is legitimate to evaluate how easily ISO/IEC 27001 could be deployed across SMEs.
This research work relies on the expertise that has been developed for several years at CRP Henri Tudor in information security [8], in the assessment and improvement of processes using the ISO/IEC 15504 standard (Process assessment) in several sectors and disciplines [9][10][11], in downsizing standards for SMEs, and in transferring competences to the market via the development of labels and/or certifications [12].
The particular underlying research project, which develops the ISMS implementation guide for SMEs, aims at helping them move towards the implementation of a simpler ISMS. This paper thus focuses on the following research questions:
1. What are the specific needs of SMEs regarding ISMS?
2. How can we adapt ISO/IEC 27001 to best suit SMEs?
The paper is structured as follows: Section 2 presents the ISO/IEC 27001 standard. Then, Section 3 presents our research method. Section 4 discusses the initial experiment that triggered the definition of our particular objectives for an ISMS implementation guide adapted to SMEs. Section 5 reports the various steps of the elaboration of the guide. Section 6 presents the future work required by the project. Finally, Section 7 concludes this paper and opens discussions regarding the research method and the strengths and weaknesses of the results.
2 The ISO/IEC 27001 Standard
The outcome of an ISO/IEC 27001 certification is the effective establishment and management of an ISMS. Relying upon quality management and ISO 9001 [13] principles, it is built around a PDCA (Plan-Do-Check-Act) cycle, whose objective is the continual improvement of information security.
For an organisation to be certified, it is necessary to be compliant with the set of normative requirements defined in the ISO/IEC 27001 standard. Those requirements are expressed in Sections 4 to 8 of the standard [4]. The other sections are considered to be informative, and thus are not mandatory for the certification. The set of normative requirements can be summarised as represented in Figure 1. This figure presents the different parts of the standard, structured by sections.
First of all, it is necessary to establish and manage the ISMS by following the PDCA cycle, composed of four iterative steps (described from Section 4.2.1 to Section 4.2.4). These steps are supported by specific documentation, whose requirements are explained in Section 4.3. Along with the documentation, they represent the core requirements that one should satisfy to be certified. Additionally, some requirements are especially developed in a dedicated section, because of their importance or complexity. The first one in this case is the management responsibility, describing where it is necessary for the management to be specifically involved (Section 5). A section is dedicated to the way to perform the internal ISMS audits, which are mandatory (Section 6). Regular management reviews are also necessary in the cycle (Section 7). Finally, the normative requirements sections end with requirements on how to perform the ISMS improvement (Section 8).