Frequently Asked Questions, ISO / IEC 27001:
- What is an Information Security Management System (ISMS)? An ISMS is the part of an overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security. Several frameworks can serve as its basis, such as COBIT, ISO / IEC 27001 and others. An ISMS starts from a risk assessment; from there the organization selects and implements controls that keep information secure in line with its legal and business obligations, and those controls can then be assessed for the purpose of attestation, validation and certification.
- What is a System of Information (part of an Information Security Management System)? A system of information covers the collection of data and its processing within a system structure for the storage and use of data and information. Within an ISMS it includes the personnel, devices, equipment, software, services, resources and other factors involved in providing or distributing that data and information.
- What is the Statement of Applicability (SOA)? The SOA is an explicit document that identifies the controls chosen for a given organization's threat and risk environment and justifies why they are appropriate. It is built from the results of the risk assessment, using ISO / IEC 27001 as the management tool for guidance. The SOA must directly relate each selected control back to the original risk it is intended to mitigate. Controls are normally selected from ISO / IEC 27002, but proprietary controls may also be included, and a number of sector-specific schemes are being introduced that stipulate additional mandatory controls. The SOA should reference the nodes, workflows, policies and the selected controls that are implemented, together with any exclusion of ISO / IEC 27001 (Annex A) controls and the justification for it. Implementation based on ISO / IEC 27002 is a next step after the Statement of
- What is risk assessment within an ISMS? Risk assessment comprises the activities that identify threats and rank the resulting risks in accordance with the ISMS. It includes evaluating and classifying the risks to each node: the impact of an adverse event and the likelihood of its occurrence. The objective of the risk assessment is to provide a basis for selecting security controls and countermeasures.
- What is a Business Continuity Plan (BCP)? Business continuity is an integral part of information security management. The goal of business continuity management is to protect business processes from the effects of failures or disasters, whether man-made or natural. With control measures focused on prevention and on a reactive plan, the effects of disruptions are reduced to an acceptable limit, with the aim of never reaching the crisis stage. A BCP is also integral to the business being able to fulfil its role within the supply chain. The BCP categorizes nodes and operations by relevance, defines roles during contingencies, and specifies the actions to be performed so that recovery is timely. Simulations and drills are required to assure that the BCP is up to date and effective.
Business continuity plans are also called disaster recovery or contingency plans.
- ISO / IEC 27001, ISO / IEC 27002 and ISO 9001..., what are these? These are international management system publications that market sector entities may opt to use for third-party attestation and certification. The BRS approach to ISMS is a regulatory-based management scheme that helps client organizations adhere to their legal and regulatory obligations. ISO / IEC 27001 is the management tool within information technology security techniques for information security management systems; it contains the specification (the requirements) for an ISMS.
ISO / IEC 27002 is the companion code of practice for information security management: it provides implementation guidance for the controls, but it is not a mandate unless made so by law.
In comparison, ISO 9001 is the publication for quality management systems; it is a contemporary management system standard built on the Annex SL structure.
- What is the ISO (International Organization for Standardization)? ISO is an international, non-governmental organization, headquartered in Geneva, that publishes technical specifications and management system standards which organizations adopt voluntarily. ISO itself does not carry out, and has no jurisdiction over, the business activities of certification or accreditation.
- What is Certification? Certification is a voluntary arrangement in which a third party attests and confirms that process-based operating procedures meet agreed criteria. An organization can achieve certification for a defined scope of its activities. Accredited certification means that the certification is valid through an accreditation body which carries government recognition; an example of a government-recognized accreditation entity is the GlobalNet Oversight Board (GOB), a Public Trust. BRS USA carries out its operational activities under GOB accreditation and, as chosen per world region, under local accreditation.
- What is accreditation? Accreditation is the instrument applied by a (government-)recognized entity to assure the competence and impartiality of a body performing particular activities related to certification, validation and others such as inspection. The preference is that accreditation serves a purpose other than a commercial one (even where the body claims non-profit status), within a free market economy.