The ISO 27001 Standard (ISO/IEC 27001:2005) is the international standard describing best practice for an Information Security Management System.
The ISO 27001 Information Security Management standard can be applied to all types of organisation. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organisation's overall business risks, and requires that the security controls implemented be customised to the needs of the individual organisation.
ISO 27001 - giving confidence to the value chain
Designed to ensure that adequate and proportionate security controls are used to protect information assets, ISO 27001 aims to give confidence to an organisation's stakeholders across the whole value chain. The standard can be used to:
- formulate security requirements and objectives;
- ensure that security risks are managed cost-effectively;
- ensure compliance with laws and regulations;
- provide a process framework for implementing and managing controls so that an organisation's specific security objectives are met;
- define new information security management processes;
- identify and clarify existing information security management processes;
- determine the status of information security management activities;
- determine the degree of compliance with the policies, directives and standards adopted by an organisation;
- provide relevant information about information security policies, directives, standards and procedures to trading partners and other organisations with which it interacts for operational or commercial reasons;
- implement business-enabling information security;
- provide relevant information about information security to customers.
ISO 27001 information security management
An Information Security Management System is a systematic approach to managing confidential or sensitive corporate information so that it remains secure, that is, available, confidential and with its integrity intact. It encompasses people, processes and IT systems.
Information security is not just about anti-virus software, implementing the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.
An Information Security Management System (ISMS) helps you coordinate all your security efforts – both electronic and physical – coherently, consistently and cost-effectively. ISO 27001:
- will underpin and protect IT worldwide over the next decade;
- harmonises with ISO 9001:2008, ISO 14001:2004, ISO 20000 and others for effective management system integration;
- implements the Plan-Do-Check-Act (PDCA) model; and
- reflects the principles of the 2002 OECD guidance on the security of information systems and networks.
IT Security Legislation
ISO 27001 can help organisations create a framework for compliance with many legal and regulatory requirements.