ISO 27001

What is ISO 27001?

ISO 27000 is a series of management system standards concerned with assuring information security. Customers are increasingly concerned about providing data to their suppliers and are demanding controls. Scandals such as lost laptops and customer details turning up in dumpsters have accelerated the need for, and interest in, these standards.

The full series includes related standards and documents that cover key issues such as risk management and security controls. ISO 27001 deals specifically with the requirements to establish and maintain an information security management system.

There are two key documents.

  • ISO 27001 is the requirements document. It is written as a specification that can be audited and verified and is intended to be the basis of registration schemes. It is a generic, general standard for information security management and is applicable to any organization that wants to consciously control all information in the organization. The information security management system that it specifies requires organizations to establish a management system to identify their information assets, their value, their vulnerabilities and their threats. From this a probability can be established and linked to the value of the asset, so a quantitative risk can be determined and assigned to particular situations for that asset. This allows prioritization of risks and allows management to treat the risks with mitigating controls and other activities. They can also simply accept the security risk and live with the situation.
  • The standard does not require any specific risk to be addressed or control to be applied. It simply requires conscious determination, action or acceptance, and ultimately brings accountability. ISO 27001 does contain an annex of specific security controls which, although not exhaustive, provide a good basis for a sensible information security strategy; the annex refers to ISO 27002 (previously ISO 17799).
  • While the purpose of the standard is to drive information security improvement, it also requires control over, and improvement of, organizational support processes such as document control, competency, corrective action, etc. These support processes and the overall approach will be familiar to those already involved with ISO 9001 as they are basically the same requirements – these are the basic requirements to establish any management system to support organizational success.
  • ISO 27002 is technically a guidance document, although the requirements document ISO 27001 requires that these controls are at least addressed (including justification for any that are not included). The security controls cover topics such as physical security and facilities, continuity planning, HR, legal, networks, applications, development and operations. ISO 27002 introduces each subject by describing how its controls can assure and enhance information security, and then breaks each area down in some detail.

ISO 27001 is an excellent statement of commitment to protect customer (and other) information and is occasionally required by customers. It is internationally accepted and recognized, yet flexible enough for any organization. While, like any of the ISO standards, it is possible to abuse it, it is also possible to commit to it and benefit tangibly from it, including promoting a positive information security commitment that sometimes influences customers.

Need ISO 27001 Certification?

ISO certification process

Cavendish Scott is a full-service ISO management system consulting, auditing and training organization with decades of experience in international management system standards. Whether you need a quick and simple ISO certificate, cost-effective internal auditing or a complicated process improvement program – we are right for your project. We’re right for you.

Contact us today