
Dale Johnstone

19 May 2009

ISO/IEC ISMS Family of Standards

27000 Overview & Vocabulary
27001 Requirements
27002 Code of Practice
27003 Implementation Guidance
27004 Measurements
27005 Information Security Risk Mgt.
27006 Guidelines for accreditation of Bodies
27007 Auditor Guidelines
27008 Guidance for Auditors on ISMS Controls

ISO/IEC ISMS Family of Standards

27009 to be assigned
27010 ISM for Inter-Sector Communications
27011 ISM Guidelines for Telecommunications Organizations Based on ISO/IEC 27002
27012 to be assigned
27013 Guidance on the Integrated Implementation of 20000-1 & 27001
27014 Information Security Governance Framework
27015 ISM Guidelines for Financial & Insurance Services

What is ISMS?

To establish policy and objectives for information security within the context of the organisation's overall business risk, and the means by which these objectives can be achieved.

PLAN: Establish ISMS
DO: Implement & Operate ISMS
CHECK: Monitor & Review ISMS
ACT: Maintain & Improve ISMS

How ISO 27001 Evolved

27000 Overview & Vocabulary

SCOPE
Overview, status and relationships of the ISO/IEC 27000 ISMS family of standards
Vocabulary relating to the ISO/IEC 27000 ISMS family

Status: Published
Status: Commencing Study for Review
Target: Current

ISO/IEC 27001 Requirements

Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of an organization's overall business risks.

ISO/IEC 27001 Requirements

Specifies requirements for:

Establishing
Implementing
Operating
Monitoring
Reviewing
Maintaining
Improving

1. Security controls as part of a documented ISMS within the context of the organisation's overall business risks
2. Customized to needs of individual organizations or parts thereof
3. Select adequate and proportionate security controls to protect information assets and give confidence to interested parties

ISO/IEC 27001 Requirements

Replaces BS 7799-2
Modifications Applied
Accreditation Confirmed

Status: Published 15th October 2005
Current: Revision Commenced

ISO/IEC 27002 Code of Practice

Establishes guidelines & general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined in this International Standard provide general guidance on the commonly accepted goals of information security management.

ISO 27002 ISM Code of Practice

Establishes guidelines and general principles for:
Initiating
Implementing
Maintaining
Improving

1. Organizational security standards and effective information security management practices within an organization
2. Objectives provide guidance on commonly accepted goals of information security management
3. Control objectives and controls implemented based on requirements identified by a risk assessment
4. Assist to build confidence in inter-organizational activities

ISO/IEC 27002 Code of Practice

Replaces ISO/IEC 17799 (April 2007)
Which replaced BS 7799-1 (Dec 2000)
Modifications Applied

Status: Published / Republished
Current: Revision Commenced

ISO/IEC 27002 Security Categories

Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical & Environmental Security
Communications & Operations Mgt
Access Control
System Acquisition, Develop & Maint
Security Incident Management
Business Continuity Management
Compliance

ISO/IEC 27002 Control Objectives (ISO/IEC 27002:2007)

Security Policy
  Information Security Policy (1)

Organizing Information Security
  Internal Organization (2)
  External Parties (3)

Asset Management
  Responsibility for Assets (4)
  Information Classification (5)

Human Resources Security
  Prior to Employment (6)
  During Employment (7)
  Termination or Change of Employment (8)

Physical & Environmental Security
  Secure Areas (9)
  Equipment Security (10)

Communications & Operations Mgt
  Operational Procedures & Responsibilities (11)
  Third Party Service Delivery Management (12)
  System Planning and Acceptance (13)
  Protection Against Malicious Code (14)
  Back-up (15)
  Network Security Management (16)
  Media Handling (17)
  Exchange of Information (18)
  Electronic Commerce Services (19)
  Monitoring (20)

Access Control
  Business Requirements for A/C (21)
  User Access Management (22)
  User Responsibilities (23)
  Network Access Control (24)
  Operating System Access Control (25)
  Application and Information A/C (26)
  Mobile Computing and Teleworking (27)

System Acquisition, Develop & Maint
  Security Requirements of Info Systems (28)
  Correct Processing in Applications (29)
  Cryptographic Controls (30)
  Security of System Files (31)
  Security Develop & Support Processes (32)
  Technical Vulnerability Management (33)

Security Incident Management
  Reporting Information Security Events / Weaknesses (34)
  Management of Information Security Incidents and Improvements (35)

Business Continuity Management
  Information Security Aspects of Business Continuity Management (36)

Compliance
  Compliance with Legal Requirements (37)
  Security Policies, Standards and Technical Compliance (38)
  Information Systems Audit (39)

ISO/IEC 27003 Guidance

Scope
Implementing Information Security Management System (ISMS) requirements
Information about using the PDCA model
Requirements of the different stages on the PDCA process to establish, implement and operate, monitor and review, and improve the ISMS

Status: Final Draft International Standard
Status: Expected Publication Late 2009

ISO/IEC 27004 Measurements

SCOPE
Specify metrics / guidance re. measurement techniques applicable to determining & describing effectiveness of information security controls, information security processes, and ISMS
Applicable to any organisation protecting assets
To be used in conjunction with standards specifying requirements for: information security management systems, information security process reference models, and management of information security risks

Status: Final Draft International Standard
Status: Expected Publication Late 2009

ISO/IEC 27005 Risk Management

SCOPE

Provides guidelines for information security risk management
Supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard.

Status: Published June 2008

ISO/IEC 27006 Accreditation

Scope
Specifies requirements & provides guidance for bodies providing audit and certification of an Information Security Management System (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001
Primarily intended to support accreditation of certification bodies providing ISMS certification

Status: Published February 2007

ISO/IEC 27007 ISMS Auditor Guidance

Scope
Provides guidance on conducting information security management system (ISMS) audits, as well as guidance on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
Applicable to those needing to understand or conduct internal or external audits of an ISMS, or to manage an ISMS audit programme

Status: Committee Draft
Status: Expected Publication 2012

ISO/IEC 27008 Auditor Guidance ISMS Controls

Scope
Provides guidance for assessing the implementation of ISMS controls selected through a risk-based approach for information security management
Supports the information security risk management process and assessment of ISMS controls by explaining the relationship between the ISMS and its supporting controls.
Provides guidance on how to verify the extent to which required ISMS controls are implemented.

Status: 2nd Working Draft
Status: Expected Publication 2013

ISO/IEC 27010 ISM Guidelines for Inter-Sector Communications

Scope
Provides guidance for securing communications within and external to an organisation

Status: Finding its way after Project Approval
Status: 1st Working Draft
Status: Expected Publication 2013

ISO/IEC 27011 ISM Guidelines for telecommunications organizations based on ISO/IEC 27002

Scope

Provides guidelines supporting the implementation of Information Security Management in telecommunications organizations

Allows telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property

Status: Published April 2009

ISO/IEC 27013 ISM Guidelines on the integrated implementation of 20000-1 and 27001

Scope

Provides guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001

Status: Newly Approved Project
Status: Expected Completion 2012

ISO/IEC 27014 Information Security Governance Framework

Scope

Provides guidance on the development and use of an information security governance framework to help organizations direct and control the Information Security Management System (ISMS) process as specified in ISO/IEC 27001.

Status: Newly Approved Project
Status: Expected Completion 2012

ISO/IEC 27015 ISM Guidelines for Financial and Insurance Services

Scope

Provides guidance to the financial and insurance services sectors on how to adapt the 2700x Information Security Management System (ISMS) Framework.

Supports those sectors in fulfilling sector-specific information security related legal and regulatory requirements through an internationally agreed and well accepted framework.

Status: Newly Approved Project
Status: Expected Completion 2012

Alignment of ISMS Family of Standards

ISO/IEC 27000 ISMS Family

ISO 27000 Overview and Vocabulary
(Provides terminology for, and shows relationships between, the 27000 ISMS Family of Standards)

ISO 27005 Risk Management
(Provides a risk assessment methodology for use within the ISMS (27001))

ISO 27001 Information Security Management System
(Provides the fundamentals of an ISMS)

ISO 27002 Code of Practice
(Provides best practice security controls for implementation with the ISMS (27001))

ISO 27003 Implementation Guidance
(Provides detailed guidance on the implementation of an ISMS (27001) through the use of examples and case studies)

ISO 27004 Management Measurement
(Provides a methodology to measure the effectiveness of the ISMS (27001) and associated security controls (27002))

ISO 27006 Requirements for the accreditation of bodies providing certification of information security management systems
(Provides requirements for accreditation bodies and auditors who aim to provide ISMS (27001) certification services)

ISO/IEC 27001 Certification

[Chart: ISO/IEC 27001 certificates by country, shown as a world map with per-country counts and regional totals. Only part of the data is legible in the extracted text; the leading countries shown are Japan (2999), India (441), UK (395), Taiwan (248), China (191), Germany (124), Korea (89) and USA (86). Countries covered by the chart: Argentina, Armenia, Australia, Austria, Bahrain, Bangladesh, Belarus, Belgium, Brazil, Bulgaria, Canada, Chile, China, Colombia, Croatia, Czech Republic, Egypt, France, Germany, Gibraltar, Greece, Hong Kong, Hungary, Iceland, India, Indonesia, Iran, Ireland, Isle of Man, Italy, Japan, Kazakhstan, Korea, Kuwait, Kyrgyzstan, Lebanon, Lithuania, Luxembourg, Macau, Macedonia, Malaysia, Mauritius, Mexico, Moldova, Morocco, Netherlands, New Zealand, Norway, Oman, Pakistan, Peru, Philippines, Poland, Portugal, Qatar, Romania, Russian Federation, Saudi Arabia, Singapore, Slovakia, Slovenia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Taiwan, Thailand, Turkey, UAE, UK, Ukraine, Uruguay, USA, Vietnam, Yemen.]

ISO/IEC 27001 Trend

[Chart: number of certificates by year]

AEON Credit Service (Asia) Co., Ltd., System Division
Bank Consortium Trust Company Limited Data Centre for Bank Consortium Holding Limited group of companies
Cascade Ltd Netvigator Internet Service Operation Center (iCenter)
Cascade Ltd. e.Center
CIGNA Worldwide Life Insurance Co., Ltd. / CIGNA Worldwide General Insurance Co., Ltd.
Computer Forensic Laboratory, Office of Information Technology, Customs & Excise Department
CPCNet Hong Kong Limited
Doctor A Security Systems (HK) Ltd
Hogan Data Center Shanghai Ltd.
Hong Kong Cyberport Management Company Ltd
Hutchison Global Centre Limited
Joint Electronic Teller Services Ltd.
Joint Electronic Teller Services Ltd.
NEC Hong Kong Limited, Business Solutions & Services
NetDimensions Limited
Novation Solutions Limited
Orient Overseas Container Line Ltd Global Data Centre
Pacific Bechtel Co. LTD
PCCW Powerbase Data Center Services
PCCW Solutions Limited
PricewaterhouseCoopers
Reuters Hong Kong Limited (Hong Kong Data Center)
Tai Fook Securities Group Limited
Taifook Securities Company Limited
The Dairy Farm Company Ltd. I.T. Department
Toppan Forms (HK) Ltd.
Toppan Forms Card Technologies Ltd.
Toppan Forms Computer Systems Ltd.
TQM Consultants Ltd
Tseung Kwan O Hospital, Department of Radiology

Companhia de Telecomunicacoes de Macau S.A.R.L. IT Department
Government of the Macao Special Administrative Region of the People's Republic of China, Identification Services Bureau
Sociedade de Lotarias e Apostas Mutuar de Macau Ltd

ABeam Systems Information Technology (Shenzhen) Co., Ltd.
Accenture DCN BPO China Center
Accenture Technology Solutions (Dalian) Co., Ltd
Ace Mold Industrial (Shenzhen) Company Limited
Achievo Information Technology Co., Ltd. (Shenzhen, Beijing, Shanghai, Dalian, Japan)
Advanced Semiconductor Manufacturing Corporation Limited
Affiliated Computer Service (TIANJIN) CO, Ltd
ArcherMind Technology (Nanjing) Co., Ltd.
Arvato Systems (Shanghai) Co. Ltd. Enterprise IT Service Datacentre
Arvato Systems (Shanghai) Co. Ltd.
ATOS ORIGIN INFORMATION TECHNOLOGY (SHANGHAI) CO., LTD
Atos Origin Information Technology (Shanghai) Co., Ltd. Shanghai Branch Office
Bachieve International (Xi'an) Inc.
Bank of Communications Co., Ltd.
Bank of Dalian Co., Ltd. Information Technology Department
Bank of Shanghai company limited, Information Technology Department
BearingPoint Information Technologies (Shanghai) Ltd.
BEIJING ITOWNET CYBER TECHNOLOGY LTD.
Beijing Core Software Co., Ltd
Beijing Infohold Information & Technology Co., Ltd. Infohold CCDC
BEIJING ITOWNET CYBER TECHNOLOGY LTD.
Beijing Jn Tass Technology Co., Ltd.
Beijing North King Technology Co., Ltd.
Beijing Shenzhou Lvmeng Science and Technology Co., Ltd.; NSFOCUS Information Technology (Beijing) Co., Ltd.
Beijing Symbio Systems Inc. IT Division and Share Service
Beyondsoft (Beijing) Co., Ltd.
Bleum Software (Shanghai) Co., Ltd.
BroadenGate Software Service Co., Ltd.
BroadenGate Software Service Co., Ltd.
Business Call Center, Guangzhou Branch, China Telecom Co Ltd.
Butone Information Corporation Xi'an
BYD Company Limited
Centaline China Property Consultants Ltd.
China Cinda Asset Management Corporation
China Construction Bank Shandong Br
China Credit Information Technology Co., Ltd
China Data Group (Beijing) Limited.
China Everbright Bank Credit Card Center
China Export & Credit Insurance Corporation (SINOSURE) Information Resource Management Department
China International Electronic Commerce Center (Co., Ltd)
China Mobile Group Beijing Co., Ltd
China Mobile Group Liaoning Co., Ltd
China Mobile Group Tianjin Co., Ltd
China National Offshore Oil Corporation Information Technology Center
China Netcom (Group) Company Ltd. Tianjin Branch
China Netcom (Group) Co., Ltd. Beijing Branch, CNC IDC
China Orient Asset Management Corporation, Information Technology Department
China Telecom Co., Ltd. Shanghai Branch
China Telecom Corporation Limited Shanghai Telecommunications Billing Center
China Telecom Group Beijing Corporation
China Vanke Co., Ltd.
CIeNET Communication (Beijing) Co., Ltd
CIeNET Technologies (Beijing) Co., Ltd.
CIGNA & CMC Life Insurance Company Limited
COMPUPACIFIC INTERNATIONAL (XI'AN) LTD.
CompuPacific International Ltd.
COSCO Container Lines Computer Center
CSMC Technologies FAB1 Co., Ltd.
Dalian HiThink Computer Technology Corp.
Dalian Huojin Information Science & Technology Co., Ltd.
Dalian PreSoft Company Limited
Dalian Software Park Consultant Co. Ltd.
Dalian Xinhua Infotech Co., Ltd.
Digital China Advanced Systems Services Limited
Digital China Financial Software Co., Ltd, Outsourcing Business
Digital Printing Center of Shanghai Matsuoka Printing Co., Ltd.
Emerson Network Power Co., Ltd.
flextronics (china) electronics technology co., ltd.
Flextronics Technology (Shanghai) Co. Ltd
Formax BPO Beijing Inc.
Freeborders Software Development (Shenzhen) Co., Ltd.
Fuji Xerox of Shanghai Ltd.
Fuji Xerox of Shenzhen Ltd.
GDAD HAKUHODO Advertising Co., Ltd.
Genpact (Dalian) Co., Ltd
GIANT NETWORK TECHNOLOGY LIMITED, SHANGHAI ZHENGTU NETWORK TECHNOLOGY CO., LTD, SHANGHAI ZHENGTU INFORMATION TECHNOLOGY CO., LTD
Global Data Solutions LTD
Grace Semiconductor Manufacturing Corporation
Guangdong Mobile Communication Co., Ltd.
Guangdong SANTAI Electronic Technology Co., Ltd.
Guangdong Telecom Co., Ltd. Guangzhou Branch
Guangdong Telecom Co., Ltd. Shenzhen Branch / Shenzhen LongGang IDC
Guangzhou SANTAI ELEC. Co., Ltd.
Han's Laser Technology Co., Ltd.
Harbin Jiahong Technology Development Co., Ltd.
HeJian Technology (Suzhou) Co., Ltd
Henan Peace Filter Co., Ltd.
Hisoft International Technology Ltd
Hu Zhou Electric Power Bureau
Huangdao Power Plant of Shandong
Huawei Technologies Co., Ltd.
HUNDSUN Technologies Inc.
Huzhou Electric Power Bureau
IBM GLOBAL SERVICES (CHINA) COMPANY LIMITED
Infodeliver Technology Service (Dalian) Co., Ltd
Insigma Hengtian Software Ltd.
ISI China Co., Ltd.
ISOFTSTONE INFORMATION SERVICE CORPORATION
Jiaxing Electric Power Bureau
JingHua Electric Power Bureau
KHI (Dalian) Computer Technology Co., Ltd.
Kingdom Fine Metal Limited
Leo Paper Bags Manufacturing Limited
Linkage Software Co., Ltd.
Lionbridge (Beijing) Technologies, Inc.
Longtop Financial Technologies Limited
M&Y CHINA LTD
MITAC Computer (ShunDe) Ltd
Modern High Tech Development Co., Ltd. (Dalian)
Nanjing Fujitsu Nanda Software Technology Co., Ltd.
Nanjing Sinosoft Technology Co., Ltd.
Nantong COSCO KHI Ship Engineering Co., Ltd.
National Health Research Institutes
Neusoft Corporation
NSFOCUS INFORMATION TECHNOLOGY (BEIJING) CO., LTD. BEIJING SHENZHOU LVMENG SCIENCE AND TECHNOLOGY CO., LTD.
OKI Software Technology Co., Ltd. Software Public Test Center
Operations Branch of Shenzhen Metro Co
ORid (China) Information Technology Co., Ltd.
PAYEASE (Beijing) Co. Ltd.
Pearl Digital Software Development (Shanghai) Co., Ltd.
PICC, Xiamen Branch
Ping An Insurance (Group) Company of China Ltd
Precise Technology Co., Ltd.
PricewaterhouseCoopers Zhong Tian CPAs
Qingdao Fubo System Engineering Co., Ltd.
Qingyi Precision Maskmaking (Shenzhen) Ltd.
Qu Zhou Electric Power Bureau
Quzhou Electric Power Bureau
Ricoh Asia Industry (Shenzhen) Ltd
RICOH ELEMEX (SHENZHEN) CO., LTD.
RICOH EXPRESS (SHENZHEN) WAREHOUSE LTD.
RICOH IMAGING TECHNOLOGY (SHANGHAI) CO., LTD.
RICOH IMAGING TECHNOLOGY (SHENZHEN) CO., LTD.
RICOH INTERNATIONAL LOGISTICS (SZ) LIMITED
Ricoh Software Research Center Beijing Co., Ltd.
Satyam Computer Services Limited Shanghai
Security Operator Center, DMX Technologies Group (China)
Semiconductor Manufacturing International (Shanghai) Corporation
Shanghai Baosight Software Co., Ltd.
Shanghai Daishowa Co., Ltd.
Shanghai Even Data Processing Co., Ltd.
Shanghai Great Wall Ideal Co., Ltd.
Shanghai Hewlett Packard Co. Ltd. Dalian Branch, HPS APJ Outsourcing Services
Shanghai Hewlett Packard Co., Ltd.
Shanghai Hua Hong NEC Electronics Company Limited
Shanghai Hyron Software Co., Ltd.
Shanghai Jiulong Electric Power Science & Technology Co., Ltd.
Shanghai Micro Electronics Equipment Co., Ltd.
Shanghai PeopleNet Security Technology Co., Ltd.
Shanghai Ricoh Digital Equipment Co., Ltd.
SHANGHAI RICOH FACSIMILE CO., LTD
Shanghai Ricoh Office Equipment Co., Ltd.
Shanghai Supercomputer Center
Shanghai Telecom Account Center
Shanghai Zhengtu Information Technology Co., Ltd.
Shao Xing Electric Power Bureau
Shaoxin Electric Power Bureau
Shenyang Kimoto Industries Co., Ltd.
Shenyang Neusoft Co., Ltd
Shenyang Neusoft IT Service Co., Ltd
Shenzhen ELink Information Technology Co., Ltd.
Shenzhen Kingdom Data Service Co., Ltd
Shenzhen SangFei Consumer Communications Co., Ltd.
Shenzhen SangFei Consumer Communications Co., Ltd.
Shenzhen SangFei Consumer Communications Co., Ltd.
Shenzhen Securities Communication Co., Ltd.
Shenzhen Stock Exchange
Sichuan Public Information Industry Co. Ltd. (A Subsidiary of SiChuan Telecom Company Limited)
Siemens AG
Suhou Gopha Technology Co., Ltd.
Sunyard System Engineering Co., Ltd. BPO Cause Dept. / Sunyard (Hangzhou) Computer Service Co., Ltd.
Suzhou Shengyi Sci. Tech Co., Ltd
SYNNEX Information Technologies Co. Ltd.
Tianjin Mitsumi Electric Co., Ltd
TNT Direct Marketing Services (Shanghai) Company
TransCosmos Information Creative (China) Co., Ltd.
TRANSCOSMOS INFORMATION CREATIVE (CHINA) CO., LTD.
UFIDA Software Engineering Co., Ltd.
Union Life Insurance Co., Ltd. Information Management Centre
Unisys (Shanghai) Information Technology Company Limited
VeriSilicon Microelectronics (Shanghai) Co., Ltd.
Wicresoft (Shanghai) Co., Ltd.
Wicresoft (Shanghai) Co., Ltd.
Wuxi Huaxia Computer Technology Co., Ltd
YAMAGATA INTECH (Shanghai) Co., Ltd.
Yang Ming Marine Transport Corp.
YSPAY (Beijing) Technology Co., Ltd. Personal Finance Department
YSPAY (Beijing) Technology Co., Ltd. Personal Finance Department
ZF Faster Propulsion System Co., Ltd.
Zhuhai Precise BPO Technology Co., Ltd.
ZTE Corporation Co., Ltd

ISO 27000 ISMS Family Benefits

Internationally Recognised Process Model (PDCA)
Identify & Appreciate
  Information Asset Value (IAV)
  Applicable Risks
Apply Controls Commensurate With Risk / IAV
Greater Staff Awareness of Information Security
Recognition by Industry Peers / Regulators
Benchmark Business Partners / Suppliers
Edge Over Competitors

ISO/IEC JTC1 SC27 Other Working Group (WG) Projects

ISO/IEC JTC1 SC27 WG2 Security Techniques & Mechanisms

7064 Check Character Systems
9796 Digital Signature Schemes Giving Message Recovery
9797 Message authentication codes (MACs)
9798 Entity Authentication
10116 Modes of Operation for an N-Bit Cipher
10118 Hash Functions
11770 Key Management
13888 Non-Repudiation
14888 Digital Signatures with Appendix
15946 Cryptographic Techniques Based on Elliptic Curves
18014 Time Stamping Services
18031 Random bit generation (Draft Technical Corrigendum 1)
18032 Prime Number Generation
18033 Encryption Algorithms
19772 Authenticated Encryption
29150 Signcryption
29192 Lightweight Cryptography

ISO/IEC JTC1 SC27 WG3 Security Evaluation Criteria

11889 Trusted Platform Module
15292 Protection Profile Registration Procedures
15408 Evaluation Criteria for IT Security
15443 A framework for IT security assurance
15446 Guide for the production of Protection Profiles & Security Targets
18045 Methodology for IT Security Evaluation
19790 Security Requirements for Cryptographic Modules (FIPS 140-2)
19791 Security Assessment of Operational Systems
19792 Security evaluation of biometrics
21827 Systems Security Engineering Capability Maturity Model
24759 Test Requirements for Cryptographic Modules
29128 Verification of Cryptographic Protocols
29147 Responsible Vulnerability Disclosure
29193 Secure system engineering principles and techniques

ISO/IEC JTC1 SC27 WG4 Implementation of Information Security Control Objectives and Controls

14516 Guidelines on the Use & Management of TTP Services
15816 Security Information Objects for Access Control
15945 Specification of TTP Services to Support the Application of Digital Signatures
18028 IT Network Security
18043 Selection, Deployment & Operations of IDS
18044 Information Security Incident Management
24762 Guidelines: Information & Communications Technology Disaster Recovery Services
27031 Guidelines for ICT Readiness for Business Continuity
27032 Guidelines for Cybersecurity
27033 Network Security
27034 Application security
27035 Information Security Incident Management
27036 Guidelines for Security of Outsourcing
27037 Guidelines for Identification, Collection, Acquisition, Preservation of Digital Evidence
29149 Best Practice on the Provision of Time Stamping Services

ISO/IEC JTC1 SC27 WG5 Identity Management & Privacy Technologies

24745 Biometric template protection
24760 Framework for Identity Management
24761 Biometric Authentication Context
29100 Privacy Framework
29101 Privacy Reference Architecture
29115 Entity Authentication Assurance
29146 Framework for Access Management
29190 Privacy Capability Maturity Models
29191 Requirements for Relative Anonymity with Identity Escrow

ISMS Family of Standards Roadmap

ISMS Family of Standards: Current Approach
ISMS Family of Standards: Emerging Direction

[Diagram of the ISMS Family of Standards, grouped as follows]

27000 Overview and Vocabulary
Provides background, terms and definitions applicable to the ISMS Family of Standards

27006 Certification Body Requirements
27001 Requirements
27007 Audit Guidelines

27002 Code of Practice
27003 Implementation Guidance
27005 Risk Management
27004 Measurements

27031 Business Continuity
27033 Network Security
27034 Application Security
27035 Incident Management
27036 Outsourcing
27037 Digital Evidence

27011 Telecommunications
27799 Health

Key:
Normative (Requirements) Standard
Informative (Guidelines) Standard
Fixed line: Supports

Dale Johnstone
Deputy Convenor, SC27 WG1
Chief Security Officer, Risk Management, PCCW
Chairman, ISMS International User Group (HK & Macau Chapter)
(dale.johnstone@pccw.com)
