In 2000, BS 7799, until then a de facto standard, was formally adopted by the International Standards Organization (ISO) and released as ISO 17799. Its second part, BS 7799-2, has since been replaced by ISO 27001. ISO 27001 defines the components of an information security management system (ISMS): a plan for monitoring, measuring and controlling information security as a whole.
ISO 27001 also provides a methodology for creating and certifying a security program, but it does not get into the specific, essential pieces that such a program needs – that level of granularity is provided by ISO 17799. In layman's terms, ISO 27001 tells you "here is a way to build a security program and how to get certified," and ISO 17799 tells you "here are the necessary pieces for that security program."
The ISO 27001 standard requires an organization to select its own security objectives and controls, so the question of which needs should be addressed in a call center can only be answered by the organization itself. ISO 27001, like all such standards, is high-level and has to apply to every type of organization. The standard, therefore, will not dictate your controls. You have to choose the controls yourself and determine the necessary supporting components, such as risk analysis, monitoring and documentation.
Once your organization has developed its security objectives and controls, it must create a statement of applicability (SOA). Using supporting evidence, the statement describes how the organization has interpreted and applied the standard, linking your company's unique security risks and requirements to the controls that have been put in place. The SOA specifies the scope of certification and is accompanied by a detailed risk treatment plan, indicating how risk will be identified and mitigated in your particular environment.
To learn more about the security objectives and controls, your company can purchase ISO 17799, which provides more in-depth guidelines for security controls.
Most organizations already have some type of security program in place and can carry out a gap analysis to determine which existing controls and processes comply with the requirements of ISO 27001. This analysis lets the organization pinpoint what still needs to be done before seeking formal certification.
This was first published in January 2007