What is ISO/IEC 27001?
ISO/IEC 27001 is the most widely recognized international standard specifically aimed at information security management. The decision to adopt it is strategic, allowing the coordination of all operational security controls across an organization’s electronic and physical information assets.
ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization's overall business risks. It is designed to ensure the selection of adequate and proportionate security controls that protect business assets and give confidence to all interested parties.
ISO/IEC 27001 allows organizations to demonstrate excellence and prove best practice in information security management using evidence-based benchmarks.
Its adoption has grown rapidly in the international arena of IT service providers. Compliance with the standard has become a competitive differentiator.
Where did ISO/IEC 27001 come from?
In 1999, the BSI Group published a British code of practice for information security management, known as BS 7799. It was well-received and widely adopted, becoming a national set of guidelines that were ultimately used internationally.
A year later, BS 7799 was submitted as a fast-track candidate to become ISO/IEC 17799. In 2002, a second part to BS 7799 was published. This was an information security management specification, rather than a code of practice. It began the process of alignment with other management standards such as ISO 9001.
In 2005, ISO 27001 was published. It replaced BS 7799 (Part 2), which was withdrawn. The specification is now owned and published by ISO, the International Organization for Standardization, based in Geneva.
ISO 27001 is aligned with other management systems, such as ISO/IEC 20000.
Who is ISO/IEC 27001 for?
ISO/IEC 27001 is suitable for several different types of use. It can be used by organizations:
- To determine the status of information security management activities.
- To formulate security requirements and objectives.
- As a way to ensure that security risks are cost-effectively managed.
- To ensure compliance with laws and regulations.
- As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met.
It is also relevant to service providers that want to:
- Identify and clarify existing information security management processes.
- Define new information security management processes.
- Provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons.
ISO/IEC 27001 can be useful to internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization.