It is suitable for several different types of organizational use, including the following:
Formulation of security requirements and objectives;
To ensure that security risks are cost effectively managed;
To ensure compliance with laws and regulations;
As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
Identification and clarification of existing information security management processes;
To be used by management to determine the status of information security management activities;
To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
To provide relevant information about information security policies, directives, standards and procedures to trading partners;
To provide relevant information about information security to customers.
ISO/IEC 27001:2005 is a specification for the management of Information Security. It is applicable to all sectors of industry and commerce and not confined to information held on computers. It addresses the security of information in whatever form it is held.
The information may be printed or written on paper, stored electronically, transmitted by post or email, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, ISO/IEC 27001:2005 helps an organization ensure it is always appropriately protected.
Information security can be characterized as the preservation of
| Confidentiality | Ensuring that access to information is appropriately authorized. |
| Integrity | Safeguarding the accuracy and completeness of information and processing methods. |
| Availability | Ensuring that authorized users have access to information when they need it. |
ISO/IEC 27001:2005 contains a number of control objectives and controls. These include:
Security policy
Organizational security
Asset classification and control
Personnel security
Physical and environmental security
Communications and operations management
Access control
System development and maintenance
Business continuity management
Compliance
WHY IS INFORMATION SECURITY NEEDED?
Information is now globally accepted as being a vital asset for most organizations and businesses. As such, the confidentiality, integrity, and availability of vital corporate and customer information may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organization if its information were lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases it can lead (and has led) to the collapse of companies.
HOW DO YOU START TO IMPLEMENT ISO/IEC 27001:2005? WHAT IS INVOLVED?
Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO/IEC 27001:2005 involves three steps.
1. Creation of a management framework for information
This sets the direction, aims, and objectives of information security and defines a policy which has management commitment.
2. Identification and assessment of security risks
Security requirements are identified by a methodical assessment of security risks. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks.
3. Selection and implementation of controls
Once security requirements have been identified, controls should be selected and implemented. The controls need to ensure that risks are reduced to an acceptable level and meet an organization’s specific security objectives. Controls can be in the form of policies, practices, procedures, organizational structures and software functions. They will vary from organization to organization. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.