Browse Definitions :
Definition

ISO 27001

What is ISO 27001?

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

  1. Define a security policy.
  2. Define the scope of the ISMS.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select control objectives and controls to be implemented.
  6. Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

Other standards being developed in the 27000 family are:

  • 27003 – implementation guidance.
  • 27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
  • 27005 – an information security risk management standard. (Published in 2008)
  • 27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
  • 27007 – ISMS auditing guideline.
This was last updated in September 2009
SearchCompliance
  • ISO 31000 Risk Management

    The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for ...

  • pure risk

    Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.

  • risk reporting

    Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.

SearchSecurity
  • Pretty Good Privacy (PGP)

    Pretty Good Privacy or PGP was a popular program used to encrypt and decrypt email over the internet, as well as authenticate ...

  • email security

    Email security is the process of ensuring the availability, integrity and authenticity of email communications by protecting ...

  • Blowfish

    Blowfish is a variable-length, symmetric, 64-bit block cipher.

SearchHealthIT
SearchDisasterRecovery
  • What is risk mitigation?

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • fault-tolerant

    Fault-tolerant technology is a capability of a computer system, electronic system or network to deliver uninterrupted service, ...

  • synchronous replication

    Synchronous replication is the process of copying data over a storage area network, local area network or wide area network so ...

SearchStorage
  • direct access

    In computer storage, direct access is the process of reading and writing data on a storage device by going directly to where the ...

  • kibi, mebi, gibi, tebi, pebi and exbi

    Kibi, mebi, gibi, tebi, pebi and exbi are binary prefix multipliers that, in 1998, were approved as a standard by the ...

  • holographic storage (holostorage)

    Holographic storage is computer storage that uses laser beams to store computer-generated data in three dimensions.

Close