We are glad to publish an FAQ (Frequently Asked Questions) on the ISO 27000-series standards. If you have questions that you would like answered, please contact us and we’ll do our best to respond. We reserve the right to reproduce common questions and answers here for the benefit of all our visitors, although we will do so anonymously and in a generic sense. We are neither infallible nor all-knowing so please bear with us if we take a while to respond and are sometimes a bit vague. If you are experienced in this field and have better, more precise or more accurate answers to questions noted below, by all means get in touch. We’d appreciate the help!
Buying copies of the standards
Q: Where can I obtain [insert name of standard here]?
A: Official copies of ISO 17799, ISO 27001 and other published standards may normally be purchased from the various national standards bodies and/or a number of third party commercial organizations. One that we have used is IHS Technical Indexes (we have no commercial relationship with them apart from being happy customers; there are other sources, so shop around).
If money is tight, it is worth shopping around the world - Australia/New Zealand Standards, for example, was said to have offered the best price for the English language version of ISO 17799.
Some national standards bodies release translated versions of the ISO standards in their local languages, but all of them go to great lengths to ensure that the translations remain true to the original.
Both ISO 17799 and ISO 27001 can be purchased in electronic softcopy and hardcopy formats. Softcopies are ideal for online searching for specific controls and for cutting and pasting into your own policy documents etc. (subject to the copyright restrictions). The hardcopies are easier to read on the train.
Learning about the standards
Q: “I’m looking to find a book or college that teaches the BS 7799 standard. I want to become a certified pro to help or consult companies on how to develop certified products and procedures. Is there an exam that I have to take? Any info will help.”
A: The best book on BS 7799 is BS 7799, or rather ISO 17799 and ISO 27001 - in other words, you should buy and read a copy of the standards. Being standards, they are quite formal in style but readable and useful.
There are two parts: BS 7799 Part 1 is the 'Code of Practice', the main practical information security management standard, and is now known as ISO 17799. It was revised and re-issued in July 2005. The best way to learn ISO 17799 is to use it, which means going all the way through an implementation from planning to auditing. If you have no prior experience in information security, you should try to find an experienced mentor or guide. Professional organizations such as ISSA, ISF and ISACA can help.
BS 7799 Part 2 is the audit/certification standard, the 'Specification for Information Security Management Systems' now known as ISO 27001. It might be useful if you intend to become a certified auditor - the usual way of doing that is to go through a training course run by one of the information security management system accredited audit and certification bodies such as the BSI, or various training and consultancy companies. They are generally called "BS7799 Lead Auditor" courses.
As to becoming a consultant, I advise you to start by building a solid technical understanding of IT, risk and control concepts. Advice for people who want to become IT auditors in our own computer audit FAQ is also pretty relevant to becoming an information security specialist since the two fields are very closely related. Another excellent source is www.cccure.org, especially if you are considering becoming CISSP or SSCP qualified.
There are no doubt books available on '7799 but, to be honest, I haven't read any of them myself. I took a quick look at a couple once but was not impressed. With the increasing level of interest in information security and '7799 in particular, maybe someone has already released a solid, well-written textbook or will do so soon. Sorry I can't personally recommend any at present but if any authors or publishers out there want to send me a sample copy for an honest review, be my guest.
“FDIS” and other ISO acronyms
Q: What do “FDIS” and those other acronyms prepended to draft ISO standards really mean?
A: The acronyms indicate the stages reached by standards as they progress sequentially through the various committees and approvals:
NP = New Proposal (or study period)
WD = Working Draft
CD = Committee Draft
FCD = Final Committee Draft
FDIS = Final Distribution International Standard
IS = International Standard