Understanding ISO 27001

ISO 27001 information securityToday, to one degree or another, every organization is concerned with computer security. Network firewalls, password-controlled access to IT systems and specific applications, important files stored in encrypted form – all of these techniques help to prevent unauthorized access to and use of information.

Increasingly, though, it’s recognized that what’s needed to maintain information security at the very highest levels is a comprehensive set of policies and best practices that encompass not only technical safeguards but also day-to-day management procedures. And in 2005, this thinking resulted in a formal set of policies and procedures known as ISO 27001:2005.

The policies described by ISO 27001:2005 seek to improve the quality of an organization’s information security management system, or ISMS. These policies aim to help the organization to examine risks and vulnerabilities, to design and implement the controls needed to address those risks, and to set up a management process that makes sure the controls remain effective over the long-term, even as technologies and the organization itself evolves. The goal is to be as comprehensive as possible and replace the kinds of inconsistent, ad hoc controls often found in large organizations.

Once an organization has implemented the ISO policies and had the relevant procedures formally audited by another, specially authorized group, the organization will enjoy a new standing among its business partners. Its customers, suppliers, and other partners will be assured that the organization is, as it were, doing the right thing when it comes to protecting all information that needs protecting.

The ISO 27001:2005 is based on a standard ISO model known as Plan-Do-Check-Act. (It actually was first described by quality control guru Dr. W. Edwards Deming.) In broad strokes, this cycle calls, first, for an organization to assess its security risks and select appropriate controls. This means examining not only the protection of digital information it stores in computers but also any sensitive information kept in paper or other physical form.

Next, the selected controls must be put in place and the appropriate people trained to use each of them properly. And with that done, the controls must then be put into operation wherever necessary.

Once the controls are up and running, the organization needs to review and evaluate their operation, making sure each one is doing what it’s supposed to with maximum efficiency and effectiveness.

Finally, the organization must make changes where necessary to ensure that any gaps found in the previous step get closed.

In brief, ISO 27001:2005 is based on the idea that information security depends mainly on people doing the right things, not solely the use of specialized security technologies. Indeed, it assumes that the actions of employees, not those of hackers and other outsiders, are the main threat to security. It’s not that every employee must be viewed as potentially a self-interested criminal, but that without the proper procedures and checks in place, the  inadvertent mistakes that people make while doing their daily jobs can compromise security and open the organization to unwanted risk.