Wednesday, 13 April 2016

Planning for ISO 27001 - Part 2

Software application development companies

ISMS—Planning for ISO

ISO/IEC 27001 details 133 security controls, organized into 11 sections and 39 control objectives. These sections specify best practices for:
• Business continuity planning
• System access control
• System acquisition, development and maintenance
• Physical and environmental security
• Compliance
• Information security incident management
• Personnel security
• Security organization
• Communications and operation management
• Asset classification and control
• Security policies

The ISMS may be certified as compliant with ISO/IEC 27001 by a number of accredited registrars worldwide. ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage audit process:

Stage 1—An informal review of the ISMS that checks the existence and completeness of key documents such as the organization’s security policy, the Risk Treatment Plan (RTP) and the Statement of Applicability (SOA).

Stage 2—Independent testing of the ISMS against the requirements specified in ISO/IEC 27001. Certification audits are conducted by ISO/IEC 27001 lead auditors.

Stage 3—Follow-up reviews or periodic audits to confirm that the organization (e.g. a software application development company) remains in compliance with the standard. Maintaining the certification requires periodic reassessment audits to confirm that the ISMS continues to operate as specified and intended. Independent assessment necessarily brings rigor and formality to the implementation process, and the process must also be approved by management. ISO/IEC 27001 certification helps to assure business partners of the organization’s information security status without the partners having to conduct their own security reviews.


As with all compliance and certification initiatives, consideration of the organization’s size, the nature of its business, the maturity of its processes and the commitment of senior management is essential to implementing ISO 27001. The departments and activities most vital to the success of the project include:

Internal audit—In the initial planning phase, input from internal audit is useful in developing an implementation strategy, and early involvement of internal auditors helps during the later stages of certification that require management review.

IT—The IT department will have to dedicate resources and time to the activities associated with the ISO 27001 initiative. An inventory of existing IT compliance initiatives, policies and procedures, together with the maturity of existing IT processes and controls, helps in understanding how current processes align with ISO 27001 requirements.

Although implementation of policies and procedures at software companies is largely perceived as an IT activity, other departments play a very important role in the implementation. For example, facilities management is largely responsible for physical security and access controls.

Decision Making

The decision of when and how to implement the standard may be influenced by a number of factors such as:
• Business objectives and priorities
• Existing IT maturity levels
• User acceptability and awareness
• Internal audit capability
• Contractual obligations
• Customer requirements
• The firm’s ability to adapt to change
• Adherence to internal processes
• Existing compliance efforts and legal requirements
• Existing training programs

Author Signature: Shreyans Agrawal
