ISO 27000 Demystified

ISO 2700 Blog Post

ISO what?

The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) provide a globally recognized framework for best-practice information security management: the ISO/IEC 27000 family of mutually supporting information security standards (also known as the ISO 27000 series).

The most well-known of the series is ISO 27001, which sets out the specification for an ISMS (information security management system).
The series is developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Why use an ISO 27000-series standard?

Information security breaches are one of the most significant risks that organizations face. Sensitive data is used across all areas of businesses these days, increasing its value for legitimate and illegitimate use.

Wherever the data goes, the financial and reputational damage caused by a breach can be devastating.

That’s why organizations are increasingly investing heavily in their defenses, using ISO 27001 as a guideline for effective security. ISO 27001 can be applied to organizations of any size and in any sector, and the framework’s broadness means its implementation will always be appropriate to the size of the business. A recent study from Attivo Networks noted that 37% security professionals using some form of security framework, are using the ISO 27000 family of standards.

ISO 27000 Series

ISO 27001

ISO 27001 is the central standard in the ISO 27000 series, containing the implementation requirements for an ISMS. This is important to remember, as ISO 27001 is the only standard in the series that organizations can be audited and certified against.

That’s because it contains an overview of everything you must do to achieve compliance. 

ISO 27002

ISO 27002 is a supplementary standard that discusses the information security controls that organizations might choose to implement.

Organizations are only required to adopt controls that they deem relevant – something that will become apparent during a risk assessment.

The controls are outlined in Annex A of ISO 27001. Still, whereas this is essentially a quick rundown, ISO 27002 contains a more comprehensive overview, explaining how each control works, what its objective is, and how you can implement it.

ISO 27005

ISO 27005 is the international standard that describes how to conduct an information security risk assessment per the requirements of ISO 27001.

Risk assessments are one of the essential parts of an organization’s ISO 27001 compliance project. ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions are taken, and how relevant controls from Annex A have been applied.

ISO 27005 applies to all organizations, regardless of size or sector. It supports the general concepts specified in ISO 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Comprehensive ISO 27000 Audit Services from Lazarus Alliance

The ISO 27000 Audit (27001, 27002, and 27005) provides a model for the full life-cycle of an Information Security Management System (ISMS). The organization’s needs and objectives drive the design and implementation of the ISMS, security requirements, processes employed, and its’ composition.

Once a company has decided to enlist a third party to provide a service, they want assurances that those services will be provided timely, accurately, and securely. An ISO 27000 audit (27001, 27002, or 27005) shows your commitment to maintaining a sound control environment that protects your client’s data and confidential information.

  • Lazarus Alliance’s ISO can provide an early-stage gap analysis to determine what pieces of your ISMS are in place or what parts are missing before you move forward to an informal pre-assessment or the formal certification audit. The gap analysis is ideal for organizations that are in the process of finalizing their ISMS.
  • Lazarus Alliance’s ISO can provide a review of your ISMS and its operation essentially as a preview for future audits. As part of this work, Lazarus Alliance will do a document review and interview employees and other key constituents. The pre-assessments objective is to seek the degree of conformance of your system to the ISO standard and provide a readiness level for the actual certification audit.

The Lazarus Alliance ISO 27000 Audit methodology

Through the successful completion of hundreds of audits around the world for organizations of all sizes, Lazarus Alliance has developed an efficient methodology and proprietary assessment protocols to evaluate the controls in place at your organization.

  • Lazarus Alliance’s ISO 27000 Audit (27001, 27002, and 27005) process initially takes just a few weeks from start to completion to baseline your organization depending on your team’s availability. The actual time to completion is typically well over six months following the conclusion of the performance period. We are aware that our clients have full time, everyday obligations in addition to dealing with auditors, so we are flexible to your needs and work around your schedule to provide a quality audit and report in the time frame you desire.
  • A significant differentiator you will immediately appreciate is our Proactive Cyber Security™ ISO 27000 Audit (27001, 27002, and 27005) methodology which takes a continuous audit approach rather than the end of the reporting period Audit Anarchy approach by other firms. We will also utilize our proprietary IT Audit Machine technology to set you up for success. The IT Audit Machine is a full-featured and highly collaborative assessment and reporting tool only available from Lazarus Alliance.
  • You will enjoy a reduction of expense on additional compliance efforts your organization may undertake. Common processes, procedures and controls implemented as part of ISO 27001, 27002, and 27005 conformance that would be leveraged for other compliance efforts such as SSAE 16 (SOC 1, SOC 2, SOC 3)PCI DSSHIPAA, and Sarbanes-Oxley (SOX).
  • Lazarus Alliance creates a sustainable ISO 27000 Audit (27001, 27002, and 27005) partnerships with our clients. We have a proven methodology and project plan that helps our clients achieve compliance, budget, and schedule. You will come to appreciate our Service, Integrity, and Reliability, which will be apparent to you from the very first call.

Conclusions

Leveraging the Continuum GRC IT Audit Machine, Security Trifecta methodology, and the Policy Machine, Lazarus Alliance provides international standards that are recognized as “Best Practices” for developing organizational security standards and controls that support ISO 27000 Audit (27001, 27002 and 27005) certifications.

The Cyber Security experts at Lazarus Alliance are completely committed to you and your business’ success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Lazarus Alliance

Website: