ISO 27001: Information Security Management System
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities. Information security is achieved by implementing a suitable set of controls, policies, processes, procedures, organisational structures and software and hardware functions, so that the specific security and business objectives are met. An ISMS provides a framework to establish, implement, operate, monitor, review, maintain and improve information security within an organisation.

The standard comes in two parts:

ISO/IEC 27001:2005 – a standard specification for Information Security Management Systems (ISMS), which instructs you how to apply ISO/IEC 27002 and how to build, operate, maintain and improve an ISMS.

ISO/IEC 27002:2007 – a standard code of practice, which can be regarded as a comprehensive catalogue of good security practices.

With an ISMS we are not intending to make the system ‘hacker proof’, but to develop a mechanism which can, to a large extent:

  • Anticipate potential problems
  • Prepare through proactive measures
  • Protect against considerable damages
  • Ensure recovery and restoration
  • ‘Failure is not when you fall down, but when you fail to get up’

Information is one of the most important assets for a business. Without it, only a few processes are able to perform as intended. The sharing of information with other organisations, which enables quick and automated processing, increases that importance. Information therefore needs to be preserved in terms of:

  • Confidentiality: ensuring that information is available only to those authorised to have access
  • Integrity: safeguarding the accuracy and completeness of information and processing methods
  • Availability: ensuring that information and vital services are available to authorised users when required

ISO 27001 standard - Requirements

    Clause 1 : Scope

  • Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within an organisation.
  • Specifies requirements for the implementation of security controls that will protect information assets and give confidence to interested parties.
  • Exclusions of controls are permitted only if they are found necessary to satisfy the risk acceptance criteria, and must be justified.

    Clause 2 : Normative references

  • ISO/IEC 27002:2007 – Code of practice for information security management: provides the control objectives and controls selected on the basis of a risk assessment.

    Clause 3 : Terms and conditions

  • A list of terms and definitions that apply for the purposes of the standard.

    Clause 4 : Information security management system

  • 4.1 General requirements: processes based on the PDCA (Plan-Do-Check-Act) model
  • 4.2 Establishing and managing the ISMS
  • 4.2.1 Establish the ISMS
    • Define the ISMS policy as per characteristics of the business
    • Define the risk assessment approach
    • Define scope & boundaries of the ISMS
    • Identify the risks
    • Analyse and evaluate the risks
    • Identify and evaluate options for the treatment of risks
    • Select control objectives and controls for the treatment of risks
    • Obtain management approval of the proposed residual risks
    • Obtain management authorization to implement and operate the ISMS
    • Prepare a Statement of Applicability(SOA)
  • 4.2.2 Implement and operate the ISMS
    • Formulate and implement the Risk Treatment Plan (RTP)
    • Implement controls
    • Define how to measure the effectiveness of the controls
    • Implement training and awareness
    • Manage resources
    • Implement procedures and controls capable of enabling prompt detection of security incidents
  • 4.2.3 Monitor and review the ISMS
    • Execute monitoring and reviewing procedures to detect security incidents
    • Undertake regular reviews of effectiveness of the controls
    • Conduct internal audits
    • Review risk assessments regularly
  • 4.2.4 Maintain and improve the ISMS
    • Apply lessons learnt from security experiences
  • 4.3 Documentation requirements
  • 4.3.1 General
    • ISMS Scope, policy and objectives
    • Procedures and controls
    • Risk assessment methodology & report
    • Risk Treatment Plan
    • Statement of Applicability
  • 4.3.2 Control of documents
  • 4.3.3 Control of Records

    Clause 5 : Management Responsibility

  • 5.1 Management commitment
  • 5.2 Resource Management

    Clause 6 : Internal ISMS Audits

    The organisation shall conduct audits at regular intervals to determine whether the control objectives, processes and procedures:

    • conform to the requirements of the standard
    • conform to the identified security requirements
    • are effectively implemented and maintained
    • perform as expected

    Clause 7 : Management Review of the ISMS

    Clause 8 : ISMS Improvement

    • 8.1 Continual improvement
    • 8.2 Corrective action
    • 8.3 Preventive action
Copyright 2008, All rights reserved.