What is ISO 27001?
In a time when knowledge and information are the most important assets of any organisation, those assets need to be protected. The systems that protect them must themselves meet an acceptable standard, so that the information cannot be accessed by unauthorised people. This is why a standard, ISO 27001, was written and put into practice.
ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements, ISO 27001 for short, is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO and IEC publish the standard; they do not audit or certify organisations against it. That is done by independent, accredited certification bodies. (The 2005 edition named here has since been revised, but the structure described below still applies.)
Because it is an international standard, an organisation that wants formal recognition has itself certified by an accredited certification body and agrees to recurring surveillance audits (typically annual), with a full recertification audit at set intervals. Certification is evidence that the management system specified by ISO 27001 has actually been implemented. That management system brings information security under the explicit control of management.
The standard exists because, without it, information security tends to be ad hoc and haphazard. Controls were typically introduced to address a specific problem the organisation had already encountered. Information and knowledge therefore remained exposed to other threats, which in turn led to further ad hoc and interim measures to address each new issue as it arose.
ISO 27001 is specifically formulated to address the management dimension of security and to give organisations a way to take full control of all aspects of their information security management system. It has three main requirements:
- The organisation's information security risks are examined closely and systematically to determine the threats, the vulnerabilities, and the factors that would affect the systems and information in scope.
- A comprehensive and coherent set of information security controls is designed and implemented. This step also considers other forms of risk treatment, e.g. risk avoidance and risk transfer, and defines which risks the organisation considers unacceptable.
- The organisation adopts a holistic management process that ensures the information security controls continue to meet its security needs over time, rather than only at the point of implementation.
Because it deals with the security management system holistically, ISO 27001 works closely with ISO 27002, the Code of Practice for Information Security Management. In practice the two standards are almost always used together to design and implement an information security management system: ISO 27001 lists the controls (in its Annex A) and ISO 27002 provides additional information, guidance and implementation advice for each of those controls.
Finally, once the certification audit has established compliance, the accredited certification body that performed the audit issues the organisation with a certificate stating that it conforms to the ISO 27001 standard. The certificate is not issued by ISO itself, and it remains valid only while the organisation continues to pass its surveillance and recertification audits.