ISO27001 scoping
Client name: Flintshire County Council
Date published: Wed, 14/10/2009
Flintshire County Council gets on track to attain ISO27001 accreditation with Socitm Consulting's help.
ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is "ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements", but it is commonly known as "ISO 27001".
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.
ISO/IEC 27001 requires that management:
- Systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts;
- Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that it deems unacceptable; and
- Adopts an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
The ICT Department of Flintshire County Council (FCC) is committed to attaining ISO27001 accreditation and had already achieved the GCSX Code of Connection (CoCo) compliance with an action plan in place for Payment Card Industry Data Security Standard (PCI DSS) compliance. The Council recognised that they now needed to focus on scoping the ISO27001 compliance requirements.
FCC engaged Socitm Consulting to assist in setting the scope of the certification boundary including selecting the relevant parts of the standard. Our remit was to limit the scope to ICT. FCC would then expand this process throughout the Council.
Our Consultant recommended that FCC identify and list all the information assets. We then provided a template that was used in conjunction with this information to produce the first draft of the scoping document. After further consultation with FCC to agree and refine the document, the final ISO27001 scope document was completed.
By utilising our experience and guidance we enabled FCC to focus on the areas that needed to be within the scope of the information security management system for the purposes of their intended ISO27001 certification. This exercise has now enabled FCC to proceed with their plans for ISO27001 in a constructive and ordered manner and provides them with a process for mapping future working requirements – allocating resources to policy development and control implementation applicable to the identified assets and thus the identified risks.
Alun Kime, Information Security Manager at FCC, commented: “Obtaining the services of Socitm Consulting really helped us in setting clear boundaries for the ISO27001 project. Although we were always clear that the scope was initially to be limited to ICT, we were struggling with transferring this vision onto paper in a way that would not only be acceptable to Auditors but, more importantly, in a way that was easy to understand for members of ICT.”
Project identification
Client organisation: Flintshire County Council
Client contact: Alun Kime, Information Security Manager, 01352 702802 Alun_Kime@Flintshire.gov.uk
Lead consultant: andrea.simmons@socitmconsulting.co.uk
Project no: 7213