What is ISO/IEC 27001

ISO/IEC 27001 is part of the International Standards Organisation family of IT-related standards. It is constructed, implemented and managed in a similar fashion to many other standards, such as ISO/IEC 20000 and ISO 9001.

Like those standards, it has a set of minimum requirements detailed in Part 1, followed by a set of supplementary guidance, or code of practice, detailed in the Part 2 clauses.

ISO/IEC 27001

However, the ISO 27001 standard focuses on the management and security of company information and stored data. A key element of the standard is therefore the implementation and management of information security controls and the overall adoption of an appropriate Information Security Management System (ISMS).

Key drivers for the adoption of ISO/IEC 27001 include:

  • A requirement to implement effective protective mechanisms for sensitive information or stored data
  • Providing credibility, trust and confidence for our customers and interested stakeholders
  • Demonstrating security status according to internationally accepted criteria
  • Creating differentiators resulting from the prestige, credibility and reputation
  • Providing a professional, end-to-end, risk-based approach to securing information and achieving compliance
  • Ensuring you are doing the right things in the right way with regard to information management

The Red Badge offers an array of services that can help your organisation improve its information security solution; please visit our Consultancy pages for more information.

Specifically, ISO/IEC 27001 requires that your ISMS solution:

  • Systematically examines the organisation’s information security risks, taking account of the threats, vulnerabilities and potential impacts;
  • Designs and implements a coherent and comprehensive array of effective information security controls and other forms of risk mitigation (for example, risk avoidance or risk transfer) to address those risks that are deemed unacceptable;
  • Adopts an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis;
  • Demonstrates a commitment to the continual improvement of your ISMS.

The key benefits of ISO/IEC 27001 are:

  • It can act as an extension of the current quality system to include security
  • It provides an opportunity to identify and manage risks to key information and systems assets
  • It provides confidence and assurance to trading partners and clients, and acts as a marketing tool
  • It allows an independent review of, and assurance on, your information security practices

ISO/IEC 27001 was originally published by the British Standards Institute as British Standard (BS) 7799 back in 1995.

In some countries, the bodies that verify conformity of management systems to specified standards are called “certification bodies”, while in others they are commonly referred to as “registration bodies”, “assessment and registration bodies”, “certification/registration bodies” and sometimes “registrars”.

An ISMS may only be certified as compliant with ISO/IEC 27001 by one of a number of officially accredited, and normally government-backed, bodies. These are referred to as registered certified bodies (RCBs); on other occasions they are referred to as registrars.

Goals of Information Security

Information systems are generally defined as all of a company’s data together with the material and software resources that allow the company to store and circulate that data. Information systems are essential to companies and must be protected.

IT security generally consists of ensuring that an organisation’s material and software resources are used only for their intended purposes, as follows:

  • Integrity – guaranteeing that the data is maintained in a proper state, as intended
  • Confidentiality – ensuring that only authorised individuals have access to data resources
  • Availability – ensuring the information is accessible and guaranteeing the information system’s proper operation
  • Non-repudiation – guaranteeing that an operation or activity undertaken cannot be denied
  • Authentication – relates to confidentiality and is about ensuring that access controls exist