Guidelines on Requirements and Preparation for ISMS Certification based on ISO/IEC 27001

Edward Humphreys

Published by






Reviewed by

Mehmet Hurer B.Sc (Hons) MBCS CITP CEng


7 out of 10

This is one in a series of five books published by the BSI to accompany the 2013 edition of the ISO/IEC 27001 standard. This series of books are designed to help the reader prepare for, and maintain, certification against this standard.

In this first book of the series, the author provides an overview of establishing, implementing, maintaining and continually improving an information security management system (ISMS), where an ISMS is, put simply, a set of policies and procedures to manage and protect an organisation’s sensitive information.

Each of the key clauses are mentioned, taken directly from the standard, but then usefully expanded by the author to provide a clearer understanding of the requirement and guidelines on how compliance could be achieved. This includes cross-referencing with other associated standards as appropriate, such as ISO 31000:2009.

With an ISMS established, the subject of audits and certification is then discussed. This includes a definition of accreditation and certification, parties involved in certification, preparation for certification, the audit process, surveillance activities, recertification and appeals.

Finally, a mapping from previous standards to the latest standards is provided; something that will be of use to those already with, or looking for, compliance, certification or recertification from previous versions.

If you have limited experience in this area and are looking to achieve compliance or certification against the latest standard you may struggle if using a copy of the standard and this book alone; I would highly recommend using this book with the other books in the series, Guide to the Implementation and Auditing of ISMS Controls based on ISO/IEC 27001 AND Are you ready for an ISMS audit based on ISO/IEC 27001 .

Further information: BSI

December 2013