ISO 27001

The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard, first published in the nineties as a code of practice. ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. A scheme has been introduced by various certification bodies for conversion from BS7799 certification to ISO 27001 certification.

ISO 27001, titled "Information Security Management - Specification With Guidance for Use", is the replacement for the original document, BS7799-2. It is intended to provide the foundation for third-party audit, and is 'harmonized' with other management standards, such as ISO 9001 and ISO 14001.

The basic objective of the standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organisation for Economic Co-operation and Development) principles governing the security of information and network systems.

ISO 27001 has 11 domain areas, 39 control objectives and 133 controls in all. The security controls represent information security best practices and the standard suggests that these controls should be applied depending on the business requirements.

ISO 27001 suggests development and implementation of a structured Information Security Management System (ISMS), which governs the security implementation and monitoring in an enterprise. The standard is designed to serve as a single 'reference point for identifying the range of controls needed for most situations where information systems are used'.