ISO 27001 is the best practice specification that helps businesses and organizations throughout the world to develop a best-in-class Information security management system.
ISO 27001 is the first in a family of international information security standards (ISMS) that:
- will underpin and protect IT worldwide over the next decade,
- is designed to harmonise with ISO 9001:2008 and ISO 14001:2004 so that management systems can be effectively integrated,
- implements the Plan-Do-Check-Act (PDCA) model, and
- reflects the principles of the 2002 OECD guidance on the security of information systems and networks.
ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard (more below).
Most organizations have a number of information security controls. Without an ISMS, however, the controls tend to be somewhat disorganized and disjointed, having often been implemented as point solutions to specific situations or simply as a matter of convention. Maturity models typically refer to this stage as “ad hoc”. The security controls in operation typically address certain aspects of IT or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected on the whole. Business continuity planning and physical security, for example, may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
ISO 27001 requires that management:
- systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
- design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
The control areas listed in the standard's Annex A are:
- A.5 Security policy
- A.6 Organization of information security
- A.7 Asset management
- A.8 Human resources security
- A.9 Physical and environmental security
- A.10 Communications and operations management
- A.11 Access control
- A.12 Information systems acquisition, development and maintenance
- A.13 Information security incident management
- A.14 Business continuity management
- A.15 Compliance