CHAPTER 3: SPECIFICATION VS CODE OF PRACTICE

ISO/IEC 27001:2013 is a specification for an information security management system. It uses words like ‘shall’. It sets out requirements. It is the specification against which first-, second- and third-party audits can be carried out.

A first-party audit is an audit of an organisation’s own practices that is carried out by that organisation. A second-party audit is carried out by a partner organisation, usually pursuant to a commercial relationship of some description. A third-party audit is one carried out by an independent third party, such as a certification body or external auditor.

A code of practice or a set of guidelines uses words like ‘should’ and ‘may’, allowing individual organisations to choose which elements of the standard to implement, and which not. This inbuilt element of choice means that ISO27002 is not capable of providing a firm standard against which an audit can be conducted. ISO27001, however, is prescriptive and does not provide any such latitude.

Any organisation that implements an ISMS which it wishes to have assessed against ISO27001 will have to follow the specification contained in that Standard.

As a general rule, organisations implementing an ISMS based on ISO/IEC 27001:2013 will do well to pay close attention to the wording of the standard itself, and to be aware of any revisions to it. Non-compliance with any official revisions, which usually occur on a three-year and a five-year cycle, will jeopardise an existing certification.

An appropriate first step is to obtain and read a copy of ISO/IEC 27001:2013. Copies can be purchased from the ISO website, from national standards bodies and from www.itgovernance.co.uk/standards.aspx. There should be a choice of hard copy and downloadable versions to suit individual needs.