
ISO/IEC 27001 is an internationally recognized standard for Information Security Management Systems (ISMS). It helps organizations and businesses build a structured approach to managing information security, reducing risks, and increasing trust. For any organization, achieving ISO/IEC 27001 certification is an important milestone, showing that its information security management meets international standards.
Before you start applying for ISO/IEC 27001 certification, it's helpful to understand a few key organizations involved in the process:
- ISO: Develops standards (such as ISO/IEC 27001).
- IAF (International Accreditation Forum): Sets global accreditation rules to ensure that certification systems from different countries are mutually recognized.
- AB (Accreditation Body): National or regional bodies that accredit Certification Bodies (CBs). Examples include:
  - Taiwan: TAF (Taiwan Accreditation Foundation)
  - USA: ANAB (ANSI National Accreditation Board)
  - Japan: JAB (The Japan Accreditation Board for Conformity Assessment)
  - Germany: DAkkS (Deutsche Akkreditierungsstelle)
  - UK: UKAS (United Kingdom Accreditation Service)
  - France: COFRAC (Comité Français d'Accréditation)
- CB (Certification Body): These are the organizations that, once accredited by an AB, can perform ISO 27001 audits and issue certificates. Examples: SGS, A-LIGN, BSI, TÜV, JQA.
The role of an AB in ISO/IEC 27001 is to ensure that the CBs are credible and internationally recognized, but the AB itself does not issue certificates.
In simple terms:
ISO sets the standard → IAF sets accreditation rules → AB accredits CB → CB audits → Organization receives ISO 27001 certificate
Before going for ISO/IEC 27001 certification, it's helpful to have a basic understanding of how the standard's clauses, documented procedures, and actual implementation relate to each other.
ISO 27001 Standard Clauses
The standard is mainly divided into two parts:
1. Management System Requirements (Clauses 4–10)
- Clause 4 – Context of the Organization: Define the scope, stakeholders, and ISMS boundaries.
- Clause 5 – Leadership: Top management commitment and information security policy.
- Clause 6 – Planning: Risk assessment and risk treatment plan.
- Clause 7 – Support: Resources, personnel competence, documented information.
- Clause 8 – Operation: Implement risk treatment measures.
- Clause 9 – Performance Evaluation: Monitoring, internal audits, management review.
- Clause 10 – Improvement: Continual improvement and corrective actions.
2. Annex A – Control Objectives and Controls
- 93 controls in the 2022 version, covering areas like:
  - Information security policies
  - Human resource security
  - Asset management
  - Access control
  - Cryptography
  - Supplier relationships
  - Incident management
  - Business continuity
  - Compliance with legal requirements
Key Documents to Prepare
- ISMS Scope Statement
- Information Security Policy
- Risk Assessment Report
- Risk Treatment Plan
- Statement of Applicability (SoA) – lists which controls are applicable or excluded
- Procedure documents – e.g., access control, backups, incident management
- Records – e.g., internal audit reports, management review minutes, evidence of process execution
How Implementation Works
- Risk Management: Identify assets, threats, and vulnerabilities, then define controls.
- Technical Controls: Firewalls, encryption, access permissions.
- Organizational Controls: Employee training, roles and responsibilities.
- Continual Improvement: Regular audits and corrective actions.
In simple terms:
ISO/IEC 27001 clauses → organization creates corresponding procedures → execute processes and keep records
(Say it, write it, do it – all consistent)
About the "Four-Level Documents"
Some people ask if you must create the classic four-level documents (Policy → Procedure → Work Instruction → Records).
The short answer: ISO/IEC 27001 does not require a strict four-level structure.
It's not mandatory, but many organizations adopt a similar hierarchy for clarity and ease of implementation.