ISO/IEC 27001:2005 was developed to provide a specification for an ISMS (information security management system) and the basis for third-party audits and certification. It helps organizations identify, assess and treat risks to their information. The standard is used together with the code of practice ISO/IEC 17799:2005, which supplies the catalogue of controls referenced in its Annex A; that code of practice was subsequently renumbered ISO/IEC 27002, and ISO/IEC 27004 (measurement) followed, so that BS ISO/IEC 27001 became the core of the ISO/IEC 27000 series. Note that the 2005 edition has since been superseded (by ISO/IEC 27001:2013 and later revisions), so the clause numbering and process model described below apply to the 2005 text.
The standard exists so that organizations can establish, operate and maintain an effective information security management system, following the principle of continual improvement. It also follows the principles set out by the OECD (Organisation for Economic Co-operation and Development) in its guidelines for the security of information systems and networks.
ISO/IEC 27001:2005 is broken into the following sections:
- Scope
- Normative references
- Terms and definitions
- Information security management system
- Management responsibility
- Internal ISMS audits
- Management review of the ISMS
- ISMS improvement
- Annex A: control objectives and controls (the normative list of controls an organization selects from, derived from ISO/IEC 17799:2005).
The standard requires the following steps to establish the ISMS (clause 4.2.1):
- Define the scope and boundaries of the information security management system
- Define and approve an information security policy
- Define the risk assessment approach, then identify, analyse and evaluate the security risks
- Treat the identified risks: for each one, apply controls, knowingly accept it, avoid it, or transfer it to another party
- Select the control objectives and controls to be implemented, and obtain management approval of the residual risks
- Prepare an SoA (a "statement of applicability") recording which Annex A controls are selected, why, and which are excluded and on what justification.
ISO/IEC 27001:2005 is harmonized with other management system standards such as ISO 9001 and ISO 14001 and uses the same Plan-Do-Check-Act (PDCA) model found in those standards (later revisions of ISO/IEC 27001 no longer mandate PDCA explicitly). Certification against ISO/IEC 27001 demonstrates to your stakeholders that information security is addressed systematically within your organization and that you have a working process for dealing with information security risks; it is not by itself evidence that any particular control is effective, which is what the internal audits, management reviews and external audits are there to check.
ISO/IEC 27001:2005 helps organizations with the following areas, which correspond to the control clauses of Annex A:
- management direction and support for information security (security policy)
- management of information security within the organization
- identification of assets and how to protect them (asset management)
- reduction of risk due to human error, theft, fraud or misuse of facilities (human resources security)
- prevention of unauthorized physical access, damage or interference (physical and environmental security)
- management of information processing facilities (communications and operations management)
- access control
- securing information systems throughout acquisition, development and maintenance
- reporting and handling information security incidents
- counteracting the effects of major failures (business continuity management)
- ensuring compliance with laws, regulations and contracts