ISO/IEC 27001:2005 Information technology -- Security techniques -- Specification for an Information Security Management System
ISO/IEC 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organizations).
The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall risk management processes. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. It does not mandate specific information security controls.
According to JTC1/SC27, the ISO/IEC committee responsible for ISO27k and related standards, ISO/IEC 27001 “is intended to be suitable for several different types of use, including:
Use within organisations to formulate security requirements and objectives;
Use within organisations as a way to ensure that security risks are cost-effectively managed;
Use within organisations to ensure compliance with laws and regulations;
Use within an organisation as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organisation are met;
The definition of new information security management processes;
Identification and clarification of existing information security management processes;
Use by the management of organisations to determine the status of information security management activities;
Use by the internal and external auditors of organisations to demonstrate the information security policies, directives and standards adopted by an organisation and determine the degree of compliance with those policies, directives and standards;
Use by organisations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organisations that they interact with for operational or commercial reasons;
Implementation of a business enabling information security; and
Use by organisations to provide relevant information about information security to customers.”
The information security controls from ISO/IEC 27002 are noted in an appendix to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other à la carte options. As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information security risks, which is one vital part of the ISMS.
ISO/IEC 27001 is available as a PDF for just US$30 from ANSI.
History of ISO/IEC 27001
ISO/IEC 27001 was born as BS 7799 Part 2 in 1999. It was revised by BSI in 2002, explicitly incorporating the Plan-Do-Check-Act Deming cycle, and was adopted by ISO/IEC in 2005. It may be revised again if that decision is made by JTC1/SC27 members at the next meeting in Cyprus, but that is not a foregone conclusion.
ISO/IEC 27001 certifications increasing by 1,000 per year
A number of certification bodies are accredited by national standards bodies (such as the British Standards Institution and the National Institute of Science and Technology) to review compliance with ISO/IEC 27001 and issue certificates. Over 4,400 organizations worldwide have already been certified compliant with ISO/IEC 27001 or equivalent national variants:
The graph shows the ‘absolute total’ number of ISO/IEC 27001 certificates reported by ISO27001certificates.com for the last 3 years or so. ISO27001certificates.com routinely receives and collates information on ISO/IEC 27001 certificates issued by certification bodies worldwide. Please note that many organizations have just one ISO/IEC 27001 certificate but numerous physical locations in scope.
Organizations can specify the scope of their ISO/IEC 27001 certification as broadly or as narrowly as they wish. Understanding the scoping documents plus “Statements of Applicability” (SoA) is therefore crucial if one intends to attach any meaning to the certificates. If an organization’s ISO/IEC 27001 scope only notes “Acme Ltd. Department X”, for example, the associated certificate says nothing about the state of information security in “Acme Ltd. Department Y” or “Acme Ltd.” as a whole. Similarly, if the SoA asserts that antivirus controls are not necessary for some reason, the certification body will doubtless have checked that assertion but will not have certified the antivirus controls - in fact, they may not have assessed any technical controls since ISO/IEC 27001 is primarily a management system standard, so compliance requires the organization to have a suite of management controls in place.
Certification is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are concerned about information security. Certification against ISO/IEC 27001 brings a number of benefits above and beyond simple compliance, in much the same way that an ISO 9000-series certificate says more than “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires management approval (which is an advantage in security awareness terms, at least!). The certificate has marketing potential and should help assure most business partners of the organization’s status with respect to information security without the necessity of conducting their own security reviews.