ISO 27001

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

Other standards being developed in the 27000 family are:

• 27003 – implementation guidance.
• 27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
• 27005 – an information security risk management standard. (Published in 2008)
• 27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
• 27007 – ISMS auditing guideline.

Learn more about IT Security Frameworks and Standards

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

FILE EXTENSION AND FILE FORMAT LIST File Extension and File Format List: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #

RELATED CONTENT ISACA issues mobile smartphone security policy guidance ISACA recently issued new guidance, warning users of the dangers of smartphones, and giving guidance on creating a policy for their secure use. How to meet the PCI DSS compliance deadline on an IT security budget Learn how to meet the upcoming PCI DSS compliance deadline while sticking to an IT security budget by leveraging existing security infrastructure in... PCI compliance UK: The future of European merchant PCI compliance This PCI DSS UK compliance guide offers advice on how to achieve merchant PCI compliance with expert advice and real-world case studies.

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Financial Services Authority  (SearchSecurityUK.com) The FSA (Financial Services Authority) is an independent, non-governmental body that regulates the financial services industry in the UK, including... IISP (Institute of Information Security Professionals)  (SearchSecurityUK.com) The IISP (Institute of Information Security Professionals) is a London-based professional membership association who describes its purpose as: "to...