
ISO 27001 and 27002 accreditation


    Am bidding on a tender that requires working towards ISO 27001 and 27002 accreditation, and was wondering whether anyone had any thoughts on the best (=quickest and cheapest) approach to this.

    I've considered downloading the toolkits that are out there, and putting together the basic security and other policies, as this would cost approx £400-500. And then paddle like mad if I win the tender and get accredited as soon as I can.

    In any case, the proposal would use an accredited hosted server provider; the issue is mainly around my laptop, and possibly some subcontractors.

    This could well be a one-off attempt at a tender, so can't really justify the £4000 that companies are asking, for something that may not come to anything. However, having the ISO badge might be worthwhile in the longer run.

    Has anyone else gone through this process before, and would they be able to make any recommendations on providers/toolkits/approaches?

    Sorry if this sounds dimwitted, I'm probably just looking for an indication as to whether I am on the right track...

    Many thanks!

    #2
    Originally posted by alantan:
    If I understand what you are saying, the potential client requires its suppliers to be working towards 27001 accreditation if they don't already have it.

    First off, you don't get certified against ISO 27002, only 27001. 27001 is the actual standard. 27002 is simply a code of practice that provides guidance on the selection and implementation of controls in the standard.

    In order to attain that certification you must show that you have assessed the risks to your company's information assets in a methodical manner and implemented controls appropriately as a result of that risk assessment. This process should be formally documented and maintained.

    You can get to the point of being ready for your 1st certification audit in around 3 months given sufficient time and resources. The key is not just to have the policy paperwork in place but to have the supporting evidence to show that the controls you have selected are being operated correctly.

    The 27001 standard covers a lot more than just server hosting and if you intend to put yourself forward for certification you will need to come up with a lot more than just a secure hosting solution.

    There are 133 controls in 11 domains in the current version of the standard and even if you decide some of these are not applicable you will still have to show justification for that decision and support it with appropriate evidence. All the controls need to be assessed using a defined risk assessment methodology that you also have to show evidence of.

    You also need to show a defined PDCA cycle for the maintenance and improvement of your ISMS going forward.

    On top of that if you do manage to get certified you will have to undergo regular 6 monthly audits of your ISMS to ensure continuing compliance with the standard, all of which has to be carried out at your own expense.

    It is a lot of time and effort for what is possibly a single piece of work and I'd think long and hard about the time and effort needed before committing to it.

    If you really want to go ahead with it then a good starting point is the ISMS guidance series of books published by the BSi. They will take you through implementation, audit and certification requirements to the standard the certification bodies will be looking for.

    As a rule of thumb the process usually goes like this:
    • Identification of Information Assets and creation of an Asset Register.
    • Risk assessment of each asset and selection of appropriate controls from the standard to mitigate or otherwise control those risks.
    • Create your Statement of Applicability to identify the controls selected and justify where controls have not been selected.
    • Define and implement policies appropriate for the controls you have selected.
    • Define and document your overall ISMS based on the policies above and the required structure for ISO 27001 compliance. This includes review and audit processes and continual improvement.
    • Implement, operate and gather evidence of operation of the ISMS for a period of time.
    • Submit the ISMS and supporting evidence for certification.

    Toolkits etc are probably not worth it for a one man band. You can track your control selection and implementation easily enough using simple spreadsheets. The key is the design of your risk management methodology, your asset register and the documentation of your controls and policies with evidence of operation.
    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

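A constructed illustration of the asset register, risk assessment, Statement of Applicability and evidence trail described in the post above; this is added example code, not anything from the thread or from the BSi guidance, and the control ids, scores and risk appetite are placeholders chosen for the example.

```python
# Constructed example: asset register -> risk assessment -> Statement of
# Applicability -> evidence gaps, as code instead of a spreadsheet.
from dataclasses import dataclass

CATALOGUE = {  # placeholder ids; titles paraphrase typical control areas
    "C-ACCESS": "Access control for the laptop and hosted servers",
    "C-CRYPTO": "Full-disk encryption on portable equipment",
    "C-BACKUP": "Regular, tested information backups",
    "C-SCREEN": "Clear desk and clear screen policy",
}
RISK_APPETITE = 3  # likelihood * impact above this must be treated (illustrative)


@dataclass(frozen=True)
class Risk:
    asset: str           # entry from the asset register
    threat: str
    likelihood: int      # 1 (rare) .. 3 (likely)
    impact: int          # 1 (minor) .. 3 (severe)
    treated_by: tuple    # control ids selected to mitigate this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def risks_to_treat(risks):
    """Risk assessment step: only risks above the defined appetite need controls."""
    return [r for r in risks if r.score > RISK_APPETITE]


def statement_of_applicability(catalogue, risks):
    """Every catalogue control gets a decision and a written justification either way."""
    reasons = {}
    for r in risks_to_treat(risks):
        for cid in r.treated_by:
            reasons.setdefault(cid, []).append(f"{r.asset}: {r.threat} (score {r.score})")
    return {cid: {"title": title, "selected": cid in reasons,
                  "justification": "; ".join(reasons.get(cid, ["no risk above appetite requires it"]))}
            for cid, title in catalogue.items()}


def evidence_gaps(soa, evidence):
    """Selected controls with no operating evidence on file: the first thing an auditor asks for."""
    return sorted(cid for cid, row in soa.items() if row["selected"] and not evidence.get(cid))


# Constructed risk register and evidence log for the scenario in the thread.
RISKS = [
    Risk("Contractor laptop", "theft while travelling", 2, 3, ("C-CRYPTO", "C-BACKUP")),
    Risk("Client source code", "unauthorised access by subcontractor", 2, 2, ("C-ACCESS",)),
    Risk("Contractor laptop", "shoulder surfing in a cafe", 1, 1, ("C-SCREEN",)),
]
EVIDENCE = {"C-CRYPTO": ["encryption status screenshot, January"], "C-BACKUP": []}
```

Running `evidence_gaps(statement_of_applicability(CATALOGUE, RISKS), EVIDENCE)` lists the selected controls that still have no evidence of operation, which is the gap the post says matters more than the policy paperwork itself.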


      #3
      Thanks Dave!

      Something told me I'd get a learned response on this board...

      I probably need to reread the requirements a few more times, as it appears that in my panic I may have over-egged the interpretation.

      After reading your explanation, and then the tender documents again, it seems that the need is to build an "accreditable" "security plan" for the services provided and the "system" against ISO 27001 according to the best practice described in ISO 27002. But I don't need to actually go and get the accreditation.

      So of the PDCA cycle, it appears that I only need to do the "P" in order to bid (the security plan), then do the "D" as part of my practice. The "C" will be done by the client when the client deems it necessary, and the "A" is my commitment to rectify anything found.

      So it appears not to be a whole ISMS after all, not for every aspect of my business, and maybe not quite as scary.



        #4
        Originally posted by alantan:
        In which case it should be perfectly possible to bulltulip your way through the tender process by quoting chunks of the standard at them where required. If it is never going to be audited for certification then you can basically do what you like as long as it works and it looks good.
        "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



          #5
          Originally posted by DaveB:
          Not quite - the plan must be submitted to and approved by the client, and tested once a year in their presence. They also reserve the right to audit when they want (within reason). But it certainly isn't as onerous as I initially thought!
