International Best Practices

ISO 27001:2005 Standard

Standard: ISO/IEC 27001:2005
Subject: Information Security Management System (ISMS)
Author: International Standards Organisation (ISO)


Overview

ISO 27001 is an accredited standard for an Information Security Management System (ISMS) and for demonstrating management compliance. It applies to any organisation, of any size and in any line of business, which can adopt its requirements and seek formal certification.


Trends in adoption

ISO 27001 has seen widespread adoption since 2005. Almost all industry sectors have used ISO 27001 to demonstrate compliance, especially organisations that seek a formal certification.


Coverage

The standard is divided into management system controls (the clauses of the main body) and annexure controls, also known as detailed controls (Annex A).


Management System Controls (Clauses 4 to 8)

Clauses 1 to 3 are introductory; the mandatory management system requirements are in Clauses 4 to 8.

Clause 1 – Scope
Clause 2 – Normative references
Clause 3 – Terms and definitions
Clause 4 – Information Security Management System
Clause 5 – Management responsibility
Clause 6 – Internal ISMS audits
Clause 7 – Management review of the ISMS
Clause 8 – ISMS improvement

Annexure Controls (11 domains, 39 control objectives and 133 controls)

  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

Key business benefits

Organizations that need to demonstrate compliance in information security use the standard to show their commitment to the security processes listed above.


Summary

Information is anything that has business value. Information security is the protection of its confidentiality, integrity and availability (CIA). ISO 27001 provides a framework in which the degree of control implementation required is determined by the organization's assets and its risk appetite. Not all 133 controls apply to every organization, and the depth of implementation varies from one organization to another.

Seeking ISO 27001 consultancy or ISO 27001 certification support?