ISO/IEC 27001

Source: Wikipedia: ISO/IEC 27001


ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology — Security techniques — Information security management systems — Requirements, but it is commonly known as "ISO 27001".

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard (more below).

Most organizations have a number of information security controls. Without an ISMS, however, the controls tend to be somewhat disorganized and disjointed, often having been implemented as point solutions to specific situations or simply as a matter of convention. Maturity models typically refer to this stage as "ad hoc". The security controls in operation typically address certain aspects of IT or data security only, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected on the whole. Business continuity planning and physical security, for example, may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:

* Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts;
* Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
* Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

While other sets of information security controls may potentially be used within an ISO/IEC 27001 ISMS as well as, or even instead of, ISO/IEC 27002 (the Code of Practice for Information Security Management), these two standards are normally used together in practice. Annex A to ISO/IEC 27001 succinctly lists the information security controls from ISO/IEC 27002, while ISO/IEC 27002 provides additional information and implementation advice on the controls.

Organizations that implement a suite of information security controls in accordance with ISO/IEC 27002 are simultaneously likely to meet many of the requirements of ISO/IEC 27001, but may lack some of the overarching management system elements. The converse is also true: an ISO/IEC 27001 compliance certificate provides assurance that the management system for information security is in place, but says little about the absolute state of information security within the organization. Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls, since the overall ISMS is in place and is deemed adequate by satisfying the requirements of ISO/IEC 27001. Furthermore, management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location. The ISO/IEC 27001 certificate does not necessarily mean that the remainder of the organization, outside the scoped area, has an adequate approach to information security management.

Other standards in the ISO/IEC 27000 family of standards provide additional guidance on certain aspects of designing, implementing and operating an ISMS, for example on information security risk management (ISO/IEC 27005).
Certification

An ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide. Certification against any of the recognized national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself.

In some countries, the bodies which verify conformity of management systems to specified standards are called "certification bodies"; in others they are commonly referred to as "registration bodies", "assessment and registration bodies", "certification/registration bodies", and sometimes "registrars".

The ISO/IEC 27001 certification[1], like other ISO management system certifications, usually involves a three-stage audit process:

* Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.

* Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.

* Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.

References

1. The ISO/IEC 27001 Certification Process.

See also

* ISO 9001
* ISO/IEC 27000-series
* ISO/IEC 15408
* BS 7799
* Cyber security standards
* International Organization for Standardization
* List of ISO standards
* Standard of Good Practice published by the Information Security Forum

External links

* ISO 27001 and ISO 27002 User Group
* ISO 17799 and ISO 27001 Wiki
* Opensource software to support ISO 27001 PDCA/ISMS processes

Retrieved from "http://en.wikipedia.org/wiki/ISO/IEC_27001"
* This page was last modified on 8 July 2010 at 21:15.
* Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of Use for details.