Overview

ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisations information risk management.

Features:

• Works on a top-down, technology-neutral, risk-based approach
• Defining a security policy, defining the scope of ISMS, conducting risk assessment, managing assessed risks, picking control objectives that are to be implemented and preparing the statement of applicability.
• Coordination between all sections of an organization and enhances management responsibility, ensures continual improvement, conducts internal audits and undertakes corrective and preventive actions.

Process:

• Define a security policy.
• Define the scope of the ISMS.
• Conduct a risk assessment.
• Manage identified risks.
• Select control objectives and controls to be implemented.
• Prepare a statement of applicability.

Benefits:

• It is the de facto international standard for Information Security Management
• It demonstrates a clear commitment to Information Security Management to third parties and stakeholders
• It can provide a framework to ensure the fulfilment of commercial, contractual and legal responsibilities
• It provides a significant competitive advantage, and can effectively be a license to trade with companies in certain regulated sectors
• It provides for inter-operability between organisations or groups within an organisation
• It can provide compliance with, or certification against, a recognised external standard which can often be used by management to demonstrate due diligence.