What is ISO 27001? ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements (commonly known as ISO 27001) is a set of best practices that defines a certifiable information security management system (ISMS). The framework establishes the general principles to initiate, implement, maintain and continually improve an ISMS within the organisation. Compliance with ISO 27001 assures the organisation that it addresses information security issues in a holistic manner. More importantly, it assures its clients and partners that information security is regarded as an important subject.
An organisation that has been certified as ISO 27001 compliant will have a commercial edge over its non-compliant competitors. It will be more likely to be trusted by its partners than its competitors are. Would you trust a driver who holds a driving licence more than one who does not? While neither guarantees an accident-free ride, the licensed driver is obviously more trusted, because the licence proves that they possess expertise in that field.
It also demonstrates the commitment of the management team to information security. The implementation of the standard takes into account the organisation's own expectations and requirements. For example, you can have, as a requirement, to avoid disclosure of the organisation's financial information.
This leads to specific measures intended to prevent such a disclosure and to minimise the impact if a disaster happens.
ISO 27001 is based on the Plan – Do – Check – Act (PDCA) model. The phases are:
- Establishing the ISMS (Plan)
- Implementing and operating the ISMS (Do)
- Monitoring and reviewing the ISMS (Check)
- Maintaining and improving the ISMS (Act)
ISO 27001 specifies a series of objectives and controls grouped in the following areas:
- Security policy
- Organizational security
- Asset classification and control
- Personnel security
- Communications and operations management
- Physical and environmental security
- Access control
- System development and maintenance
- Business continuity management
- Compliance
Security is a process and not a project. Once you have everything in place (including the certification badge on the wall, if you wish to be certified) you have to go back to the first step. From time to time (depending on your organisation's requirements) you will need, for example, to reassess the information security risks. This is done by conducting an information risk assessment followed by a risk treatment plan. It is required because of the natural changes that happen within the organisation and because external threats change over time.
ISO 27001 is for information security what ISO 9001 is for quality or ISO 14001 is for the environment. The International Organization for Standardization developed the standard in such a way that it integrates smoothly with other management system requirements (e.g. ISO 9001).
I hope I have answered the question "What is ISO 27001?". If you need any aspect clarified, please use the feedback form below. Stay safe!