What is ISO 27001?
ISO 27001 is an international standard published by the International Organization for Standardization (ISO), and it describes how to manage information security in a company. The latest revision of this standard was published in 2013, and its full title is now ISO/IEC 27001:2013. The first revision of the standard was published in 2005, and it was developed based on the British standard BS 7799-2.
ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large. It was written by the world’s best specialists in the field of information security and offers methodology for the implementation of information security management in an organization. It also allows companies to become certified, which means that an independent certification body has confirmed that an organization has implemented information security compliant with ISO 27001.
Advantages of establishing an ISMS:
- Awareness of information security risks
- Security of assets according to the organization's needs
- Establishing business continuity through effective incident management
- Competitiveness
- Profitability
- Corporate image
- Legal and statutory compliance
History of the ISO/IEC 27001 ISMS:
- BS7799:1995; part 1 issued
- BS7799-2:1998; part 2 issued
- BS7799-2:1999; part 2 revised
- ISO/IEC 17799:2000; issued
- BS7799-2:2001; part 2 improved
- BS 7799-2:2002; harmonized with the other management system standards (ISO 9001:2000 and ISO 14001:1996), Plan-Do-Check-Act (PDCA) model introduced
- ISO/IEC 27001:2005; Information security management system; replaced BS 7799-2
- ISO/IEC 27002:2005; Code of practice; replaced ISO/IEC 17799:2005
Principles of the ISO/IEC 27001 ISMS
ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
The process approach for information security management presented in the Standard encourages companies to emphasize the importance of:
- understanding an organization’s information security requirements and the need to establish policy and objectives for information security;
- implementing and operating controls to manage an organization’s information security risks in the context of the organization’s overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS; and
- continual improvement based on objective measurement.
ISO/IEC 27002:2005 provides implementation guidance that can be used when designing controls.
Contents of ISO/IEC 27001:
- 0 Introduction
  - 0.1 General
  - 0.2 Process approach
  - 0.3 Compatibility with other management systems
- 1 Scope
  - 1.1 General
  - 1.2 Application
- 2 Normative references
- 3 Terms and definitions
- 4 Information security management system
  - 4.1 General requirements
  - 4.2 Establishing and managing the ISMS
    - 4.2.1 Establish the ISMS
    - 4.2.2 Implement and operate the ISMS
    - 4.2.3 Monitor and review the ISMS
    - 4.2.4 Maintain and improve the ISMS
  - 4.3 Documentation requirements
    - 4.3.1 General
    - 4.3.2 Control of documents
    - 4.3.3 Control of records
- 5 Management responsibility
  - 5.1 Management commitment
  - 5.2 Resource management
    - 5.2.1 Provision of resources
    - 5.2.2 Training, awareness and competence
- 6 Internal ISMS audits
- 7 Management review of the ISMS
  - 7.1 General
  - 7.2 Review input
  - 7.3 Review output
- 8 ISMS improvement
  - 8.1 Continual improvement
  - 8.2 Corrective action
  - 8.3 Preventive action
- Annex A (normative) Control objectives and controls
- Annex B (informative) OECD principles and this International Standard
- Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard