FAQs
CERTIFICATION
If an organisation says they are compliant with ISO/IEC 27002 does this mean they have been certified?
• NO.
• ISO/IEC 27002 is not a certification standard.
• The only standard that can be used for certification is ISO/IEC 27001.
Who is allowed to undertake ISO/IEC 27001 certification audits and award certificates?
• Certification audits are carried out by an accredited certification body.
• To become accredited, the certification body needs to be assessed by a national accreditation body; examples are UKAS (UK), SWEDAC (Sweden), KBA (South Korea), JIPDEC or JAB (Japan) and RBA (USA).
• Certificates are awarded by the certification body upon successful completion of a certification audit.
How long is an ISO/IEC 27001 certificate valid for?
• An accredited certificate is valid for three years, after which the organisation can choose to have its ISMS re-certified.
• During the three-year period the certification body will undertake a number of surveillance audits to check that the ISMS is being maintained and updated to an effective level of information security.
WHAT ARE THE ISMS STANDARDS
Are ISO/IEC 27001 and ISO/IEC 27002 IT security Standards?
• NO, they are both information security standards.
What does ISO/IEC 27001 cover?
• This standard covers the processes needed to establish, implement and deploy, monitor and review, and maintain and improve an ISMS.
• It covers processes such as risk assessment, risk treatment, selection of information security controls, monitoring activities, management reviews, measuring the effectiveness of information security, the incident handling process, and corrective and preventive activities.
• An Annex (A) contains a range of controls that can be selected to manage the risks identified through the risk assessment and treatment processes.
What does ISO/IEC 27002 cover?
• This standard is a code of practice, which means it contains a set of best-practice controls that are used throughout the business world.
• In addition to defining each control, it also provides implementation guidance for the control.
• The controls given in ISO/IEC 27002 are expressed as “should” statements, which means they are recommendations rather than compliance statements. The controls in Annex A of ISO/IEC 27001, which are the same set of controls, are expressed as “shall” statements, which makes them formal compliance statements; this is why ISO/IEC 27001 can be used for certification purposes.
Can an organisation get a certificate by just implementing the controls in ISO/IEC 27001?
• NO.
• An organisation needs to have implemented all the requirements specified in ISO/IEC 27001 relating to the processes defined in this standard. So, for example, it must have undertaken a risk assessment in order to decide which controls it should select from Annex A.
Can ISO/IEC 27001 and ISO/IEC 27002 be used by small businesses?
• YES.
• These standards are very flexible and suit all business needs, irrespective of the size or nature of the business.
Can ISO/IEC 27001 and ISO/IEC 27002 be used by all types of organisation: commercial, government and not-for-profit?
• YES.
• There are many examples of organisations in all these categories that have been certified.