ISO / IEC 27001 Information Security Management System

Advantage of establishing an ISMS:
• Awareness of information security risks
• Security of the assets according to the needs
• Establishing business continuity through effective incident management
• Competitiveness
• Profitability
• Corporate image
• Legal and statutory compliance

History of the ISO/IEC 27001 ISMS:
• BS7799:1995; part 1 issued
• BS7799-2:1998; part 2 issued
• BS7799-2:1999; part 2 revised
• ISO/IEC 17799:2000; issued
• BS7799-2:2001; part 2 improved
• BS 7799-2:2002; harmonized with the other management system standards, Plan-Do-Check-Act (PDCA) model introduced (ISO 9001:2000 and ISO 14001:1996)
• ISO/IEC 27001:2005 ; Information security management system; replaced BS 7799-2
• ISO/IEC 27002:2005 ; Code of practice, replaced ISO/IEC 17799:2005

Principles of the ISO/IEC 27001 ISMS
ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The process approach for information security management presented in the Standard encourages companies to emphasize the importance of:
a) understanding an organization’s information security requirements and the need to establish policy and objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.
ISO/IEC 27002:2005 provides implementation guidance that can be used when designing controls.

CONTENT OF THE ISO/IEC 27001:

0 Introduction
0.1 General
0.2 Process approach
0.3 Compatibility with other management systems
1 Scope
1.1 General
1.2 Application
2 Normative references
3 Terms and definitions

4 Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence
6 Internal ISMS
7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output
8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
Annex A (normative) Control objectives and controls
Annex B (informative) OECD principles and this International Standard
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard

TERMS AND DEFINITIONS OF THE ISO/IEC 27001:

Information security management system (ISMS): that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

Information security: preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

Information security event: an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant

Information security incident: a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

Risk analysis: systematic use of information to identify sources and to estimate the risk

Risk assessment: overall process of risk analysis and risk evaluation

Risk evaluation: process of comparing the estimated risk against given risk criteria to determine the significance of the risk

Risk management: coordinated activities to direct and control an organization with regard to risk

Risk treatment: process of selection and implementation of measures to modify risk

Residual risk: the risk remaining after risk treatment

Risk acceptance: decision to accept a risk

Asset: anything that has value to the organization

Availability: the property of being accessible and usable upon demand by an authorized entity

Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Integrity: the property of safeguarding the accuracy and completeness of assets

Statement of applicability: documented statement describing


Kalitest Certification and Training Services Inc. / Phone: +90 212 269 37 41 Pbx   -   Fax: +90 212 269 37 44
© 2008-2010 All Rights Reserved.
Vr. 2.0