Information Security Blog

ISO 27001 to ISO 27003 Standards


Comparing the ISO 27001 Roadmap to the ISO 27003 Guidance for Implementation

One of the most frequently asked questions Pivot Point Security gets when speaking with clients about implementing ISO 27001 is, “What do we need to do to implement security policies and procedures for certification?”

The Pivot Point Security ISO 27001 Implementation Roadmap outlines the steps we take to implement an Information Security Management System for ISO 27001 certification. The ISO organization provides its own guidance in the ISO 27003 standard. According to the ISO body, “This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.”

A prospective client recently asked how the Pivot Point Security ISO 27001 Implementation Roadmap aligned with ISO 27003. The Implementation Roadmap outlines four phases to implement the ISMS:

  • Assess Short-Term Attestation Requirements
  • Assess Gaps
  • Develop & Execute the Roadmap
  • Operate the Environment

The ISO 27003 standard outlines five phases in its five clauses:

  • Obtaining management approval for initiating an ISMS project (Clause 5)
  • Defining ISMS Scope and ISMS Policy (Clause 6)
  • Conducting Organization Analysis (Clause 7)
  • Conducting Risk Assessment and Risk Treatment planning (Clause 8)
  • Designing the ISMS (Clause 9)

A high-level review shows that the Implementation Roadmap is consistent with ISO 27003 and aligns with the standard very well, as illustrated in the table below. So if you’re concerned about whether or not your organization is taking the right steps toward ISO 27001 certification, then a comparison to Pivot Point’s ISO 27001 Implementation Roadmap will let you know whether you’re going in the right direction.

ISO 27003 ISMS Guidance vs. ISO 27001 Implementation Roadmap

Clause 5: Obtaining management approval for initiating an ISMS project
  Roadmap phase: Address Near Term Attestation Requirements
  Alignment: The vulnerability assessments and penetration tests conducted in this phase illustrate the need for an ISMS to management, and the findings help clarify an organization’s security priorities. The Secure Data Flow Diagram (SDFD) and Preliminary 27001 Project Plan delivered in this phase define the preliminary scope of the ISMS and outline the business case and project plan for management approval.

Clause 6: Defining ISMS scope, boundaries and ISMS policy
  Roadmap phase: Assess Gaps
  Alignment: The first deliverable for this phase of the Roadmap is an ISMS scope defined in an ISMS Policy based on the work done for the SDFD.

Clause 7: Conducting information security requirements analysis
  Roadmap phase: Assess Gaps
  Alignment: Information security requirements and assets for the ISMS scope were identified in the SDFD. This phase includes a Security Assessment to evaluate gaps between the inherent security risks and ideal security controls.

Clause 8: Conducting risk assessment and planning risk treatment
  Roadmap phase: Assess Gaps
  Alignment: This phase uses the SDFD to deliver a:

  • Rapid Risk Assessment that identifies the major security risks and business impacts
  • Risk Treatment Plan that establishes acceptance criteria for risk and a response plan (i.e. avoid, control, transfer, accept)
  • Statement of Applicability that selects the controls approved by management to mitigate the identified risks

Clause 9: Designing the ISMS
  Roadmap phase: Develop and Execute the Roadmap
  Alignment: This phase delivers a prioritized work plan for:

  • Designing organizational information security
  • Designing IT and physical security
  • Designing ISMS-specific information security

About the Author:

Mosi K. Platt, CISA - Information Security Auditor
