ISO 27001

For various reasons, ISO certification is increasingly being considered by US-based organizations seeking to demonstrate their information security acumen to customers and business partners. In most cases, these organizations have already achieved one or more certifications and/or attestations and are simply looking to further bolster their organizational credentials and satisfy any inquiring third parties. While commendable, the effort can be hindered by thinking that ISO is just one more security framework against which existing policies, procedures, and controls can be applied. The simple truth is that if you think successes in other compliance endeavors provide some assurance of ISO certification, then you need to think again.

For any organization considering ISO certification, LBMC is here to answer common questions, dispel common myths, and, most importantly, provide readers with valuable information to start a successful ISO certification journey.

What is ISO 27001?

The International Standards Organization is an independent body with the objective of publishing standards for any organization, irrespective of industry, to follow. As defined on their website, standards are “a formula that describes the best way of doing something.” These include quality and environmental management standards, health and safety standards, food safety standards and, of course, information security standards. Standards are published in numbered series and each series contains multiple individual documents that pertain to some aspect of the subject matter. In most cases, the “01” document in each series (e.g. 9001, 14001, 27001) is the standard against which an organization can be certified. All other documents in the series are supporting documents for the certification standard.

The ISO 27000 series is the established series for Information Security Management Systems. Management systems are the policies, procedures, and resources used to protect the confidentiality, integrity, and availability of information. The 27001 standard, ISO/IEC 27001:2013 at the time of this writing, is the standard against which an organization can be certified. This ISO certification demonstrates to interested parties an organization’s dedication to effectively managing risk and the security of critical information systems.

Incidentally, IEC in the document title refers to the International Electrotechnical Commission, a similar standards organization that contributes to ISO standards involving technical activities.

Why is ISO 27001 important?

While US-based organizations are subject to a number of industry and regulatory frameworks that guide cybersecurity and compliance efforts, ISO 27001 is the de facto information security standard outside the United States. For organizations with customers and other business relationships outside the US, ISO certification is commonly expected to demonstrate an organization’s commitment to effective risk management and information security. The core of the ISO standard is the establishment of a formal management structure around the ISMS to ensure its continual effectiveness. This effectiveness must be demonstrated to obtain and maintain certification. ISO is not a “checkbox security” framework.

Organizations frequently leverage the Information Security Management System established for ISO certification to manage other compliance initiatives such as SOC, PCI, and HITRUST. For example, while performing the annual ISO internal audit, they take the opportunity to validate whether controls are still meeting the requirements of other compliance standards. Then, as part of the ISO certification management review process, they take the opportunity to review their other compliance programs for changes in scope, changes in the risk or threat landscape, and any associated internal audit findings. For security managers seeking senior management approval to pursue ISO certification, this is an effective tool to justify the resources needed to establish and maintain an ISO compliance program.

What are the ISO 27001 requirements?

ISO standard documents follow a common format in which the content is divided into numbered clauses. The clauses establish the scope of the given standard, provide references to other supporting or related standards, define the terms and definitions used in the standard, and establish the requirements or expectations of the standard. Standards often include annexes or appendices providing supporting guidelines for requirements and expectations contained in the preceding clauses.

The ISO 27001 standard consists of 26 clauses and 114 control requirements. The clauses establish the foundational elements of the information security management system (ISMS) that the organization must have in place to manage risk and secure information. These requirements are unique to the ISO 27001 standard. Unlike other information security compliance frameworks, the clauses establish requirements for the ongoing direction and oversight of the ISMS. These include activities such as an organizational risk assessment and treatment analysis, periodic management reviews of the ISMS, an annual internal audit of the ISMS, and ongoing monitoring and measurement of the effectiveness of security controls.

The second half of the standard, titled Annex A, consists of the ISO 27001 control requirements. The control requirements will be more familiar to information security practitioners in that they are the tactical requirements to be utilized by the organization to treat security risks and threats. These include access and authentication, logging, encryption, incident response, and other control categories that organizations implement as part of their various security and compliance initiatives. Unlike some cybersecurity frameworks, the ISO control requirements are not prescriptive. In other words, ISO 27001 does not establish minimum password settings, log retention periods, or cryptographic key lengths. Instead, ISO establishes the controls that must be considered by the organization. The organization then determines which controls are applicable to the environment and sufficiently treat the identified risks. The auditor’s role, therefore, is to determine whether the controls are implemented as defined and whether they sufficiently address the risks for which they are implemented.

Is ISO 27001 a legal requirement?

ISO 27001 is not a legal requirement per se. Organizations may, however, establish contractual obligations for earning and/or maintaining ISO 27001 certification as part of their business relationships. ISO 27001 certification may be utilized and/or accepted by organizations as a means to demonstrate adherence to industry and regulatory information security requirements.

What are the three aspects of information that ISO 27001 focuses on?

While an organization’s ISMS addresses the security of multiple aspects of the organization’s hardware, software, and data assets, the ISO 27001 standard focuses on the confidentiality, integrity, and availability of information.

  1. Confidentiality is the protection of information from unauthorized access.
  2. Integrity is the protection of information from unauthorized modification.
  3. Availability is the assurance that information is accessible when it is needed.

The end result of achieving ISO 27001 certification is the organization’s assurance to its customers, business partners, and other interested parties that information for which the organization is responsible is at minimal risk of compromise.

What are the current ISO 27001 standards?

ISO/IEC 27001:2013 is one of many standards and supporting documents in the 27000 series for Information Security Management Systems. While there are several related guidelines and supporting documents in the 27000 series, 27001 is currently the only standard in the series against which an organization can be certified.

How do you get ISO 27001 certified?

The organization must be audited by an independent third party. Any auditor may issue a certification, but it is recommended to engage an accredited ISO 27001 Certifying Body to perform the audit. Accredited Certifying Bodies are themselves subject to regular independent audits to validate that they are reputable, competent, and trustworthy. This provides assurance to the organization, and any interested parties, that the audit was conducted, and the certificate issued, in accordance with all relevant ISO standards.

To pass the initial ISO 27001 certification audit, the organization must demonstrate that its ISMS is fully implemented and effective. To do this, the organization will need to have implemented all requirements established in the ISO 27001 clauses and Annex A controls. To demonstrate this effectiveness, ISO auditors generally look for a complete iteration of the PDCA (Plan-Do-Check-Act) cycle. For mature organizations that already have ISMS components and controls in place, this may take as little as four to six months of preparation for the initial certification. For others, a minimum of one year may be necessary to establish the ISMS and associated controls to be ready for their initial certification audit.

Because preparing for the initial audit requires significant effort, many organizations engage a third party to assist in establishing their ISMS. Third parties may simply oversee and provide guidance while the organization implements its ISMS, or they may take part in the work in whole or in part. Regardless of how involved they are, a third party that provides implementation assistance should not, and in accordance with some accreditors cannot, also perform the organization’s certification audit. This helps avoid a conflict of interest between the implementing and auditing entities.

Contact Us

Brian Willis, CISSP, CCSK, PCI QSA, ISO 27001 Senior Lead Auditor, is a Senior Manager in the Cybersecurity division of LBMC, PC. He can be reached at or (615) 309-2607.