means that it mandates specific requirements. Organizations that claim to have adopted ISO 27000 series can therefore be formally audited and certified compliant with the standard.
Though ISO 27000 certification involves a three-stage audit process, the standard itself consists of twelve (12) main sections:
- Risk assessment
- Security policy - management direction
- Organization of information security - governance of information security
- Asset management - inventory and classification of information assets
- Human resources security - security aspects for employees joining, moving and leaving an organization
- Physical and environmental security - protection of the computer facilities
- Communications and operations management - management of technical security controls in systems and networks
- Access control - restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance - building security into applications
- Information security incident management - anticipating and responding appropriately to information security breaches
- Business continuity management - protecting, maintaining and recovering business-critical processes and systems
- Compliance - ensuring conformance with information security policies, standards, laws and regulations
Within each section, information security controls and their objectives are specified and outlined. The controls are generally regarded as "best practice" means of achieving those objectives, and implementation guidance is provided for each of them. No specific control is mandated.
If you want your organization to obtain ISO 27000 series certification, contact CounterStrike for the best method of achieving this ISMS compliance.