I have recently come across ISO 27000. Basically what I learnt is that it is used for audit purposes in organizations. Can you tell me what exactly it is, if I am wrong? What tools are available for ISO 27001 audits and how can I learn about them? Can simple penetration testing tools be used for the purpose?

ZygD
user162098
  • In my opinion, where to obtain the standardization material and how to achieve it are far from being the same question. – kinunt Mar 24 '15 at 09:50

2 Answers

ISO27000 has little to do with penetration testing. It's a collection of ISMS (Information Security Management Systems) standards that provide a list of controls which an organization should implement as it enables (or should enable) proper security governance.

It's more on a conceptual level and provides more a set of rules which can be used to create policies and processes.

The standards can be used for both implementation as well as auditing. Auditors will review whether you have correctly implemented all concepts and accredit you with the certificate if it is deemed you have performed a correct implementation. They will request to see the defined policies and will test these against the actual situation. This is almost never technical.

One of the controls (there are several) requires the company to perform regular attack and penetration testing. The auditor will not perform a penetration test himself but will request the relevant reports. The policies often also define how problems should be tackled or how risks can be accepted or mitigated. The auditor will review the report and ask how follow-up is performed (and review whether this is done correctly).

Lucas Kauffman
  • Thanks for answering. I got it somewhat. Are there any tools or material to apply the set of rules to a company? What are the other controls and where can one learn about them? – user162098 Apr 25 '14 at 17:10
  • There are no IT tools involved as there are no technical implementations involved. Just get the ISO standards and read them. – Lucas Kauffman Apr 25 '14 at 17:11
  • Can someone tell me which standards are indispensable to buy when starting with the implementation? – Tobias Jan 24 '19 at 08:21

ISO/IEC 27001:2013 is an international standard promoted by ISO that establishes the requirements for an Information Security Management System (ISMS). The main purpose of an ISMS is to reduce the IT risk of your organization by identifying threats, implementing security controls, measuring their effectiveness and improving them continuously.

The ISO/IEC 27001:2013 is one standard of a family. For example, ISO 27000 has definitions, ISO 27002 best practices (best practices != requirements) and so on...

The main purpose of ISO 27001 is not to be audited but to be implemented first in an organization. After that, it can be audited. Audits can be first-party, second-party or third-party (certification). Passing a third-party audit by an accredited organization grants you the certification of your ISMS as ISO 27001 compliant.

If you just audit compliance with ISO 27001 without implementing it first, for example to have a measure of your security posture, in my opinion the result will be deceiving, because ISO 27001 requires some documentation and the lack of it does not imply that you are not secure (nor does having it imply that you are secure).

IMO, the best way to learn about ISO 27001 is to buy ISO 27001 and ISO 27002 standards from the ISO site and study them.

kinunt