ISO 27001 - SGS


ISO 27001: the Standard in Information Security Management

The Route to 27001
Issues to be considered when establishing an Information Security Management System

FOREWORD

“Today, business is driven by information. It is your most valuable asset. Some information is public knowledge; some is private and of no real interest to others. But every organisation has some information which is confidential and of interest to others.

Confidential information can involve research, design, prototypes, key technologies, manufacturing methods, processes, marketing information, plans, forecasts, strategies and negotiating positions. Information such as this could cause considerable damage if it fell into the wrong hands. This could have an immediate impact – for example, loss of a key contract. Or it could be more gradual, as you are overtaken by competitors which have short-circuited costly parts of the development process.

You may never realise that your information has been compromised. You simply find that you are inexplicably losing out.”

Extract from: Protecting business information – Understanding the risks - DTI publication - URN 96/939.

Background

This paper draws on the experience gained in working with public and private sector organisations successfully seeking to meet the demanding requirements for security in information and IT systems.

Purpose

SGS’ objective is to inform and to summarise the principal requirements for guiding and establishing an information security policy and system. This paper uses as a framework the ISO 27001:2005 series Specifications for information security systems.

Copyright SGS United Kingdom Ltd 2004. All rights reserved. No part of this publication may be copied, reproduced or transmitted in any form by any means without the written permission of SGS United Kingdom Ltd. Published by Systems and Services Certification, 2004.

An Introduction to ISO 27001:2005

In October 2005, the code of best practice outlined in BS 7799 was formally adopted by the International Standards Organisation as ISO/IEC 27001:2005. It is fast becoming internationally recognised as the standard for Information Security Management.

A number of changes have been made during this transition, in order that ISO 27001 dovetails more effectively with other existing standards, e.g. ISO 9001 and ISO 20000 (an IT Service Management standard – formerly BS 15000). Greater emphasis has been given to key areas such as management commitment and measurement of ISMS effectiveness, in order to encourage organisations to implement ISO 27001 within an overall strategy rather than in isolation.

The standard is currently in two parts:

ISO/IEC 17799:2005 (Part 1) provides a standard of good practices which may be applied to security of information and related assets.

ISO/IEC 27001 (Part 2) is the formal standard specification for an Information Security Management System (ISMS), against which an organisation seeking certification will be audited. The main body of the document provides a mandatory set of requirements that an organisation must meet for certification. An Appendix (Annex A) provides a list of control objectives that an organisation might use to measure information security. Controls relevant to an organisation should be selected based on a comprehensive risk assessment of the information security risks.

The standard adheres to a Plan – Do – Check – Act process model. This enforces the view that Information Security Management is a continuous process rather than a one-off project.

Transition from BS 7799 to ISO 27001

For organisations already certified to BS 7799, the process of transition should be relatively straightforward. Existing certificates will be replaced as part of the normal audit cycle, unless specifically requested. No certificates to BS 7799 will be issued after May 2006, and all certificates must have been transferred to the new standard by June 2007.

Who should read this document?

The intended readership is:
• Executive management having responsibility for developing or leading information security policy
• Senior managers tasked with preparing or establishing information systems
• Professional advisors considering the relevance of information security to their own organisations or providing general advice to others
• IT service professionals involved in specifying and maintaining processing facilities and guiding applications development
• Medical professionals and managers
• Senior managers in central and local government and executive agencies.

Conventions used in this document:
1. Extracts or quotations are source identified and printed in italic type face.
2. “SGS’ comments, based on client experience, are set out in italic type face and are contained within quotation marks.”

The Case for Information Security

Technological development now means that globally based services can appear to be both national and local to the customer. For example, look no further than airline ticket reservations and BT’s telephone enquiry service. These trends are not confined to the private sector.

The UK is substantially a service based economy where design skills, knowledge of markets and information resources have considerable value.

Competitors, enabled by the adoption of e-commerce, are increasing the speed of response required and the value of know-how, in today’s and tomorrow’s market place.

Organisations which are not taking steps to safeguard their investment in information are at risk.

Many organisations have established controls, recognising vulnerabilities and good practice, in such activities as:
• Individual log-on and passwords for access to IT facilities
• Virus checking and IT back-up routines and off-site storage
• Tables of authorities – often financial or press statement related
• HR practices
• Complaints handling
• Business planning & disaster recovery/continuity arrangements
• IT fault reporting
• Guidelines for the use of e-mail, fax, internet and photocopiers
• Limitations to document or file access.

Such management actions represent a good start but are frequently compromised by poor discipline.

“We have seen frequent examples of passwords being written down and freely available to casual observers, insecure screen savers and laptop computers being used for quite sensitive processing on trains and in public places. How often have you overheard inappropriate mobile telephone conversations and have almost been able to guess the other half of the dialogue?”

CIA

Organisational activity is rarely free from risk – this is certainly true when considering security of information. Information security is not about spy wars, but a disciplined management approach to preserving:

Confidentiality: preventing unauthorised access or disclosure

Integrity: safeguarding the accuracy and completeness of information and processing methods

Availability: ensuring that authorised users have access to information and associated processing methods when required

Loss of any of these attributes could, in certain circumstances, occasion commercial harm, embarrassment or serious business damage.

Not all equally valuable, or vulnerable.

Information security is not attained by paranoia, nor does it result from incomplete or partial thinking. The starting point, as in many management disciplines, is a comprehensive analysis and Risk Assessment.

Risk has three components:
• Asset
• Threat
• Vulnerability

The ‘quantity’ of risk is represented by: degree of vulnerability x severity of threat x asset value.

ISO 27001 – 3rd party certification

Demonstrates clear evidence that an organisation may be considered a ‘trusted trading partner’ in matters of information security. It also encourages the suppliers to ensure continued compliance with the Information Security needs of their customers, and gives a framework for continual improvement.

Risk assessment

Requires consideration of the organisational damage flowing from breach of confidentiality, integrity or availability and the likelihood that such a breach will occur and be exploited.

Comprehensive risk assessments are challenging tasks. There are sophisticated proprietary products available to assist these tasks but none is a substitute for top-level commitment, involvement of relevant staff and clarity of business objectives.

Establishing a consistent basis for asset values, threats – such as theft, fire, flood or corruption of data – and the probability of these events occurring may require external facilitation and expertise, particularly in complex IT issues.

The Risk Assessment is a dynamic tool which should be reviewed regularly, as a minimum once per year or on a business change.

Remember a documented Risk Assessment is a risk in itself and must be treated securely.

Risk management

Involves avoiding, reducing, accepting or transferring risks by adopting appropriate controls. The selection of controls needs to balance the costs and practicalities of operation with the degree of risk reduction achieved.

ISO 27001 certification requires that a written “Statement of Applicability” shall identify and critique the controls selected and explain any exclusion.

Our experience is that currently, few organisations have addressed these requirements with sufficient rigour to meet 3rd party certification requirements.

Establishing a management framework

Necessitates defining the:
• Information security policy objectives
• Boundaries of the system, areas, assets, technology or other characteristics
• Conclusions of risk assessments
• Selection of controls
• Management responsibilities.

Documentation and control requirements

Comprise:
• Evidence of the risk assessment process
• Summary of the management framework
• Policy statements – e.g. clear desk, internet access, cryptography, access control etc.
• Specific operational and procedural documentation
• Management responsibilities and reviews.

Appropriate retention period, retrieval, version control, authorisation and ownership or accountability issues should be addressed.

“These requirements should present few difficulties to organisations familiar with ISO 9000 Quality Assurance Management disciplines.”

Authorising information processing facilities and changes to operational files or configuration

The standard seeks formal technical and information security appraisal and authorisation for all new or changed operations.

“Many organisations will have in place procedures partially or fully addressing this requirement – particularly in IT areas. Review and strengthening may be required in non-IT functions.”

Security forum, co-ordination, specialist advice and independent review

The standard proposes establishing, where appropriate, a cross-functional forum, led by senior management, to provide co-ordination and visible support for information security.

Additionally, ISO 27001 requires that specialist advice (in-house or external) shall be sought and that implementation of information security policy shall be independently reviewed.

“For most organisations the requirement for independent advice and review, beyond the role of the legal and accountancy professions, will be new. With the pace of technological development, access to expert and independent views makes a good deal of sense. Many organisations would need to address this issue.”

3rd party access to information systems

Most organisations set limitations to systems access, but how many will have considered the risks to information security arising from, say, cleaning staff and waste disposal methods?

All contracts with service providers, including IT maintenance and outsourcing, should be assessed for risks, with suitable controls defined and operated and clear responsibilities incorporated into contract terms.

“A review of information security obligations in existing contractual terms should be considered.”

Information processing asset inventories and classification

Inventories of physical assets indicating location and ownership are routine. Inventories of databases, processing methods and technologies are rarer.

“In our experience, information database inventories are rarely accompanied by classification and labelling indicating importance and handling sensitivity. These disciplines are central to the production of a valid Business Contingency/Disaster Recovery Plan and to considered risk assessments.”

Personnel issues

ISO 27001 seeks to build on current good recruitment practices, by ensuring that information security responsibilities are incorporated in Terms & Conditions of Employment and that security education forms part of all employee and temporary staff induction programmes.

“For sensitive information handling, consideration should be given to screening of potential employees, checking of CVs and the desirability of enforceable Confidentiality Agreements.”

Detection, reporting and handling security incidents and processing malfunctions

Clearly not all incidents are harmful. Some will arise from the identification of weaknesses or of potential threats. Others will arise from breakdown or fault with hardware. Procedures should be developed for classification and handling of incidents and for containment, corrective action and damage limitation.

Disciplinary code

Should be invoked for wilful violation of security policy. This may require re-negotiation of existing disciplinary practices.

Physical, environmental & equipment security

There are many important and practical issues to be considered:
• Isolated delivery areas
• Multiple power supplies
• Physical perimeters
• Office/room security
• Equipment siting
• Cabling security
• Equipment maintenance
• Access control devices
• Disposal or re-use of media or equipment
• Off-site equipment
• Cleaning/canteen
• Location identification
• Working in secure areas
• Duress alarms
• Separation of development and operational activities
• Segregation of power and data cabling.

“Specialist advice may be required when considering the risk reduction and management benefits of implementing several of these control options.”

General controls

The standard includes good practice general controls such as:
• Secure screen savers and clear desk policies
• Regular virus checking and authorised software audits
• Property removal authorisation and control
• Segregation of duties and authorities
• Review and authorisation of operational change – facilities, software versions or processing venues
• Regular back-up disciplines with off-site storage and other good housekeeping disciplines.

Systems planning, specification and acceptance

A readily understood risk of security compromise arises through inadequately or inappropriately specified hardware or application software. Systems which regularly ‘crash’ place strains on staff, promote extra and usually hurried work and encourage the taking of short-cuts, with inevitable risks.

“ISO 27001 requires systems capacity planning, formal specification and acceptance criteria to be established for all new or upgraded hardware/software.”

Media handling and security

Applies to items such as paper, tapes, disks, cassettes, dictation tapes, lists of assets, systems documentation and procedures. Compliance is largely a matter of common sense in preserving such items free from corruption and unauthorised change, and readily available when required.

“It is surprising how many important items continue to go missing through inadequate storage and handling disciplines. Newspaper stories of confidential files found on diskettes and surplus or old equipment underline the need for controls in both handling and disposal.”

Information or software exchanges

The number of partnership, joint venture or shared data access trading relationships has increased rapidly. E-commerce is promoted at every turn by central government and service providers. E-mail is virtually the standard way of communicating in many organisations. Internet access, via public telephone at home and at work, is rapidly increasing. Voice-mail, mobile phones, fax and video conferencing are available almost everywhere.

These developments have one thing in common: the sharing of information and, sometimes, software or access to software and data, within your networks.

It would be consoling to think that the 3rd parties involved in these transactions share your concerns for information security, or are aware of the risks of external interception, eavesdropping or message re-direction. Even in the closest of trading relationships, duplication or change of data can occur – possibly arising through the use of temporary staff.

“Standard office software contains powerful code writing features and other capabilities which the inquisitive can invoke. Have these features been disabled in your organisation? In our view and that of ISO 27001, all exchanges of information or software access should be regulated by written agreements, and external network access should be subject to guidance and control.”

User access management and responsibilities

Issues to be addressed include:
• Documenting an access control policy which is aligned to organisational business needs
• Formal user registration & de-registration procedures
• Log-on & privilege restriction routines
• Password disciplines – using regularly changed high quality passwords (minimum 6 character length)
• User adherence to password protection and change procedure
• Regular review of access rights

“It is commonplace that passwords are:
Easily guessed
Often written down and readily retrievable
Not changed frequently”

Access to network controls

Any review of information security would be incomplete without considering controls on:
• User authentication for all remote users – electronic security tokens
• Remote diagnostic port access restrictions
• Node authentication – connection to remote facilities
• Segregation in networks – groups of users, information and processing capabilities
• Routing control – limiting access and information flows across networks.

“A documented Network Security policy should be prepared addressing these and related issues.”

Operating system controls

These are linked to network access controls and are intended to prevent unauthorised access to operational systems. They include:
• Automatic terminal identification to specific locations, users and portable equipment
• Tight restriction of access to system utilities
• Terminal time-out when inactive for defined periods – short for high risk systems
• Limited connection time – a further control on both internal and external service access
• Rigorous operating system change authorisation and control.

“Unregulated change is one of the largest causes of compromise to an initially sound system security control.”

System monitoring

Automated event logging provides a means of tracking:
1. User access and application requests granted and denied
2. Capacity utilisation
3. Other system environment attributes

When integrated with ‘clock synchronisation’ such logs provide valuable audit trails for review and evidence of effective operation.

Mobile computing, teleworking and mobile phones

The growth of out-of-office working and tele-working creates additional information security risks which should be considered in a formal policy covering:
• Guidance on use of file or message content
• Protection against theft of hardware and media
• Back-up disciplines for mobile computing
• Access to public networks
• Access to organisation networks with additional controls for remote location access
• Restrictions on file downloading
• Security at fixed tele-working locations
• Encryption of transmissions.

“Technology supports the practicality of a mobile office. Unfortunately security is much harder to ensure and monitor in off-site conditions.”

Information data and processing control

ISO 27001 consolidates good management practices such as:
• Data entry and cleansing control procedures
• Data input validation checks – batch & hash totals, sample and automatic checking
• Processing checking – is processing corrupting data?
• Output data validation – range, field type & accuracy
• Authentication of processing instruction or message source and authority.

Encryption as a security measure

Cryptographic techniques are the subject of legal and proprietary regulation. A distinction should be drawn between the widely used e-mail file transmission encoding techniques and full cryptographic security controls.

Cryptography use should be set out in a policy which safeguards the organisation’s:
• Legal use
• Encryption algorithms
• ‘Key’ management and security
• Use of Digital signatures authenticating information transmissions
• Contractual implications of Digital signatures and of information transmission and receipt acknowledgement
• Internal fiduciary authorities/accountabilities.

“This is an aspect of information security that, in our experience, requires inputs from professional advisors and specialist cryptology advice.”
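The data and processing controls listed above (batch and hash totals, input range and field-type checks, and a post-processing check that processing has not corrupted the data) are easy to state but rarely shown in code. The following is an added example, written for this page and not taken from the SGS paper or from the standard; the batch records, the field names ref/account/amount, the declared control totals and the amount limit are all constructed for illustration.

```python
"""Batch control checks over a constructed payment batch (added example).

Illustrates three of the controls listed under 'Information data and
processing control': field-level input validation (type and range),
batch and hash totals reconciled against values declared by the sender,
and a check that a processing step has not dropped or altered records.
Every value below is constructed; the field names are hypothetical.
"""
import hashlib
import json

# Constructed sample batch as it might arrive from a data-entry system.
# 'account' is a hypothetical 8-digit account number; 'amount' is in pence.
INPUT_BATCH = [
    {"ref": "P001", "account": "10000001", "amount": 12500},
    {"ref": "P002", "account": "10000002", "amount": 990},
    {"ref": "P003", "account": "10000003", "amount": 4000000},
]

# Control totals the sender declares alongside the batch (constructed).
DECLARED_CONTROLS = {"record_count": 3, "batch_total": 4013490, "hash_total": 30000006}

MAX_AMOUNT = 10_000_000  # constructed range limit for a single record


def validate_record(rec):
    """Return a list of field-level problems; an empty list means the record passes."""
    problems = []
    if not isinstance(rec.get("ref"), str) or not rec["ref"]:
        problems.append("ref missing")
    acct = rec.get("account")
    if not (isinstance(acct, str) and acct.isdigit() and len(acct) == 8):
        problems.append("account not 8 digits")
    amt = rec.get("amount")
    if not isinstance(amt, int) or isinstance(amt, bool) or amt <= 0 or amt > MAX_AMOUNT:
        problems.append("amount out of range")
    return problems


def control_totals(batch):
    """Record count, batch total (sum of amounts) and hash total.

    The hash total is the arithmetic sum of a non-monetary field (the account
    numbers): a classic batch control that detects dropped, duplicated or
    mis-keyed records even when the money total still agrees.
    """
    return {
        "record_count": len(batch),
        "batch_total": sum(r["amount"] for r in batch),
        "hash_total": sum(int(r["account"]) for r in batch),
    }


def batch_digest(batch):
    """SHA-256 over a canonical serialisation, for before/after comparison."""
    canonical = json.dumps(batch, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_batch(batch, declared):
    """Field checks plus control-total reconciliation. Returns (ok, findings)."""
    findings = []
    for rec in batch:
        for problem in validate_record(rec):
            findings.append(f"{rec.get('ref')}: {problem}")
    computed = control_totals(batch)
    for name, expected in declared.items():
        if computed[name] != expected:
            findings.append(f"{name} mismatch: computed {computed[name]}, declared {expected}")
    return (not findings, findings)


def process(batch):
    """Stand-in processing step (deduct a 1% fee); returns a new list."""
    return [{**r, "amount": r["amount"] - r["amount"] // 100} for r in batch]


def processing_corrupted(before, after):
    """Post-processing check: only amounts are meant to change, so the record
    count and the hash total must survive processing unchanged."""
    b, a = control_totals(before), control_totals(after)
    return b["record_count"] != a["record_count"] or b["hash_total"] != a["hash_total"]


if __name__ == "__main__":
    ok, findings = check_batch(INPUT_BATCH, DECLARED_CONTROLS)
    print("input accepted" if ok else findings)
    digest_before = batch_digest(INPUT_BATCH)
    output = process(INPUT_BATCH)
    assert batch_digest(INPUT_BATCH) == digest_before  # input was not mutated
    print("corrupted" if processing_corrupted(INPUT_BATCH, output) else "processing ok")
```

The hash total is deliberately computed over a field that processing must not touch, so it serves both as an input control (reconciled against the sender's declaration) and as a processing control (compared before and after). A record that is dropped between input and output fails both the count and the hash-total comparison even if the monetary total is later re-declared.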

Business continuity management

Continuity of business is self-evidently a core organisational requirement. Procedures for developing and maintaining continuity should be established taking account of organisational objectives and appropriate risk assessments.

Physical Disaster Recovery plans come in many shapes and sizes – some of which have been tested and found wanting.

Estimating the consequences and duration of disruption to normal business activity following fire, flood, building damage or security alert is a significant task. A greater challenge is posed in estimating the effects of a major breach of information security which could have implications for:
• Safety of personnel
• Financial penalty
• Breach of legislation or regulation
• Loss of business confidence and reputation.

“We have reviewed and commented upon a number of Business Continuity and Disaster Recovery plans which have been developed in a piecemeal manner. These plans generally lack the single co-ordinating framework required to be effective and to meet ISO 27001 requirements.”

Legal and regulatory compliance

Organisations operate within a background of legislation and specific regulation by trade and professional associations. A few examples of general legislation are:
• Data Protection Act (1998)
• Criminal Justice and Public Order Act (1994) – electronic media storage
• Computer Misuse Act (1990)
• Copyright, Designs and Patents Act (1988)
• Obscene Publications Act (1959).

Complying with all relevant law is an inescapable obligation on all and is intrinsic to meeting the obligations of ISO 27001.

Procedures should be operated to authorise the use of information processing and storage facilities and to prevent misuse. Such procedures should be supported by regular audits of all software and data stored on system networks and free standing equipment both on and off-site.

Where actions against persons or the organisation involve possible criminal, civil or regulatory hearings, evidence should be collected in accordance with relevant law or codes of practice, for admission.

Compliance with security policy and procedures

Irrespective of a decision to seek 3rd party ISO 27001 certification, audit of adherence to the organisation’s security policy is an essential discipline. Internal audit, independent external review and advice are fundamental to any effective system. It also gives a means of providing evidence of compliance and identifying improvement opportunities.

Essential components of demonstrating compliance are:
• Safeguarded and readily retrievable records
• Secure keeping of test data used to verify operational integrity and assess acceptance criteria for new or upgraded systems
• Records dealing with security incidents
• Technical specification and risk assessments
• Protection of system audit tools
• The stature, training and independence of internal auditors and their access to senior management
• Information security procedure documentation including lists of system assets and operational configuration.

“Many of the compliance evidencing issues will be familiar to organisations already meeting ISO 9000 requirements, although the extension to security audit tools may be new.”

Requests for additional copies of this paper, or for further information on ISO 27001 certification, should be directed to SGS United Kingdom Ltd.

Achieving Accredited Certification

After implementing an Information Security Management System, many organisations then go through the process of obtaining accredited certification. This enables them to make a public statement that they are serious about the confidentiality, integrity and availability of their information and that of their clients.

The certification also enables organisations to provide evidence in response to security questions in tenders and other commercial contracts without the need to divulge confidential security policy and procedures.

In the UK the accreditation body for certification bodies is UKAS. The United Kingdom Accreditation Service is the sole national accreditation body recognised by government. For more information visit: www.ukas.co.uk.

If you are considering obtaining certification it is worth contacting SGS at the early stages of the project. One of SGS’ core beliefs is to understand the needs and objectives of its clients so that the best possible service can be provided and to develop long-term relationships.

In an initial consultation SGS can give you budget costing for achieving certification, advise on scope and statement of applicability as well as ensuring its certification audits fit within your project plan.

It’s worth noting that the SGS code of ethics forbids SGS from undertaking consultancy where it also provides certification services. This ensures that SGS’ opinions are unbiased.

Stages

1. Initial consultation to develop budget costs and timescales
2. Formal proposal
3. Application
4. Pre-assessment: an optional audit to ascertain the client’s readiness to move towards certification
5. Desk Study - an appraisal of the client’s Information Security Manual/Procedures, Risk Assessment and Statement of Applicability to measure compliance with the Standard and prepare working documentation for the on-site assessment. Any identified areas of non-compliance at this stage will be notified to the client so that where possible corrective actions can be taken before the on-site audit
6. On-Site certification audit - an assessment to verify the implementation of your documented Information Security Management System
7. Reporting and closing of any corrective action requests
8. Certification - The client is notified of formal certification against ISO 27001, and a certificate is issued.
9. Continuous Assessment - The certificate is valid for three years, during which time SGS will undertake regular assessment audits. The timing and frequency of these will be detailed in the initial proposal. Towards the end of the 3-year period SGS will undertake a certification renewal. This is a more detailed audit than an assessment audit and takes account of system changes.

Greater detail on the process, reporting and corrective action requests can be found in SGS’ document “Certification Process explained”, which can be obtained by contacting SGS.

SGS can also offer a number of training courses to assist an organisation throughout the process: visit www.uk.sgs.com/training.


The SGS Group

The SGS Group is the clear global leader and innovator in inspection, verification, assessment and certification services. The Group comprises more than 300 affiliated companies, each separately organised and managed in accordance with the laws and local practices of the countries in which it does business.

Founded in 1878, SGS is recognised as the global benchmark for the highest standards of expertise and integrity. With more than 70,000 employees worldwide, we operate a network of more than 1,350 offices and laboratories around the world. Since it was established the SGS Group has remained dedicated to its independence as a guarantee of its total impartiality. SGS does not engage in any manufacturing, trading or financial activities which might compromise its independence and neutrality.

For more information, please conta
