ISO/IEC 27001
From Wikipedia, the free encyclopedia
ISO/IEC 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission. Its full name is ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements, but it is commonly known as "ISO 27001".
It is intended to be used in conjunction with ISO 17799, the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls. Organizations that implement an ISMS in accordance with the best practice advice in ISO 17799 are likely simultaneously to meet the requirements of ISO 27001, but certification is entirely optional.
This standard is the first in a family of information-security-related ISO standards which are expected to be assigned numbers within the 27000 series. Others are anticipated to include:
- ISO/IEC 27000 - a vocabulary or glossary of terms used in the ISO 27000-series standards
- ISO/IEC 27002 - the proposed re-naming of existing standard ISO 17799
- ISO/IEC 27003 - a new ISMS implementation guide
- ISO/IEC 27004 - a new standard for information security measurement and metrics
- ISO/IEC 27005 - a proposed standard for risk management, potentially related to the current British Standard BS 7799 part 3
- ISO/IEC 27006 - a guide to the certification/registration process
ISO 27001 was based upon, and replaced, BS 7799 Part 2, which has been withdrawn.
Several ISO affiliated national standards bodies have published localized versions of the standard. Generally speaking, these are simply language translations which retain the information content of ISO 27001.
Certification
The ISO 27000-series information security management standards align with other ISO management system standards, such as ISO 9001 (quality management systems) and ISO 14001 (environmental management systems), both in their general structure and in the way they combine best-practice guidance with certification requirements.
Certification of an organisation's ISMS against ISO/IEC 27001 is one means of providing assurance that the certified organisation has implemented a system for the management of information security in line with the standard. Credibility is the key advantage of being certified by a respected, independent and competent third party. The assurance it provides gives confidence to management, business partners, customers and auditors that the organization is serious about information security management - not perfect, necessarily, but at least on the right path to continuous, managed improvement.
Organizations may be certified compliant with ISO 27001 by a number of accredited certification bodies worldwide. Certification against any of the recognized national variants of ISO 27001 (e.g. the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO 27001 itself. Certification audits are usually led/conducted by ISO 27001 Lead Auditors.
In some countries, the bodies which verify conformity of management systems to specified standards are called "certification bodies"; in others they are called "registration bodies", "assessment and registration bodies", "certification/registration bodies", and sometimes "registrars".
ISO/IEC 27001 certification usually involves a two-stage audit process:
Stage 1 is a "table top" review of the existence and completeness of key documentation, such as the Security Policy, the Statement of Applicability, and the documentation of the Information Security Management System (ISMS) itself.
Stage 2 is a detailed, in-depth audit that tests the existence and effectiveness of the controls stated in the ISMS, as well as their supporting documentation.
Certification involves periodic reviews to confirm that the ISMS continues to operate as intended.
See also
- Cyber security standards
- International Organization for Standardization
- Standard of Good Practice published by the Information Security Forum
- ISO/IEC 27000
- ISO/IEC 17799
- BS 7799