ISO27001

Question 1

What is the standard that 27001 is built on?

Answer 1

Annex SL. This defines the standard structure for all ISO management systems. All management systems end in a ‘001’.

Question 2

What is ISO27002

Answer 2

A set of guidelines around the implementation of controls. This is not mandatory, unlike the list in 27001 (Annex A), which are mandatory when they become part of the Statement of Applicability.

Question 3

What guidelines should auditors follow?

Answer 3

ISO19011. This is not mandatory.

Question 4

What are certifiers accredited against?

Answer 4

ISO17021 and the related auditor standard related to the MS. For 27000, this is ISO27006.

Question 5

What are the 7 sections of 27001?

Answer 5

1. Context of the organisation (organisation / scope).
2. Leadership (commitment / policy / roles).
3. Planning (risk planning / objectives).
4. Support (resources / competence / awareness / comms).
5. Operations (risk management).
6. Performance evaluation (monitoring / audit).
7. Improvement (corrective actions / improvement).

Question 6

What are the 14 control areas in Annex A?

Answer 6

1. Information security policy.
2. Organisation of information security.
3. Human resources.
4. Asset management.
5. Access control.
6. Cryptography.
7. Physical security.
8. Operations security
9. Communications security.
10. System acquisition, development and maintenance.
11. Supplier relationships.
12. Information security incident management.
13. Information security aspects of business continuity.
14. Compliance.

Question 7

What evidence should the auditor be looking for to verify the implementation of a requirement?

Answer 7

If the requirement is implemented, the auditor should seek evidence for it being Communicated, Executed, Understood and Effective.

Also, the auditor should seek evidence of it being Current, Coherent and Consistent.