What is ISO 27001? - Definition from WhatIs.com

Definition

ISO 27001

What is ISO 27001?

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

  1. Define a security policy.
  2. Define the scope of the ISMS.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select control objectives and controls to be implemented.
  6. Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

Other standards being developed in the 27000 family are:

  • 27003 – implementation guidance.
  • 27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
  • 27005 – an information security risk management standard. (Published in 2008)
  • 27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
  • 27007 – ISMS auditing guideline.

This was last updated in September 2009
Posted by: Margaret Rouse

Email Alerts

Register now to receive SearchSecurity.co.uk-related news, tips and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

More News and Tutorials

  • Consider a compliance-driven security framework

    Midmarket companies bound to regulations such as PCI DSS, HIPAA and Sarbanes-Oxley should consider using these requirements as the basis for their security programs.

  • Q&A: Google to defend cloud computing security

    Cloud computing is changing the way we do business; the scalability, flexibility and cost savings are seductive, even irresistible. But, as with every "next big thing" in technology, security is a potential stumbling point. The distributed computing that makes the cloud model possible makes it difficult, perhaps impossible, for customers to implement and enforce the kind of controls they would normally exercise with service providers.

    Moreover, regulatory compliance can become an issue, as the very nature of cloud computing can impede on traditional controls and audit inspection. Google is one of the leaders in the young cloud computing market, and is trying to make a strong case for its security program. In this interview, Eran Feigenbaum, director of security for Google Apps, describes the security strengths and some of the limitations of cloud computing, and how Google works to ensure data security and privacy. Here are some excerpts.

    Feigenbaum will attend the 2009 RSA Conference in San Francisco, California and participate in a panel discussion titled: "Cloud computing – secure enough for primetime today?"

  • Standards and guidelines for system hardening

    When hardening a system, what specific standards or guidelines should information security pros adhere to? Security management expert Mike Rothman explains.

Do you have something to add to this definition? Let us know.

Send your comments to techterms@whatis.com