**ISO 27001 - Information Technology**

**Introduction**
//ISO/IEC 27001// (full name //ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements//) is an information security management system ([|ISMS]) standard published by the //International Organization for Standardization// ([|ISO]) in 2005. ISO 27001 specifies a set of requirements for establishing, implementing, maintaining and improving an ISMS. It is important to note, however, that ISO 27001 //does not// mandate specific information security controls.

**History**
ISO 27001 was initially developed as BS 7799 Part 2 in 1999. It was revised by BSI in 2002 and adopted in full by ISO in 2005. At the moment ISO 27001 is being revised again, and the revised standard is to be published by 2009 or 2010.

**Content**
The standard covers all types of organizations (commercial enterprises, government agencies and non-profit organizations). ISO 27001 has the following sections:

 * **Introduction** - the standard uses a process approach
 * **1) Scope** - specifies generic ISMS requirements suitable for organizations of any type, size or nature
 * **2) Normative references** - only ISO/IEC 27002:2005 is considered essential
 * **3) Terms and definitions** - a brief, formalized glossary
 * **4) Information security management system** - the ‘guts’ of the standard, based on the Plan-Do-Check-Act cycle, where Plan = define requirements, assess risks, decide which controls are applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS; Act = maintain and continuously improve the ISMS. Also specifies certain documents that are required and must be controlled, and states that records must be generated and controlled to prove the operation of the ISMS (//e.g.// for certification audit purposes)
 * **5) Management responsibility** - management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it
 * **6) Internal ISMS audits** - the organization must conduct periodic internal audits to ensure the ISMS incorporates adequate controls which operate effectively
 * **7) Management review of the ISMS** - management must review the suitability, adequacy and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes
 * **8) ISMS improvements** - the organization must continually improve the ISMS by assessing and, where necessary, making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible preventing recurrent issues
 * **Annex A** - Control objectives and controls - little more in fact than a list of titles of the control sections in ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2)
 * **Annex B** - OECD principles and this International Standard - a table briefly showing which parts of this standard satisfy the 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks
 * **Annex C** - Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard - the standard shares the same basic structure as other management system standards, meaning that an organization which implements any one of them should be familiar with concepts such as PDCA, records and audits.