In implementing ISO27000 (ISO27001&27002) I am wondering where I can download and review the standard? I wish to start implementing it but I am a bit stumped on where to start.

Some sites offer to sell some PDF's that supposedly includes best practices on implementing the standard, but right now I need to review the standard and make up my own opinions on how to start implementing it.

Chris Dale

  • Unfortunately, I do not believe that ISO standards are free. – logicalscope Jul 04 '12 at 13:24
  • @logicalscope, Can you recommend any vendors or where I can get started? – Chris Dale Jul 04 '12 at 13:37
  • @ChrisAndrèDale In The Netherlands it'd be http://nen.nl that's recommended by a semi-government organisation. Doesn't seem to have an English website, but this preview of ISO27000 is in English: http://www.nen.nl/pdfpreview/preview_178921.pdf -- Edit: Oh, other answers already posted better resources :) – Luc Apr 13 '13 at 10:26
  • You'd have to buy them, but when I was involved in this two years ago I managed to find illegal copies just by Googling. – Apr 15 '13 at 08:12

5 Answers

The official route for documentation is through ISO:IEC - and papers cost 134 Swiss Francs each.

Various bodies have guidance papers, for example ISACA provide a range of ISO27001 material on topics such as implementing ISMS, aligning Cobit, ITIL and ISO27001 - but you have to be an ISACA member (if you need to, ask me how :-)

Alternatively, you can engage consultants to go through your needs and gain an understanding of what you might need to do. As an example, I have helped many large organisations align their security function with ISO27001:2005 - not to gain accreditation, as that can often be expensive overkill, but to gain the advantages a governance and security framework based on ISO27001 gives you.

You can, however, get a lot of good information from some free sources:

Rory Alsop


27000 itself is free, but the other standards in the family cost money, I'm afraid.

They can be purchased as a printed book or ebook directly from the ISO and the IEC themselves, at http://www.iso.org/iso/home/store.htm or from http://webstore.iec.ch/

It's also usually available from your local country's standards body. For Norway that is Standards Norway, which you can find at http://www.standard.no/

Graham Hill

You may like to look through the following:

To my knowledge, most ISO standard documents are not freely obtainable and have to be purchased from the ISO store (http://www.iso.org/iso/home/store.htm) or from the ISO member of one's own country, e.g. DIN in Germany. (For an eventual trick to save money, see my comment below.)

Deep LF

Mok-Kong Shen

  • ISO standard documents can be purchased from ISO but they could be rather expensive (relative to one's pocket). One trick that works quite well in my experience is to get the pre-ultimate version of an ISO standard document in its public review process. – Mok-Kong Shen Sep 20 '16 at 08:13

Considering the enormous amount involved in following the ISO27001 standard, especially if you go all the way to certification, I would tend to recommend following some form of training.

Some of the offered training (but not all) will provide you your own copy of the standards as part of the training fee (that is, you pay for it too, but you don't need to contact your local standards authority yourself).

Of course, this will be more expensive than just buying the standard, and maybe you'll prefer to at least read it by yourself before deciding if you really want to implement it, but I truly believe that if you do want to implement it, you'll need help to do so.

That said, it mostly depends on your company's goal - if you're going for full certification, have the company send you to an ISO27001 lead implementer training right away (by the way, one of the clauses of the standard mandates that your management should commit resources to the implementation and maintenance of your ISMS - that means investing in you), it will be worth it.

If you're just considering implementing the standard as a tool to improve your security, or are merely curious about it, then yes, maybe just reading it will be a sufficiently good start.

Localized-in-time part of the answer:

Of course, considering when you asked, it's likely you followed Rory's answer and bought it already - if so, I'm curious as to what your next steps have been. In particular, your own experience as starting with ISO27001 might prove invaluable to others stumbling on this question; what did you do to start, what would you recommend, and what not? Remember, it's ok to answer your own question.

Joubarc

Please follow this link for a free, legal copy of ISO27000:2012 from the ISO website: http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

Adi