The latest edition of this FAQ has been published, and contains the following additional frequently asked questions:
1) Why has ISO 17799 been renamed to ISO 27002?
The rename was initiated by ISO, who wanted to align the information security standards under a common naming structure (the 'ISO 27000 series').
2) Which ISO 27002 controls are most important?
That largely depends upon the individual organization. However, ISO 27002 does give some guidance, in the form of 'legislative essentials' and 'common best practice' under the information security "starting point" section. These are:
- intellectual property rights (12.1.2)
- safeguarding of organizational records (12.1.3)
- data protection and privacy of personal information (12.1.4)
- information security policy document (3.1.1)
- allocation of information security responsibilities (4.1.3)
- information security education and training (6.2.1)
- reporting security incidents (6.3.1)
- business continuity management (11.1)
3) What is a Certification body?
An accredited certification body is a third party organization that assesses/certifies the IS management system against the standard (BS7799-2 / ISO 27001).
4) Who are the Accredited Certification bodies for the standard?
There are a growing number of organizations accredited to grant certification against ISO 27001. The following are amongst them: BSI, Certification Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH.
5) How do I become a certified auditor?
The International Register for Certified Auditors operates a certification scheme for ISMS auditors.
6) How does this standard fit with ISO 9000?
ISO 27001 is actually being "harmonized" with other management standards, including ISO 9000 and ISO 14000. Watch this space!
7) Who originally wrote the security standard?
Originally a BSI/DISC committee, which included representatives from a wide section of industry/commerce. It was subsequently reviewed by an ISO (International Standards Organization) committee and ultimately emerged through the ISO publication process.
8) What is the ISO 27000 Toolkit?
This is the main support resource for the standard, including the standard itself, ISO 27002 policy, etc.
9) What is ISO/IEC Guide 62?
This is largely for those bodies operating certification schemes and contains general requirements applicable to them.
10) What is ISO 27001?
BS7799-2, the original specification for an information security management system, was 'fast tracked' by ISO to become ISO 27001 in 2005.