| ISO27000 Series Compliance or Certification


Over the past 6 months, we have been reading a number of articles and publications on the ISO27000 subset of guidance documents:

  • ISO/IEC 27017:2015 – Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
  • ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
  • ISO/IEC TR 27019:2013 – Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry.
  • ISO 27799:2008 – Health informatics – Information security management in health using ISO/IEC 27002.

Many organisations have asked ‘…can we be certified to these standards…’ or ‘…we want to be certified to these ISOs…’.

The GOOD news is that now you can. Two options exist, each following a successful audit/review/verification of how the organisation has implemented and is managing the standard/guidance.

Option 1 – Non-Accredited Certificate
A non-accredited statement/certificate can be issued.

Option 2 – Appendices to the existing Certificate
All standards/guidelines audited are listed in an appendix to the main ISO/IEC 27001 certificate.

Finally
Option 2 is probably the best choice: it allows an organisation to list the standards/guidance it works to as it adopts them, while keeping the additional documentation and records to a minimum.

The Way Forward
If you require any help and assistance on how best to take this forward, please do not hesitate to contact us.