ISO 27001 Information Security Management System

Information – a precious resource

Business life today cannot be imagined without information technology. However, this IT blessing can rapidly become a curse for those who are not aware of the minimum requirements as regards the quality and security of IT systems.

Fulfilling these requirements is a prerequisite for efficient and legally compliant working with IT products and IT systems and provides the basis for reliable operation of organizations and industrial installations.

We will help you to identify your IT risks and to manage your system. With an ISO 27001 certificate from TÜV NORD CERT, you can demonstrate the effectiveness of your information security management system with the highest level of objectivity and credibility.

We certify an ISMS according to ISO 27001 based on international accreditation or perform audits for ISO 27001 based on the IT-Grundschutz system of the BSI (Federal Office for Information Security).

IT Security Act – TÜV NORD CERT is prepared

TÜV NORD CERT has developed an ISMS information model which can be used as a template for all sectors affected by the German IT Security Act. It also helps to relate the core concepts of information security management to the context of ISO 27001. TÜV NORD CERT provides this template free of charge.

Standard ISO 27001 serves:

  • to formulate requirements and targets for IT security
  • to provide cost-efficient management of security risks
  • to define the management activities concerned with information security
  • to ensure fulfilment of specific information security targets

New issue of International Standard ISO 27001: updated requirements for efficient information security management.

Since the year 2005, International Standard ISO 27001 has provided valuable support in the establishment and maintenance of an efficient information security management system (ISMS) – and so makes an effective contribution to the protection of valuable information. This standard has now been amended for the first time to take account of changed framework conditions and experience gathered to date.

ISO 27001:2013: Leaner form and content

ISO 27001:2013 now consists of 22 pages and is therefore only one quarter as long as the original version. Reference to ISO 27000 means that some definitions could be excluded from the text, and the structure of the standard has been brought into line with the generally applicable ISO High Level Structure. This makes it more compatible with other management system requirements, such as ISO 9001, ISO 14001 and others.

The control elements in Annex A of ISO 27001 have been restructured. New items include eight control objectives, which among other things relate to project management, supplier relations and the use of mobile end devices, and there are now also dedicated sections on operations security, communications and cryptography. Further important changes include revised rules for the management of information security, including risk assessment and communication, and revised requirements for the planning, implementation, monitoring and continual optimisation of the ISMS.

Transitional period for certifications about to be completed

Certifications according to the new ISO 27001 are possible immediately. However, organizations which are about to complete certification according to the previous standard, ISO 27001:2005, can continue this process as planned for a transitional period. Changeover to the new ISO 27001 can then be carried out at any surveillance audit. The transitional period for existing certificates according to the previous standard ISO/IEC 27001:2005 ends on 1 October 2015. Since 1 October 2014, i.e. for one year already, all certificates for initial and re-certification processes have been issued only on the basis of the new standard. The changeover is carried out on the basis of an on-site audit; see also http://www.dakks.de/content/informationssicherheits-management-umstellung-auf-die-neue-isoiec-270012013.

Mr. Danny Xie
Sales Director
System Certification

Tel.: +8621-53855353-6358
dxie@tuv-nord.com