Published: 01 July 2011
What is in the ISO27001 standard?
The ISO27001 information security standard is the one standard amongst the ISO27000 family of standards against which an organisation’s ISMS can be audited and certified. The goal of the ISO27001 standard is to ‘provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system’.
The ISO27001 information security standard specifies a number of requirements that an organisation’s ISMS must meet in order to comply with the standard. The main body of the standard describes the mandatory elements of the ISMS. The requirement for a company to conduct a risk assessment, and base its selection of controls on the outcome of that risk assessment, is an essential and fundamental part of the standard. Appendix A of ISO27001 consists of 11 control sections, 39 control objectives and 133 individual controls. The 11 control sections are broken down as follows:
Security policy: This section of the standard is to ensure that management provide direction and support for information security in the organisation.
Organisation of information security: In order to help you manage information security within the organisation, this section outlines a number of controls that relate to the organisation of information security.
Asset management: Asset management focuses on identifying your information assets and protecting them appropriately.
Human resources security: As humans are such a large factor in information security, this section contains controls that aim to reduce the risks of human error, theft, fraud or misuse of facilities.
Physical and environmental security: This section contains controls to prevent unauthorised access, damage and interference to business premises and information assets.
Communications and operations management: This section contains controls to ensure the correct and secure operation of information processing facilities.
Access control: As information is the core asset secured by ISO27001, this section contains controls that secure and manage access to information assets.
Information systems acquisition, development and maintenance: This section of the ISO27001 information security standard has a number of controls to ensure that security is built into information systems, whether they are developed in-house or by third parties, or are commercial off-the-shelf software packages.
Information security incident management: Invariably there will be breaches of information security controls, and this section of the standard concentrates on how all information security events and weaknesses can be reported and responded to effectively.
Business continuity management: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters, this section highlights controls to be put in place in respect of the information security aspects of business continuity.
Compliance: This section contains controls designed to help organisations avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and any security requirement.
The plan, do, check and act cycle (PDCA)
Plan (establishing the ISMS): Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, so that results are delivered in line with the organisation's overall policies and objectives.
Do (implementing and operating the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitoring and reviewing the ISMS): Assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.
Act (maintaining and improving the ISMS): Take corrective and preventive actions, based on the results of the ISMS internal audit and management review or other relevant information, to continually improve the ISMS.