Brief introduction
As in the world, continues to develop the level of information, information security has become the focus of attention, the various institutions worldwide, organizations and individuals are exploring how information security issues. Britain, the United States, Norway, Sweden, Finland, Australia and other countries have developed national standards related to information security, the International Organization for Standardization (ISO) has published ISO17799, ISO13335, ISO15408 and information security and other relevant international standards and technical reports. Information security management, the British Standard ISO27000: 2005 has become the world's most widely used and typical information security management standard, which is worked out in the BSI / DISC of BDD / 2 Information Security Management Committee guidance.
The main content of the standard


ISO / IEC17799-2000 (BS7799-1) give advice on information security management, is responsible for its organization started implementing or maintaining security personnel use. The standard provides a basis for common safety standards development organizations and effective security management practices, and to provide for the exchanges of trust between organizations.
Standard that "like other important business assets, the information is also an asset." It has the value of an organization, and therefore needs to be suitably protected. Prevent the risk of information security threats of information received, in order to ensure business continuity, so that business to minimize damage, so the maximum return on investment and business opportunities.
Information security is by implementing a suitable set of controls available. Control strategy can be, practices, procedures, organizational structures and software functions. The need to establish these controls to ensure that the specific security objectives of the organization.
 
ISO27001 certification requirements
 
ISO27001 standard is to, such as ISO9000 and ISO14001, etc. compatible with other management standards and design, the standard numbering system and file management needs is designed, it is to provide good compatibility, enabling organizations to establish such a sets management system: the ability to integrate any other management system of the organization is being used to the maximum extent. In general, organizations often use to provide certification services for ISO9000 certification or other management system certification bodies, to provide ISO27001 certification services. It is for this reason, in the process of establishing the ISMS system, quality management experience important.
But one thing to note, if an organization does not use any form of prior ownership and management system, does not mean that the organization could not be ISO27001 certified. In this case, the organization should consider the economic benefits, certification bodies choose a suitable management system to provide certification services. The certification body must be entrusted to a national accreditation body authorized to provide certification services for certification organizations and issue certificates. Most countries have their own national accreditation bodies (eg: UK UKAS), any agency of the institution authorized to obtain ISMS certification are documented.
Risk assessment response plan


The establishment and development of any one of ISMS system should meet the unique needs of your organization. Each organization not only has its own unique business model, operational objectives, image characteristics and internal culture, their attitude toward risk propensity is also very different. In other words, the same things, one must be wary of institutions and organizations considered to be a threat, in another organization it may seem a must seize the opportunity. Likewise, various institutions and organizations for the protection of both risk investment is also uneven. For these or other reasons, each running ISMS organization, whose members must have a consensus on the risk assessment, the risk assessment methodology, the results of discovery and recommendation solution must obtain the approval of the Board of Directors.
ISMS project and PDCA process


ISMS project is very complex, it may last several months or even years, involving the entire organization and every member of the organization to send and receive from management department. ISO27001 certification was born a short time, relatively few successful cases. From a pragmatic point of view, which shows that in the project planning process as early as possible to be the only guiding these books and case analysis and research.
ISO27001 standard guidance on how to proceed to carry out a business ISMS project and attention throughout the course of the project several important elements.
1950 W. Edwards Deming PDCA process proposed that the plan (Plan) - Executive (Do) - Check (Check) - upgrade (Act) process, intended to explain the business process should be continuous improvement, which makes the functional managers can identify those links need to be amended and corrected. The processes and process improvements, must follow such a procedure: first plan, and then execute, then evaluate its operating results, followed by the assessment in accordance with the specific requirements of the plan for review, and then find any results inconsistent with the plan deviation (ie the possibility of potential improvements), and concludes with a final report to management how to run.
ISO27001 certification audit costs and cycle


In addition to investment outside the organization itself, ISO27001 certification audit costs are mainly reflected in the hiring third-party certification bodies and auditors aspects of the. After the organization to apply to the certification bodies, certification bodies will organize a preliminary understanding of the status quo, to determine the scope of the audit, the audit proposed offer. Quote of the certification body is usually based on their investment of time and personnel to determine, the decision factors include:
1, the number of employees subject to audit organizations;
2, the amount of information included in the scope of the audit;
3, the number of places;
4, associated organizations with the outside world;
5, the complexity of the IT organization;
6, tissue type and nature of business and the like.
In addition to costs, certification audit cycle usually more concerned about the organization. In general, the construction project from start ISMS organizations began to eventually be approved, at least six months (not including acquisition time certificate). For many organizations because the external driving force committed to implementing ISO27001 certification program, the advance planning is necessary.