
Question

If a company wants to certify against some of the ISO 27000-series standards (let's say ISO 27001 and ISO 27005), what could possibly be certified? I mean, is it IT processes in general in the organisation as a whole? Or is it more likely that only one or several system(s) used in that company is/are certified? Or does it depend on the particular standard (let's say I am interested in the ones above)?

If a company has chosen some particular standard, can it be broken down somehow so that only a part of the standard is certified?

Explanation / Answer

Of the ISO 27000 range of documents, only 27001 is a certifiable standard. The others in the range are guidance and advisory documents.

The first step of ISO 27001 implementation is defining the scope. In my experience it would be unusual to have "IT Processes" as a scope - it's usually defined by business area. So, for example, the Operations part of the business (excluding supporting business units, such as HR).

You can't be certified to part of ISO 27001. It's all or nothing.
