities and the significant aspects involved
The purpose of the stage two audit is to assess the implementation and effectiveness of the management system. The stage two audit takes place at the site(s) of the organization. The stage two audit shall include at least the following:
- information and evidence regarding conformance to all requirements of the standard
- performance evaluation, measurement, reporting and assessments done to determine the extent to which goals and objectives have been achieved
- the organization's management system and how it complies with legal requirements
- the control of the organization's processes
- internal audits and management review
- involvement of management in the quality policy
- the connection and coherence between the standard requirements, the policy of the organization, goals and objectives, legal requirements, responsibilities, the competence of employees, the implementation, procedures, performance information and findings from internal audits
Subsequently, in the 2 years thereafter, organizations are audited (semi-)annually to assess whether they continue to meet the requirements of the standard. Recertification again consists of 2 phases and takes place in the third year after initial certification. This cycle is then maintained.
If non-conformities are noticed during an audit, they are recorded in the audit report. The naming may vary from one certification body to another, but it boils down to the following:
Major non-conformity (Category 1 deviation):
- The lack of an effective implementation with regard to one or more system requirements of the standard, or a situation where it is not, or not sufficiently, guaranteed that the product or service will meet requirements;
- Multiple category 2 non-conformities against a standard requirement, which has therefore been determined to lack effective implementation within the management system;
- A category 2 non-conformity where the required corrective measures have not led to effective implementation; this is upgraded to a category 1 finding.
The correction, the root cause analysis and a corrective action plan, together with sufficient evidence of their implementation, must be submitted within 90 days of the last audit day. Assessment of deviations takes place by means of desk research. However, depending on the severity of the findings, the auditor may conduct a follow-up visit to confirm that the measures have been taken, evaluate their effectiveness, and determine whether nomination for certification or continuation of the certificate can take place.
Minor non-conformity (Category 2 deviation):
A lack of discipline or control in the implementation of system or procedural requirements, which does not affect the functioning of the system and/or the fulfilment of the requirements regarding the product/service.
The correction, root cause analysis and corrective action plan should be approved by the lead auditor and the verification of the implementation and assessment of the effectiveness of the corrective actions should take place at the next visit.
Observation:
An observation is not a shortcoming in itself, but can indicate a possible future shortcoming if the situation receives too little attention. An observation may also relate to a situation where no appropriate evidence is found to support the finding of a deficiency.
Recommendations for improvement
Recommendations for improvement relate to areas and/or processes where the minimum requirements of the standard may be met, but where improvement is possible.