ISO/IEC 27001 and ISO/IEC 27000
Information security, cybersecurity and privacy protection - Information security management systems - Requirements
About the Standard
Nowadays, information plays a crucial part in many business products and processes, from payroll information to company secrets. Managing information has become intricate: organizations hold a wide range of confidential information that requires effective protection against the growing threat from cyber-thieves, hackers, and accidental breaches.
The International Organization for Standardization (ISO) publishes the globally recognized ISO/IEC 27001 standard, which defines the requirements for establishing, implementing, documenting, and improving an information security management system (ISMS). With an ISMS, an organization implementing this standard can close loopholes in its information-security-related processes, people, technology, and organization, and reduce information security risks. This in turn strengthens information security in three key areas: confidentiality, integrity, and availability.
ISO/IEC 27000 Series
The ISO/IEC 27000 family of information security management system (ISMS) standards, also known as 'ISO27K', is a series of information security standards published jointly by ISO and the International Electrotechnical Commission (IEC). The series provides guidelines and recommendations on information security management through information security controls within the context of an ISMS. The standards in the family can be integrated to deliver best-practice information security management to the organization that implements them.
Key Family Standards for Certification
- ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection – Information security controls.
- ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection – Guidance on managing information security risks.
- ISO/IEC 27009:2020 - Information security, cybersecurity and privacy protection – Sector-specific application of ISO/IEC 27001 – Requirements.
- ISO/IEC 27017:2015 - Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
- ISO/IEC 27018:2019 - Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
- ISO/IEC 27032:2012 - Information technology – Security techniques – Guidelines for cybersecurity.
- ISO/IEC 27701:2019 - Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines.
- ISO/IEC 27799:2016 - Health informatics – Information security management in health using ISO/IEC 27002.
Type of Audit
- Certification Audit
Advantages of ISO/IEC 27001 and Its Series Certification
- Systematic detection of vulnerabilities and reduction in risks and disruption caused by information security incidents.
- Lower costs due to fewer information security incidents.
- Effective protection for the organization's information, data, and business processes.
- Identifying opportunities for continuous improvement of the organization's IT and its relevant processes.
- Fulfillment of internationally recognized requirements, i.e., ISO and IEC.
- Reduced burden of contractually required customer audits.
- Building confidence and trust with clients, business partners, and even staff in the organization.
Certification Audit Process
1. Request for a Proposal
a. A company interested in certifying against ISO/IEC 20000-1 requests a proposal from TUV NORD Thailand
2. Certification Audit
a. Stage 1: Documentation Review
b. Stage 2: On-site Verification
3. Issue of ISO/IEC 20000-1 Certificate
4. Surveillance Audit 1 & 2 (within the next 2 years after the certificate is issued)
5. Re-certification within the next 3 years after the certificate is issued.
Highlights of 2022 Version
- In 2022, the International Organization for Standardization (ISO) released the most recent version of ISO 27001 and ISO 27002. This impacts ISO 27001 compliance and certification for all organizations around the globe. Key changes made to the standard are listed below.
- A simplified set of security controls: the number of controls decreases from 114 to 93, regrouped into only 4 main themes: Organizational, People, Physical, and Technological.
- Eleven new controls are added to the control list.
- Slight changes are made to Clauses 4 to 10 of the standard's requirements.
- A harmonized structure (HS) is applied to the standard document to ensure uniform use of core text, terms and definitions, enabling greater integration with management systems of other disciplines.
- New requirements to establish criteria for operational processes and to implement control of those processes.
- New requirements to monitor information security objectives.
- New requirements to define the organization's process needs and their interactions as part of the ISMS.
- New requirements to communicate organizational roles relevant to information security within the organization.