ISO/IEC 27001:2005 (which is better known as ISO 27001) stemmed from the British Standard BS7799-2 and is the best practice specification that helps businesses across the world to develop a best-in-class Information Security Management System (ISMS). The standard was originally published jointly by the International Security Office (ISO) and the International Electrotechnical Commission (IEC).
But what exactly is an ISMS? It is essentially a systematic approach to managing confidential or sensitive corporate information so that it remains secure, available and confidential, with its integrity intact. It encompasses people, processes and IT systems. This has never been so important, as information is absolutely critical to all organisations and any breach of security could have serious consequences.
Information security is not just about anti-virus software, implementing the latest firewall or locking down laptops or web servers though. The overall approach to information security needs to be both strategic and operational in order to be practical and fit for purpose. This means different security initiatives must be prioritised, integrated and cross-referenced to ensure overall effectiveness. In essence an ISMS helps organisations to co-ordinate their security efforts – both electronic and physical – in a coherent and cost-effective manner.
These days information and information systems are the lifeblood of all organisations, and ISO 27001 sets out the specific requirements against which an organisation's ISMS can be audited and certified. ISO 27001 is also designed to harmonise with ISO 9001:2008, ISO 14001:2004, ISO 20000:2011 and other standards for effective management system integration. It also reflects the principles of the 2002 OECD guidance on the security of information systems and networks.
Implementing ISO 27001 can therefore help organisations to create a framework for compliance – embracing many regulatory standards and aiding the development of a system that is integrated, comprehensive and incorporates globally recognised best practices.
In many organisations expenditure on information security is already substantial and in some cases, where implementation has not been well structured, business effectiveness can be impeded and its value for money is therefore not clear. Done properly though, ISO 27001 can actually help organisations reduce their total information security expenditure, while increasing its effectiveness.
Certification International provides consultancy and services to assist organisations interested in ISO 27001. So whether you require a basic understanding of the standard, toolkits to accelerate an ISO 27001 project, or you are planning and implementing an ISO 27001 project from scratch, please do not hesitate to contact us.