Information security problems remain a present concern. An information security management system that complies with the requirements of the international standard ISO 27001:2005 helps an organization protect its assets and ensure the integrity, reliability and confidentiality of its information.
An information security management system (ISMS) is the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security.
ISO 27001 specifies requirements applicable to organizations of any type, regardless of their size, area of activity or geographical location.
History of the standard
In response to growing demand, a working group devoted to the development of information security standards was established in the early 1990s, resulting in a “Code of Practice for Information Security Management” published in 1993. This work evolved into the first version of the British standard BS 7799, released in 1995. In 1998 BS 7799 was revised; by then the standard consisted of two parts, the first containing the code of practice and the second the requirements for information security management systems.
In the course of further revisions the first part was published as BS 7799:1999, Part 1, and then as ISO 17799:2000. ISO 17799 was subsequently revised again and published as ISO 17799:2005, after which it was renumbered ISO 27002:2005. A new revision of the second part of the British standard was issued as BS 7799:2002, Part 2, and in June 2007 it was published by ISO, the International Organization for Standardization, as ISO 27001:2005.
Structure of the standard
The international standard ISO 27001:2005 specifies the requirements for such a system; in compliance with them, an ISMS shall be based on the following key components:
The requirements specified in ISO 27001 are general and are designed to apply to all organizations, regardless of their type, size and characteristics. ISO 27001 provides for:
- definition of objectives, direction and principles of activity in respect of information security;
- definition of the organization’s approaches to risk assessment and risk management;
- management of information security in compliance with applicable legislative and regulatory requirements;
- application of the process approach to the development, implementation, operation, monitoring, review, maintenance and improvement of the management system so that information security objectives are met;
- definition of the information security management system processes;
- determination of the status of information security arrangements;
- use of internal and external audits to determine the degree to which the information security management system complies with the requirements of the standard;
- provision of adequate information on the information security policy to partners and other stakeholders.
Integration with other standards
An information security management system can be integrated with any other management system, e.g. a quality management system compliant with ISO 9001, an environmental management system compliant with ISO 14001, a service management system compliant with ISO 20000, and others.
Currently, the series of standards describing the information security management system model includes:
- ISO/IEC 27000:2009, Information technology. Security techniques. Information security management systems. Overview and vocabulary; provides the glossary for information security management systems;
- ISO/IEC 27001:2005, Information technology. Security techniques. Information security management systems. Requirements;
- ISO/IEC 27002:2005, Information technology. Security techniques. Code of practice for information security management; provides a code of best practice for information security management;
- ISO/IEC 27003:2010, Information technology. Security techniques. Information security management system implementation guidance;
- ISO/IEC 27004:2009, Information technology. Security techniques. Information security management. Measurement; covers metrics and the assessment of information security management systems;
- ISO/IEC 27005:2011, Information technology. Security techniques. Information security risk management;
- ISO/IEC 27006:2011, Information technology. Security techniques. Requirements for bodies providing audit and certification of information security management systems;
- ISO/IEC 27007:2011, Information technology. Security techniques. Guidelines for information security management systems auditing; specifies the main requirements for information security auditors in addition to the requirements of ISO 19011;
- ISO/IEC TR 27008:2011, Information technology. Security techniques. Guidelines for auditors on information security controls; focused mainly on auditing information security controls and closely related to ISO/IEC 27002;
- ISO/IEC 27011:2008, Information technology. Security techniques. Information security management guidelines for telecommunications organizations based on ISO/IEC 27002;
- ISO/IEC 27031:2011, Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity;
- ISO/IEC 27799:2008, Health informatics. Information security management in health using ISO/IEC 27002; provides guidance on implementing ISO/IEC 27002 in the medical sphere.
Benefits of implementation and certification
- greater trust of customers, partners and other stakeholders, international recognition and promotion of the company’s image on the domestic and foreign markets;
- demonstration of a defined level of information security, ensuring the confidentiality of all stakeholders’ information;
- increase in the value of intangible assets and decrease in insurance premiums, which adds value to the company;
- decrease in operating costs and elimination of cross-financing within the framework of a unified ISMS;
- broader opportunities for the company to participate in government contracts.
Why Russian Register?
Certification of your information security management system by Russian Register allows you to obtain:
- confirmation of the conformity of your information security management system from a leading Russian certification body holding international ANAB accreditation;
- a certificate of conformity to the requirements of ISO/IEC 27001:2005 from IQNet, the International Certification Bodies Association;
- the opportunity to certify an integrated management system for compliance with the requirements of two or more standards;
- the opportunity to use the transfer procedure;
- the opportunity to reduce service costs by engaging qualified auditors from the nearest branch or representative office, located not only in the Russian Federation and the CIS but also abroad;
- a wide range of courses and seminars.
Certification by Russian Register is your contribution to the global practice of information security management and gives you the chance to develop your own unique system and join the ranks of leading organizations.
Application documents
- Declaration-Request for preliminary assessment / certification of a management system
- Annex to the Declaration-Request for multi-site organizations
- Annex to the Declaration-Request: Questionnaire on the Information Security Management System
- Criteria for the applicant’s evaluation of the management system integration level when completing the Declaration-Request