ISO Standards


IT Security Consulting ISO/BS

INFORMATION SECURITY MANAGEMENT SYSTEM

A standard is a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. Standards define best practice in many different areas. They’re put together by groups of experts, consumers, research organizations, government departments and more and come in a number of different kinds, from a set of definitions to a series of strict rules. Standards are agreed ways of doing something, written down as a set of precise criteria so they can be used as rules, guidelines or definitions. ISO International Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors, and increasing productivity. They help companies to access new markets, level the playing field for developing countries and facilitate free and fair global trade. Standards come in a number of different forms. Some tell you how to do something in great detail, others give more general information, others simply define terms.

ISMS: ISO 27001:2013 – Information Security Management

ISO/IEC 27001 Information Security Management

ISO/IEC 27001 is the international standard for information security management. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data is protected, and help achieve preferred supplier status helping to win new business.

The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to them by third parties. ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS).

Securing information assets is critical to an organization’s success. When properly managed, it allows you to operate with confidence. Information security management gives you the freedom to grow, innovate, and broaden your customer base with the knowledge that all of your confidential information will remain private.

Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed.

ISO 22301:2012 – Business Continuity Management System

ISO 22301, the world’s first international standard for Business Continuity Management (BCM), has been developed to help organizations minimize the risk of disruptions. ISO has officially launched ISO 22301 – Business continuity management systems, the new international standard for Business Continuity Management Systems (BCMS). This standard will replace the current British standard BS 25999.

ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise. The requirements specified in ISO 22301 are generic and intended to be applicable to all organizations, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.

Business continuity standardization evolves with ISO 22301 by adding:

• Greater emphasis on setting the objectives, monitoring performance and metrics.
• Clearer expectations on management.
• More careful planning for and preparing the resources needed for ensuring business continuity.

ISO 22301 applies to all types and sizes of organizations that wish to:

• establish, implement, maintain and improve a BCMS;
• assure conformity with the organization’s stated business continuity policy;
• demonstrate conformity to others;
• seek certification/registration of its BCMS by an accredited third party certification body; or
• make a self-determination and self-declaration of conformity with this International Standard.

ISO 20000:2011 – Service Management System

ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.

ISO/IEC 20000-1:2011 can be used by:

• an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled.
• an organization that requires a consistent approach by all its service providers, including those in a supply chain.
• a service provider that intends to demonstrate its capability for the design, transition, delivery, and improvement of services that fulfill service requirements.
• a service provider to monitor, measure and review its service management processes and services.
• a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS.
• an assessor or auditor as the criteria for a conformity assessment of a service provider’s SMS to the requirements in ISO/IEC 20000-1:2011.

ISO 31000:2009 – Risk Management Framework

ISO 31000:2009, Risk management – Principles and guidelines, provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.

ISO 31000 cannot be used for certification purposes, but it does provide guidance for internal or external audit programmes. Organizations using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.

ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000:2009 is not specific to any industry or sector. ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. ISO 31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

ISO 38500:2008 – IT Governance

ISO/IEC 38500:2008 provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.

ISO/IEC 38500:2008 applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization, by external service providers, or by business units within the organization. It also provides guidance to those advising, informing, or assisting directors.

They include:

• senior managers.

• members of groups monitoring the resources within the organization.

• external business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies.

• vendors of hardware, software, communications and other IT products.

• internal and external service providers (including consultants).

• IT auditors.

Enterprise Integration Architecture

The evolution of integration technologies is undergoing a major transformation with the introduction of new technology solutions as well as new methods, standards, and practices. The emergence of the Application Server Platform Suite and Web Services is poised to take the solutions focused on EAI one step closer to the goal of a complete enterprise integration model. By employing these new platforms and approaches while adhering to a set of guiding principles critical to any integration effort, the modern enterprise has its best tool set yet for reaching its business and application integration goals. Enterprise Application Integration (EAI), also known as “middleware,” provides the infrastructure to connect information sources, acting as a go-between for applications and their business processes.

In implementing EAI solutions, organizations have been able to realize various benefits, including:

• Reduced development and maintenance costs

• Enhanced performance and reliability

• Implementation of a centralized information bus

• Extension of the legacy system lifecycle

• Reduced time to market

ISO 24762:2008 – Disaster Recovery

ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management. This standard applies to both “in-house” and “outsourced” IT service providers (scope: disaster recovery) of physical facilities and services.

ISO/IEC 24762:2008 specifies:

• the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities;

• the capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate organizations’ recovery efforts;

• the guidance for the selection of a recovery site; and

• the guidance for ICT DR service providers to continuously improve their ICT DR services.

ISO 14001:2004 – Environmental Management

The ISO 14000 family of standards provides practical tools for companies and organizations of all kinds looking to manage their environmental responsibilities.

ISO 14001:2004 and its supporting standards such as ISO 14006:2011 focus on environmental systems to achieve this. The other standards in the family focus on specific approaches such as audits, communications, labelling and life cycle analysis, as well as environmental challenges such as climate change.

ISO 14001:2004 sets out the criteria for an environmental management system and can be certified to. It maps out a framework that a company or organization can follow to set up an effective environmental management system. It can be used by any organization regardless of its activity or sector.

Using ISO 14001:2004 can provide assurance to company management and employees as well as external stakeholders that environmental impact is being measured and improved.

It has proven benefits. A survey of over 5000 users showed:

• 75% of users found it valuable for meeting legal requirements and improving the organization’s environmental performance

• Over 60% rated it highly for achieving management commitment and employee engagement

• Over half rated it as valuable for business management, most notably for meeting stakeholder requirements and improving public image

• Over 75% indicated that use of the standard gave them a competitive advantage and 63% gained a financial benefit

ISO 55000:2014 – Asset Management System

The International Organization for Standardization (ISO) released its first series of standards on asset management in January 2014. ISO 55000 defines asset management as the “coordinated activity of an organization to realize value from assets”. In turn, assets are defined as follows: “An asset is an item, thing or entity that has potential or actual value to an organization”. This is deliberately wider than physical assets, but these form an important focus for most organizations.

(NB: there are important qualifying Notes to these definitions, which are set out in ISO 55000.)

Asset management involves the balancing of costs, opportunities and risks against the desired performance of assets, to achieve the organizational objectives. This balancing might need to be considered over different timeframes.

Asset management also enables an organization to examine the need for, and performance of, assets and asset systems at different levels. Additionally, it enables the application of analytical approaches towards managing an asset over the different stages of its life cycle (which can start with the conception of the need for the asset, through to its disposal, and includes the managing of any potential post disposal liabilities).

Asset Management is the art and science of making the right decisions and optimizing the delivery of value. A common objective is to minimize the whole life cost of assets but there may be other critical factors such as risk or business continuity to be considered objectively in this decision making.

Occupational Health & Safety System

OHSAS 18000 is an international occupational health and safety management system specification. It comprises two parts, 18001 and 18002, and embraces a number of other publications. It is intended to help organizations control occupational health and safety risks. It was developed in response to widespread demand for a recognized standard against which to be certified and assessed.

The OHSAS specification is applicable to any organisation that wishes to:

• Establish an OH&S management system to eliminate or minimise risk to employees and other interested parties who may be exposed to OH&S risks associated with its activities

• Assure itself of its conformance with its stated OH&S policy

• Demonstrate such conformance to others

• Implement, maintain and continually improve an OH&S management system.

• Make a self-determination and declaration of conformance with this OHSAS specification.

• Seek certification/registration of its OH&S management system by an external organization.