ISO27000 implementation - Where do you get the standardization material?
The official route for documentation is through ISO/IEC - and papers cost 134 Swiss Francs each.
Various bodies have guidance papers, for example ISACA provide a range of ISO27001 material on topics such as implementing ISMS, aligning Cobit, ITIL and ISO27001 - but you have to be an ISACA member (if you need to, ask me how :-)
Alternatively, you can engage consultants to go through your needs and gain an understanding of what you might need to do. As an example, I have helped many large organisations align their security function with ISO27001:2005 - not to gain accreditation, as that can often be expensive overkill, but to gain the advantages a governance and security framework based on ISO27001 gives you.
You can, however, get a lot of good information from some free sources:
- http://www.itgovernance.co.uk/iso27001.aspx has a good ISMS guide and both the briefing paper and ISO27001 explained are worth a read.
- http://informationsecuritymanagement.co.uk/iso-27001-guide.php?gclid=COu59YiXgLECFZA24Qod4HK_6w also provides a free guide to achieving certification.
27000 itself is free, but the other standards in the family cost money, I'm afraid.
They can be purchased as a printed book or ebook directly from the ISO and the IEC themselves, at http://www.iso.org/iso/home/store.htm or from http://webstore.iec.ch/
It's also usually available from your local country's standards body. For Norway that is Standards Norway, who you can find at http://www.standard.no/
You may like to look through the following:
- http://www.27000.org/iso-27001.htm
- http://en.wikipedia.org/wiki/ISO/IEC_27001
To my knowledge, most ISO standard documents are not freely obtainable and have to be purchased from the ISO store (http://www.iso.org/iso/home/store.htm) or from the ISO member of one's own country, e.g. DIN in Germany. (For an eventual trick to save money, see my comment below.)