ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for Information Security Management System (ISMS). ISMS is a system of approaches and techniques that incorporates all legal, physical and specialized controls included in an organization’s information risk management process. As indicated by its documentation, ISO 27001 was created to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” ISO 27001 incorporates a top down, risk based approach and is technology-neutral.
The specification defines a six-part planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
The specification incorporates elements for documentation, management obligations, internal audits, continual improvement, and remedial and preventive action. The standard requires participation among all segments of an association.
The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
The 27001 standard does not mandate particular data security controls, but rather it gives an agenda of controls that ought to be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard portrays an extensive arrangement of data security control objectives and an arrangement of acknowledged good practice security controls.
ISO 27002 contains 12 main sections:
- Risk assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
Enterprises should apply these controls suitably in accordance with their particular risks. Outsider licensed accredited certification is prescribed for ISO 27001 conformance.
For know more about how to keep your information assets secure by applying ISO 27001 standards, join Dr. Michael C. Redmond, in a live webinar titled “How to Apply ISO 27001 Principles to Enterprise Risk Management in 2016”. During the Webinar, Michael will help you learn to use the ISO standards in your organization’s risk management system keeping in mind their benefits. This session aims to arm you with the appropriate knowledge on the ways to fit ISO 27001 in your organization as the main structure for information security management.