ISO 27001/ISO 20000 Compliance
Can we help you achieve ISO 27001 Information Security Management System certification or ISO 20000 IT Service Management certification?
ISO 27001
The ISO 27001 standard was published in 2005. It is the specification for an Information Security Management System. The objective of the standard is to provide a model for establishing and implementing an Information Security Management System.
The five major “sections” or requirements of ISO 27001:2005 include:
- Information Security Management System
- Management Responsibility
- Internal ISMS audits
- Management review of the ISMS
- ISMS improvement
In addition to the five major requirements, any organization seeking certification will need to identify all assets within the scope of registration, perform a risk assessment, and develop a Statement of Applicability that describes which security controls will be used. Together, these form the framework of the ISMS that is presented to the registrar for certification.
In addition to the mandatory requirements, each organization will need to implement the security controls defined in Annex A of ISO 27001, for which detailed implementation guidance is provided in ISO 27002. For each organization, the selection of controls is based on the risk assessment practices defined in its Information Security Management System.
ISO 20000
ISO 20000 was developed in 2005 to address IT service management and revised in 2011. It includes the following ten sections:
- Scope
- Terms and definitions
- Planning and implementing service management
- Requirements for a management system
- Planning and implementing new or changed services
- Service delivery processes
- Relationship processes
- Control processes
- Resolution processes
- Release process
For additional information, contact Frank Yazhari at frank@fyconsulting.com or call 908-875-7466 today.