Thursday, December 18, 2008

The growing accreditation of IT security tools and processes

Vincent Villers, Partner at PwC Luxembourg and Marc Sel, Director at PwC Belgium
Business review, December 2008

For a long time, Information Security has had many technical standards but has been lacking a minimal consensus in the area of management and responsibilities. The BSI (British Standards Institute) put forward their 7799 standards, which were well accepted and evolved into the ISO (International Standards Organisation) world. Fundamental to the ISMS (Information Security Management System) standard is the typical management organisation model ‘Plan-Do-Check-Act’:

[Figure: the Plan-Do-Check-Act cycle]

ISO 27001 is commonly used as a term to refer to a family of interrelated standards:

• 27000 ISMS fundamentals and vocabulary
• 27001 ISMS requirements (absorbing parts of ISO 13335)
• 27002 Code of practice (based on the BSI 7799)
• 27003 ISMS implementation guidelines
• 27004 Information security management measurements
• 27005 ISMS risk management (absorbing parts of ISO 13335)


Structure of ISO 27001

The main standard document ISO 27001 addresses requirements for the Information Security Management System, as well as how to establish, manage and monitor the ISMS. It continues by addressing ISMS responsibilities, as well as audit and management review aspects.

The ISO 27001 certification process

In many countries, certification bodies have been established under the umbrella of accreditation bodies. For example, one of the authors, Marc Sel, is accredited Lead Auditor for PwC’s Certification Body ‘PwCC B.V.’, which is on a peer level with the BSI, TÜV and KEMA [1]. PwCC B.V. is in turn accredited by the Dutch Accreditation Body (‘Raad voor Accreditatie’).

The International Register of ISMS accredited certificates lists those certificates that have been awarded to organisations that have gone through an accredited certification process in line with the ISMS standard BS 7799 Part 2:2002 and ISO/IEC 27001:2005 (i.e. the revised version of BS 7799 Part 2:2002).

This register has been produced in cooperation with the international network of certification bodies and is managed and maintained by the ISMS International User Group (IUG). It is updated on a regular basis in co-operation with the certification bodies. The entries in this register have been supplied by those certification bodies that have carried out the ISMS certification.

The increasing interest in ISO 27001 certification

By November 2008, almost 5,000 ISMS certificates had been issued (4,987 to be precise [2]). The top five countries with the highest number of certificates today are Japan, India, the UK, Taiwan and China. They are followed by Germany and the USA.

The best advice to follow is to centralise core IT services in larger data centres. For example, the data centres of PwC Yemen, UK, Hong Kong, China and USA have been secured by us and accredited by the BSI against ISO 27001:2005. This gives us a strong background when helping customers prepare for such certification or improve their security posture.

In Luxembourg, only one company is registered as being accredited against the standard so far. However, considering the current trend of financial institutions to focus on their core business by considering the outsourcing of several functions, coupled with the increasing need to embed trust in business relationships, all conditions are fulfilled to lead to a growing interest in this certification. Indeed, unlike the current perception of other standards, ISO 27001:2005 relies upon clear requirements and implementation guidelines that provide sufficient transparency to bring the required level of comfort that an accredited company meets an adequate level of security, and so to build trust with its stakeholders. The implementation of an ISO 27001 ISMS is clearly becoming an optimal approach to help organisations tackle the current regulatory requirements with regard to Information Technology controls.

Finally, rather than individually answering each request for compliance, it is advised to look at the requirements holistically and build a framework that allows an organisation to demonstrate compliance against a broad set of regulations, re-using the same set of well-defined controls. The implementation of such a control framework makes demonstrating compliance significantly less expensive.

[1] BSI British Standards is the National Standards Body of the UK; TÜV Rheinland Group is a leading provider of technical services worldwide; KEMA is a commercial enterprise specialising in high-grade business and technical consultancy, inspections and measurement, testing and certification.
[2] The status of the official ISO 27001 certificates is available at www.iso27001certificates.com

Source: PwC

30 comments:

Unknown said...

Good explanation about ISO 27001 Certification and key strategies. This will definitely benefit all.

Iso 27001 Certification

Unknown said...

The concept of this blog really deserves appreciation. I must say to the admin that you are doing very great work in this blog. Thanks for sharing and please keep posting.
ISO Certification in India

Unknown said...

Thanks for sharing the valuable information. This is useful information for online learners. Qadit offers ISO Lead Auditor Training for Information Security Management System (ISMS) in Telangana. An ISMS protects not simply information residing in electronic format on a computer or network, but also paper-based information. ISMS in Telangana

Unknown said...

This is the best blog on the web which gives neat details to all users and also includes the basic strategy to show customer fulfillment. I really like reading this post and thanks for sharing.
ISO Services in Lucknow | ISO 9001 Certification Lucknow

Loginfotech said...

qscert singapore is the leading iso certification bodies provider iso 9001, iso 9000, iso 18001, bs ohsas, iso 14001, iso training management system, iso certification,iso certification singapore,iso certification bodies,iso training,iso management in singapore,iso training in singapore,iso management in singapore,iso consultancy,iso 9001 certification in singapore,iso 9000 certification in singapore,iso 18001 certification in singapore,bs ohsas 18001 certification in singapore,iso consultancy in singapore,iso quality management in singapore,iso certification bodies,iso certification company in singapore,certification body singapore,iso 14001 singapore,iso consultants,iso singapore. Read More.

sanjeevkumar said...

Hi
Nice post. Thank you for sharing such informative information with us.
ISO 27001 – ISMS
ISO 27001 – ISMS was created to help manage information security, define expectations to mitigate risks and prevent negative consequences.
ISO 27001 – ISMS

Anonymous said...

Thanks for sharing the useful information.
ISO 27001 Certification
ISO 22000 Certification

Julia John said...

Good day. I was impressed with your article. Keep it up . You can also visit my site if you have time. Thank you and Bless you always.


iso 27001 lead auditor online training

Arya Rishi said...


Thanks for sharing the valuable information. This is useful information for online learners

ISO 27001 Lead Auditor Course

jesvindavid said...

Thank you so much for sharing this great blog. Very inspiring and helpful too.


ISO 27001 Certification

Michael Smith said...

It is really very helpful for us and I have gathered some important information from this blog.

ISO 27001 Certification

Arya Rishi said...

This post is really nice and informative. The explanation given is really comprehensive and informative..

ISO 27001 Certification

Inncrewin Technologies said...

Hey,
Useful information for SaaS Builder. We are also a SaaS Development Company and we have a certain track record in SaaS development. We have delivered 7 successful SaaS products.

Tanya Chua said...

My cousin recommended this blog and she was totally right keep up the fantastic work!

iso certifying body in the hong kong

Tanya Chua said...

My cousin recommended this blog and she was totally right keep up the fantastic work!

iso 45001 internal auditor training

James Williams said...

Hi, clear explanation, keep it up

ISO 9001 Certification France

neumetric said...

Thanks for sharing such beautiful information with us. Please keep sharing!

ISO 27001 Compliant Companies In India

Managed Security Services

ISO 27001 Certification

Jessica said...

This post is really nice and informative. The explanation given is really comprehensive and informative..

iso 9000 malaysi

James Paul said...

This post will be very useful to us....i like your blog and helpful to me....nice thoughts for your great work....


iso 22000 certification

Anonymous said...


iso 27001 certification germany

Very nice and useful blog

Sana Shren said...

This is really interesting, you’re a very skilled blogger. I have bookmarked this article page as I received good information from this

ISO 27001 India

Neha said...

I recently came across your blog and have been reading along. I thought I would leave my first comment.
ISO certifying body in the hong kong

Shikha Kumari said...

Good day. I was impressed with your article. Keep it up . You can also visit my site if you have time. Thank you and Bless you always.
iso certifying body in the hong kong

Sharda Kumari said...

I believe there are many more pleasurable opportunities ahead for individuals that looked at your site
iso certifying body in the hong kong

ISO Consultant said...

I have been surfing online more than three hours today, yet I never found any interesting article like yours on ISO 27001 lead auditor training it is pretty worth enough for me. Get more information about ISO 27001 lead auditor training on https://www.punyamacademy.com/course/isms/iso-27001-lead-auditor-training

rajkumarias said...

International Organization for Standardization (ISO) is famous for creating standards for business in quality, safety, and environment management system. ISO 14001 Certification in Hong Kong| Short Audit and Reports | certificate in record time | Simple-Transparent | Contact:enquiry@iascertification.com. Call @+6531591803

jobinwason said...

Thanks for sharing.
iso 27001 certification

Aishah Mahsuri said...

Excellent blog! I read this article and I got far more about

isms certification

Rittu Mittal said...

I just want to thank you for sharing your information and your site or blog. This is simple but nice information, I like it, I learned something today. ISO 27001 Certification

Kanishka said...

Thanks for sharing such a great blog Keep posting..
iso 27001 certification