
If a company wants to certify against some of the ISO 27000-series standards (let's say ISO 27001 and ISO 27005), what could possibly be certified? I mean, is it IT processes in general in the organisation as a whole? Or is it more likely that only one or several system(s) used in that company is/are certified? Or does it depend on the particular standard (let's say I am interested in the ones above)?

If a company has chosen some particular standard, can it be broken down somehow so that only a part of the standard is certified?

ZygD
  • First, the scope should be determined based on the requirements, and enough discussion should take place with the help of management on what services/branches are in scope. We wouldn't be able to take only the IT processes; this applies to complete processes. Standards cannot be broken down. –  Apr 16 '15 at 09:10

2 Answers


Of the ISO 27000 range of documents, only 27001 is a certifiable standard. The others in the range are guidance and advisory documents.

The first step of ISO 27001 implementation is defining the scope. In my experience it would be unusual to have "IT Processes" as a scope - it's usually defined by business area. So for example the Operations part of the business (excluding supporting business units, such as HR).

You can't be certified to part of ISO 27001. It's all or nothing.

hmallett
  • Thanks for the response. It's very valuable, as I'm just getting my feet wet. Could you please be so kind and give other examples of possible scope? Maybe there are web materials to read on initial steps for certification? – ZygD Mar 23 '15 at 16:53
  • Also, how can you exclude HR, e.g. if an auditor wants to assess the procedure for granting access rights to information resources, he might take a sample where he would see an employee in the HR dept. being granted access. So how can the scope be defined on the operations side and not on particular information systems? This standard is about information security after all. – ZygD Mar 24 '15 at 00:12
  • @ZygD: You can exclude the HR function and processes from your ISO 27001 scope, that doesn't mean they cannot be part of a control activity (such as granting access-rights). These are two different things. – ack__ Nov 12 '15 at 10:10

The ISO 2700X series is about certifying the security management of a company. You are certified on the 27001 by the way.

The scope is to be defined by the company. To do so, you implement the requirements of the norm (chapters 4 to 8) without exception.

Chapter 4 revolves around the Deming circle (PDCA) and defines the ISMS set-up, implementation and exploitation, control and review, and enhancement.

Chapter 5 deals with management responsibility, Chapter 6 with internal audits, Chapter 7 with review and Chapter 8 with corrective and preventive actions.

Definition of the scope is driven by chapters 4.2.1 a and 4.2.1 b of ISO 27001. You have to look at the many aspects of the organisational perimeter, the information system perimeter and the physical perimeter.

Usually the norm gives guidelines; there is no precise definition of what must be in the scope and what is not. You can also refer to ISO 27002, which gives good practices.

M'vy