Problem solve Get help with specific problems with your technologies, process and projects.

How can a call center achieve compliance with ISO 27001?

Before you begin putting the pieces of your security program together, you may want to have a look at ISO 27001. In this expert Q&A, Shon Harris explains the framework and how it can identify and address an organization's security risks.

If a call center's IT department is working toward ISO 27001 compliance, what needs should be addressed?

The ISO 27001 is really a new and improved BS 7799-2 standard. BS 7799-2 outlined the best practices to follow when building a security program. The regulation previously determined how an organization's security program components should be tested and BS 7799-2 certified. Enterprises had used BS 7799-2 to not only make sure that they were prepared to build and maintain their security programs, but they had also used the framework to boost the confidence of customers and shareholders.

In 2000, BS 7799, a de facto standard, was finally adopted by the International Standards Organization (ISO) and released as ISO 17799. BS 7799-2, however, has been replaced with ISO 27001. ISO 27001 defines the components of an information security management system, a plan for monitoring, measuring and controlling information security as a whole.

ISO 27001 also provides a methodology on how to create and certify a security program, but does not get into the specific, essential pieces that are needed for it – that level of granularity is provided by ISO 17799. So in layman's terms, ISO 27001 tells you "here is a way to build a security program and how to get certified" and ISO 17799 tells you "here are the necessary pieces for that security program."

The ISO 27001 standard requires an organization to select its own security objectives and controls. So the question of what needs should be addressed in a call center can only be answered by the organization itself. ISO 27001, like all standards, is high-level and has to apply to all types of organizations. The standard, therefore, will not dictate your controls. You have to decide the controls yourself and determine the necessary components, like risk analysis, monitoring, documentation, etc.

Once your organization develops its security objectives and controls, it must create a statement of applicability. Using supporting evidence, the statement describes how an organization has interpreted and applied the standard. It links your company's unique security risks and requirements to the controls that have been put into place. The SOA specifies the scope of certification and creates a detailed risk treatment plan, indicating how to identify and mitigate risk in your unique environment.

To learn more about the security objectives and controls, your company can purchase ISO 17799, which provides more in-depth guidelines for security controls.

Most organizations have some type of security program in place and can carry out a gap analysis that determines what controls and processes currently comply with the requirements of ISO 27001. This analysis allows the organization to pinpoint its needs before becoming formally certified.

More on this topic

  • Read a book excerpt on regulatory compliance and ISO 27001.
  • Develop an infosec program using SABSA and ISO 17799.


This was last published in January 2007

Dig Deeper on Security audit, compliance and standards