About ISO 27001 / ISO 22301 / BS 25999-2 standards

What is ISO 27001?

ISO 27001 is an international standard issued by the International Standardization Organization (ISO), which defines information security management systems. Its full title is ISO/IEC 27001:2013. This standard was developed from British standard BS 7799-2; it was first published as ISO/IEC 27001:2005 and has now become a leading international standard for information security.

What is achieved by implementing ISO 27001?

Implementation of ISO 27001 reduces risks related to confidentiality, availability, and integrity of information in an organization. It also helps the organization to achieve conformity with legislation regulating protection of confidential information, protection of information systems, personal data protection, etc., which are already in place in most countries. Finally, implementation of the standard should reduce business costs due to fewer incidents, and improve marketing because of the publicity that can be gained with the standard.

What is the difference between ISO 27001 and ISO 27002?

The international standard ISO 27002 (full name: ISO/IEC 27002:2013) defines guidelines for the implementation of controls listed in ISO 27001. ISO 27001 specifies 114 controls that can be used to reduce security risks, and ISO 27002 provides details on how to implement these controls. Organizations can become certified against ISO 27001, but not against ISO 27002. ISO 27002 was previously referred to as ISO/IEC 17799, and emerged from the British standard BS 7799-1.

What is BS 25999-2?

This was a British standard with the full name BS 25999-2:2007, which defined business continuity management systems. This standard was replaced by ISO 22301 in 2012.

Why do you mention ISO 27001 and ISO 22301 together?

ISO 27001 defines information security management, which also includes business continuity management. However, neither ISO 27001 nor ISO 27002 describes how business continuity management should be implemented, so it is best to use ISO 22301 (former BS 25999-2) for this purpose. Further, ISO 27001 and ISO 22301 contain elements that are almost identical (documentation management, internal audits, management review, corrective and preventive actions), so these standards are fully compatible.

Is it possible to implement ISO 22301 without ISO 27001?

Yes – in that case, the emphasis will be on how to ensure availability of information and business processes in the case of disaster, etc., but not on ensuring confidentiality and integrity of information.

We have implemented ISO 9001; can some of it be used for ISO 27001/ISO 22301?

Absolutely! Some parts of ISO 27001/ISO 22301 (former BS 25999-2) and ISO 9001 are virtually the same – e.g., documentation management, internal audits, management review, and corrective actions. If the said procedures are already used for ISO 9001, they can also be used for ISO 27001/ISO 22301 with only minor changes. In other words, organizations that have already implemented ISO 9001 will have an easier job implementing ISO 27001/ISO 22301 (and vice versa).

How long does it take to implement ISO 27001/ISO 22301?

This really depends on a large number of factors, but generally, smaller organizations may need 3 to 6 months, organizations with up to 500 people will need 8 to 12 months, and larger organizations 12 months or more. Use this Implementation Duration Calculator to calculate the duration more precisely.

Does ISO 27001/ISO 22301 have to be implemented throughout the entire organization?

No. It is possible to set the scope of implementation for only one part of the organization, which makes sense in the case of larger organizations operating at a number of different locations and/or in different countries. For small organizations that do business at a smaller number of locations, it is better to implement the standard for the whole organization.

We heard that ISO 27001 is accompanied by extensive documentation that will only slow down our day-to-day business – is this true?

It is true that ISO 27001 requires some mandatory documents, but their number depends on the size and complexity of the organization – a small organization with no great security requirements will need only a dozen documents; a large bank may require several hundred documents. The important thing when drawing up the documentation is to define only the rules that are truly required for the organization, so as not to slow down the business operations.

Are IT security and information security one and the same thing?

No. IT security is part of information security – IT security includes, for example, backup procedures or the use of a firewall, whereas information security also includes definition of security roles and responsibilities, operating procedures, training and awareness, legal relations with employees and suppliers, physical security, etc. IT security is usually 50% of information security.

How much does it cost to implement ISO 27001?

It is almost impossible to calculate the cost before completing the risk assessment and the Statement of Applicability. The majority of expenses are not usually related to hardware or software, but to developing procedures and getting them up and running, raising of employee awareness and training of employees, certification, etc. The costs also depend on the size of the company, but it is good to know that not all security controls have to be implemented immediately, and that implementation of some of them may be postponed.

Certification against ISO 27001 / ISO 22301 / BS 25999-2

Can we get certified against these three standards through your website?

No. 27001Academy only provides documentation, training and support in the implementation of information security and business continuity, and we can help you to successfully complete all the steps leading to certification. Certification, however, is in the hands of accredited certification bodies.

What is required to get certified against ISO 27001 or ISO 22301?

You must have all the documents prescribed by the standard, and conduct at least one internal audit and at least one management review. But most importantly, you really must implement the requirements of the standard and the requirements set out in your documentation – during certification, the auditor will check to what extent the information security and/or business continuity management system has really materialized in your company.

The auditor has found a major nonconformity during the certification audit. Does this mean that we’ve lost every chance to obtain a certificate?

No. If you resolve this nonconformity, the certification body will issue a certificate. It is essential that you resolve such nonconformity within the set deadline and in a way acceptable to the auditor.