Thursday, October 9, 2008

ISO-27001 Quick Reference

I waffle on about this thing a lot - because I like it.

The fundamental triangle of all ISO business standards now rests upon ISO9001, ISO14001 and ISO27001. The documentation is meant to be structured in such a way that the “01″ document is the standard and the “02″ document is the guide. So ISO27001 is the standard and ISO27002 is the guide to that standard (neat).

Here’s a handy spider diagram that gives you all the headings from ISO27002. I use it as a quick tick list to guide people towards making a “scope of applicability” for their business security needs.

Note that the headings go from (4) to (15)…there is no (1) to (3)…this is one of the great unfathomable mysteries of ISO. We are unworthy of controls (1) to (3), perhaps in an afterlife these ultimate truths will be revealed to us…or maybe they just forget to include them, I dunno…

Anyway, I hope some folk find this useful



NoticeBored said...

Hi Fabio.

That's our spider diagram or mind-map, although I don't recall giving permission for it to be used on that website.

Anway there is an updated version of it at:

There are sections 0 through 3 in the standard, covering introduction, scope, references and that sort of thing. Section 4 on risk management is often ignored when people talk about the standard's main sections which is ironic really, since risk analysis is the recommended starting point when designing an Information Security Management System. Admittedly it is a short section in '27002, now significantly expanded in the recently released ISO/IEC 27005.

Keep up the good work Fabio. It's good to read about the organizations that are being ISO27k certified.

Kind regards,
Gary Hinson

ISO 27001 Certification said...

In case the quality of a product falls after gaining the certification then government can also take necessary action and cease the certification anytime. That is why manufacturer does not want to lose ISO certification tag and thus spend money in giving ISO 22000 to managers and auditors time to time.