The ISO 27001 Standard

ISO/IEC 27001 is intended to be used with ISO/IEC 17799, the Code of Practice for Information Security Management, which lists objectives, controls, and implementation guidelines. Organizations that implement an ISMS in accordance with ISO 17799 are likely to also meet the requirements of ISO/IEC 27001. This ISO standard is the first in a family of information-security-related standards, which are assigned numbers in the 27000 series. They include:

  • ISO/IEC 27000 - a vocabulary or glossary of terms used in the ISO 27000-series standards
  • ISO/IEC 27002 - the proposed re-naming of existing standard ISO 17799
  • ISO/IEC 27003 - a new ISMS implementation guide
  • ISO/IEC 27004 - a new standard for information security measurement and metrics
  • ISO/IEC 27005 - a proposed standard for risk management, potentially related to the current British Standard BS 7799 part 3
  • ISO/IEC 27006 - a guide to the certification process

Certification to ISO/IEC 27001

The ISO 27000 family of information security management standards aligns with other ISO management system standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management), regarding both general structure and the nature of integrating best practices with certification standards. Certification of an organization to ISO/IEC 27001 is one means of providing assurance that the organization has not only implemented a system for the management of information security in line with the international standard, but also maintains and continuously improves that system.

Credibility and recognition are the primary advantages of being certified by a respected, independent third party. It provides assurance and confidence to management, suppliers, customers, and employees that the organization is committed to information security management and continual improvement. Organizations may be certified compliant with ISO 27001 by a number of accredited certification bodies worldwide.

Certification audits are led by ISO 27001 Lead Auditors. Certification usually involves a two-stage audit process:

  • Stage 1 is a Readiness Review, assessing the existence and completion of key documentation and preparing for the Stage 2 audit
  • Stage 2 is the on-site Certification Audit that assesses overall conformance to the standard. It is a detailed, in-depth audit to assess the existence and effectiveness of the controls stated in the ISMS as well as their supporting documentation.

Maintaining certification over a typical three-year period requires periodic surveillance audits to confirm that the ISMS continues to operate as required and observed in the certification audit.

Control Objectives and Controls

In addition to the clauses of the standard, the following are the minimum control objectives and controls in ISO 27001, and they align directly with those in ISO 17799. Minimally, these objectives and controls shall be a part of the ISMS. Additional objectives and controls may be necessary, depending on the organization’s requirements.

A.5 Information Security

  • Information security policy

A.6 Organization of Information Security

  • Internal organization
  • External parties

A.7 Asset Management

  • Responsibility for assets
  • Information classification

A.8 Human Resources Security

  • Prior to employment
  • During employment
  • Termination or change of employment

A.9 Physical and Environmental Security

  • Secure areas
  • Equipment security

A.10 Communications and Operations Management

  • Operational procedures and responsibilities
  • Third party service delivery management
  • System planning and acceptance
  • Protection against malicious and mobile code
  • Back-up
  • Network security management
  • Media handling
  • Exchange of information
  • Electronic commerce services
  • Monitoring

A.11 Access Control

  • Business requirements for access control
  • User access management
  • User responsibilities
  • Network access control
  • Operating system access control
  • Application and information access control
  • Mobile computing and teleworking

A.12 Information Systems Acquisition, Development, and Maintenance

  • Security requirements of information systems
  • Correct processing in applications
  • Cryptographic controls
  • Security of system files
  • Security in development and support processes
  • Technical vulnerability management

A.13 Information Security Incident Management

  • Reporting information security events and weaknesses
  • Management of information security incidents and improvement

A.14 Business Continuity Management

  • Information security aspects of business continuity management

A.15 Compliance

  • Compliance with legal requirements
  • Compliance with security policies and standards, and technical compliance
  • Information systems audit considerations