ISO 27001

GENERAL INFORMATION

Information security problems remain a live concern. Having an information security management system that complies with the requirements of the international standard ISO 27001:2005 helps an organization protect its assets and ensure the integrity, reliability and confidentiality of its information.

An information security management system (ISMS) is that part of the overall management system, based on a business risk approach, which establishes, implements, operates, monitors, reviews, maintains and improves information security.

ISO 27001 specifies requirements for organizations of any type, regardless of their size, area of activity or geographical location.

HISTORY OF THE STANDARD

In response to the growing needs of society, a working group devoted to the development of information security standards was first established in the early 1990s, resulting in a “Code of Practice for Information Security Management” published in 1993. This work evolved into the first version of the British standard BS 7799, released in 1995. In 1998 BS 7799 was revised; by then the standard consisted of two parts, one containing the code of practice and the other the requirements for information security management systems.

ISO 27001 in Modern Business

  • Risk Assessment
  • Management Involvement
  • Online Services
  • No Improvements Required
  • Encryption to be Updated
  • Off-site Working

In the course of further revisions the first part was published as BS 7799:1999, Part 1, and then as ISO/IEC 17799:2000. ISO/IEC 17799 was reviewed again and published as ISO/IEC 17799:2005, after which it was renumbered as ISO/IEC 27002:2005. A new revision of the second part of the British standard was issued as BS 7799:2002, Part 2, and in June 2007 it was published by ISO, the International Organization for Standardization, as ISO 27001:2005.

STRUCTURE OF THE STANDARD

The international standard ISO 27001:2005 specifies the requirements for an ISMS, which shall be built on the key components listed below.

The requirements specified in ISO 27001 are general and designed to apply to all organizations, regardless of their type, size and characteristics. ISO 27001 ensures:

  1. definition of objectives, direction and principles of activity in respect of information security;
  2. definition of the organization’s approach to risk assessment and risk management;
  3. management of information security in compliance with applicable legislation and regulatory requirements;
  4. application of a process approach to the development, implementation, operation, monitoring, analysis, maintenance and improvement of the management system so that the information security objectives are met;
  5. definition of the information security management system processes;
  6. determination of the status of the arrangements for providing information security;
  7. use of internal and external audits to determine the degree to which the information security management system complies with the requirements of the standard;
  8. provision of adequate information on the information security policy to partners and other stakeholders.

INTEGRATION WITH OTHER STANDARDS

An information security management system can be integrated with any other management system, e.g. a quality management system compliant with ISO 9001, an environmental management system compliant with ISO 14001, a service management system compliant with ISO 20000, and others.

Currently, the series of standards describing the information security management system model includes:

  1. ISO/IEC 27000:2009, Information technology. Security techniques. Information security management systems. Overview and vocabulary; provides the glossary for information security management systems;
  2. ISO/IEC 27001:2005, Information technology. Security techniques. Information security management systems. Requirements;
  3. ISO/IEC 27002:2005, Information technology. Security techniques. Code of practice for information security management; provides a code of best practice for information security management;
  4. ISO/IEC 27003:2010, Information technology. Security techniques. Information security management system implementation guidance;
  5. ISO/IEC 27004:2009, Information technology. Security techniques. Information security management. Measurement; deals with metrics and the assessment of an information security management system;
  6. ISO/IEC 27005:2011, Information technology. Security techniques. Information security risk management;
  7. ISO/IEC 27006:2011, Information technology. Security techniques. Requirements for bodies providing audit and certification of information security management systems;
  8. ISO/IEC 27007:2011, Information technology. Security techniques. Guidelines for information security management systems auditing; specifies the main requirements for information security auditors in addition to those of ISO 19011;
  9. ISO/IEC TR 27008:2011, Information technology. Security techniques. Guidelines for auditors on information security controls; focuses mainly on auditing information security controls and is closely related to ISO/IEC 27002;
  10. ISO/IEC 27011:2008, Information technology. Security techniques. Information security management guidelines for telecommunications organizations based on ISO/IEC 27002;
  11. ISO/IEC 27031:2011, Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity;
  12. ISO/IEC 27799:2008, Health informatics. Information security management in health using ISO/IEC 27002; provides guidance on implementing ISO/IEC 27002 in the medical sector.

BENEFITS FROM IMPLEMENTATION AND CERTIFICATION

  • enhanced trust from customers, partners and other stakeholders, international recognition, and promotion of the company’s image on the domestic and international market;
  • demonstration of a defined level of information security that ensures the confidentiality of all stakeholders’ information;
  • increased value of intangible assets and reduced insurance premiums, which add value to the company;
  • reduced operating costs and elimination of cross-financing within a unified ISMS;
  • broader options for the company to take part in government contracts.

Get in Touch

Exclusive Territory Partner Opportunity with W3 Solutionz

Are you interested in becoming a W3 Solutionz Partner? Click here to read more about this opportunity.