The ISO/IEC 27001 Standard

ISO/IEC 27001 represents the only auditable international standard to define the requirements for an Information Security Management System (ISMS). To receive certification, organizations are required to provide evidence that their ISMS has addressed information security risks in an objective, repeatable, measured and continually improving manner.

The standard was previously known as BS 7799-2 (a widely recognized British Standard) and was published as an international standard in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission. The following list illustrates the benefits of an ISO/IEC 27001 certification.

  • Universal Minimum Requirements for an ISMS - ISO/IEC 27001 is the only internationally recognized standard that defines the minimum requirements for an Information Security Management System (ISMS). An ISMS is what is commonly referred to as an Information Security Program: the people, processes, and tools that ensure security is properly addressed.

  • Universal List of Information Security Controls - In addition to ISO/IEC 27001’s minimum requirements for security management, the standard’s Annex (appendix) A also specifies an international catalog of 133 required controls and a requirement that the organization describe how the controls are implemented in its environment. If a control is not applicable, a justification must be written and pass audit scrutiny. Note: The 133 controls that appear in the ISO/IEC 27001 standard are the same controls that were popularized by ISO/IEC 17799 (later renamed ISO/IEC 27002). The big difference is that ISO/IEC 27002 is a guide for implementing these controls, while ISO/IEC 27001 makes their implementation mandatory unless properly justified.

  • Risk-based Approach to Information Security Management - Central to an ISO/IEC 27001 certification is the risk management process, which ensures the organization evaluates threats to its assets and vulnerabilities in its defenses. Once risks that exceed the organization's authorized risk tolerance level are identified, options for treating those risks and selecting appropriate controls are evaluated. This process results in defensible and effective control choices.

  • Continuous Improvement Process - During an ISO/IEC 27001 audit, the registrar's auditor requires demonstration of continuous process improvement. The standard requires the organization to follow the "plan-do-check-act" model that was first popularized by W. Edwards Deming in his teachings on total quality management. According to Deming, every process should be:
    • Planned
    • Implemented
    • Monitored, measured, audited and reviewed
    • Improved

  • Continuous Audit of a Process - Inherent in the ISO/IEC 27001 certification is the concept of a continuous audit. After the initial audit and certification, surveillance audits are conducted for the next two years, and a re-certification audit is conducted in the third year. An organization could lose its certification if auditors note major non-conformities and these are not addressed in a timely manner. This emphasis on continuous audit becomes a critical input into the process of continuous improvement noted above.