ISO 27000 Central. ISO27001 and ISO27002 Guide


ISO 27000 Central is intended to be a launch pad for those seeking help with this international standard. It offers information, tips, guides and links to a range of resources.


ISO 27000

The route forward with the standard, or even determination of whether there is a route forward, is often far from obvious. Hopefully this section will introduce a sensible approach, explaining one method of making progress.

A Strategy and Approach for ISO 27001 AND ISO 27002

There are actually a variety of ways to approach the standard. The correct one for a specific organization will obviously depend upon the nature of the organization itself. However, the following 'cycle' has been documented as one possible approach, and may be of use.

- Firstly, obtain a copy of the standard itself. Whilst this may seem rather obvious, it is surprising how often people attempt to judge suitability without ever having studied the documents themselves. The documents can be obtained stand-alone, or as part of the starter kit (The ISO 27000 Toolkit) from the sources listed below.

- The merits of the standard itself are considered. Factors can include impact on confidence of new/existing customers/partners, enhancing the organization's security, etc.

- The decision is made to move forward with the standard. All options are available of course: from loose alignment with it, to compliance with it, to certification.

- The project is planned in terms of resourcing (i.e. people and time). This could include external resources such as consultants.

- Alongside the previous step, the scope of the exercise is decided. In other words, the part(s) of the organization to be included are determined.

- A review of existing documentation is conducted. This will help establish the extent and quality of the measures already in place (e.g. security policies).

- An inventory is drawn up of all significant information assets.

- A 'gap analysis' is performed to identify the gaps between the existing situation, and those controls, processes and procedures documented in the standard.

- A risk analysis exercise is performed in order to determine the extent of risk to the organization through security breach. A Risk Assessment document is produced.

- The organization must determine how the identified risks are to be managed. Responsibilities for managing them are assigned and documented.

- Controls to address the identified risks are selected, both from the standard and elsewhere. A "Statement of Applicability" is developed following selection.

- Security policies are created/adapted using the Statement of Applicability and other inputs. This is often based upon the template included in The ISO 17799 Toolkit.

- Appropriate policy-based procedures are created.

- An awareness program is initiated to ensure employees and agents are familiar with the information security (IS) requirements of the organization.

- A method of compliance monitoring is introduced.

- At this point, the organization reviews its position. Commonly, certification is considered (which of course requires external audit by an accredited body).

ISO 27001 (and/or ISO27002) should always be obtained from an official source.

Standards Direct (BSI) provides the standard as an instant download from the following page: ISO 27000 Download


The standard (both ISO 27001 and ISO27002) can also be obtained as part of the ISO17799 Toolkit. This also comprises a series of support resources, such as aligned security policies, checklists, BIA questionnaires, presentations, etc.

It can be downloaded via the following website: ISO 27000 Toolkit


Your Guide To ISO 27000, ISO 27001 and ISO27002
Copyright © 2011. All Rights Reserved.