ISO/IEC 27001 is one of the recently introduced standards for information management and security. This standard was published in 2005 by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC). The title of the document that was published is “ISO/IEC 27001-2005 Information Technology—Security Techniques—Information Security Management Systems—Requirements”. However, it is popularly referred to as ISO 27001.
The ISO 27001 standard covers a variety of organizations, including commercial enterprises, government agencies and non-profit organizations. Micro businesses and large multinationals alike come within the ambit of this standard. The focus of the standard is the establishment, implementation, monitoring, review, maintenance and improvement of information management systems. However, the information management requirements contained in this standard are at a very high level. It does not make any specific information security control mandatory and does not drill down to the details of the management system.
The purpose of introducing ISO 27001 was to ensure sustainable, directed and continuous improvement in information security management. The ISO 27001 Plan-Do-Check-Act (PDCA) cycle not only prescribes high-level management protocols as a one-time activity, but also ensures that there is a continuous monitoring and reviewing mechanism in place for sustained improvement. Vulnerabilities and impacts have to be repeatedly examined, and information security failures have to be flagged for evaluation, review and correction.
The standards are considered suitable for use within organizations for the formulation of security requirements and objectives. They are also seen as a cost-effective means of guarding against security risks. The standards also align with the compliance requirements under various laws and can be used as a framework for the implementation and management of controls that relate to the specific security objectives of the organization.
The information management structure so built up is very useful for the definition of management processes; the identification of existing information management practices; internal and external audit; the development of security policies, directives and standards; ensuring uniformity of standards and procedures among trading partners; and providing security information to customers.
As stated above, the ISO 27001 standards are not prescriptive. Organizations can choose any kind of information security control and customize it to fit their particular security situation. To this end, an extensive list of security controls is defined for implementation as organization-specific a la carte solutions (called extended control sets). However, these controls demand that the organization undertake a comprehensive assessment of information security risks before selecting and customizing controls. A revised ISO 27001 standard is expected to be published sometime during 2010-2012.
Organizations implementing ISO 27001 standards can seek certification of their information management systems provided they comply with the mandatory requirements of the standard.
Auditors (accredited by ISO 27001) will generally examine whether the organization satisfies the minimum requirements with reference to a set of formal items that are detailed in the document.
While these requirements are not mandatory, they are considered minimum essentials. Auditors will also take into consideration the scope of certification sought by the organization. The implication is that organizations seeking certification need to submit scoping documents and statements of applicability to the auditors when applying for certification.
Interestingly, while certification is optional, an increasing number of organizations, including online backup service providers, are applying for certification. Customers, too, are eager to know whether the online backup service provider they have selected is ISO 27001 certified. This factor influences their decision, as certification is an indication that an independent auditor has examined the facilities and has opined that the online backup service has put the minimum essential standards in place and is conscious of the information security management needs of its customers.