ISO 27001 information security management system

IMSM will help you to install a working ISMS (Information Security Management System), pass Audit and be Registered and Secure



OBJECTIVES AND CONTROLS - ISO 27001


ISO 27001 is an international standard setting out the requirements for an Information Security Management System (ISMS). It helps an organisation identify, assess and manage the range of threats to which its information is regularly subjected. The standard defines information security in terms of three properties:

Confidentiality: ensuring that information is accessible only to those authorised to have access, and that those users understand and agree to keep confidential information confidential.

Integrity: safeguarding the accuracy and completeness of information and the methods used to process it, and removing or controlling any opportunity for data corruption.

Availability: ensuring that authorised users have access to information and the associated assets whenever it is required. (Keeping information away from unauthorised users is a confidentiality requirement, not an availability one.)


Annex A of ISO 27001 (which follows the structure of ISO 17799, later renumbered ISO 27002) groups its controls into 11 control clauses, each with its own control objectives:

• Security policy - This provides management direction and support for information security and represents top management's decision regarding the balance of risk and control required in your organisation.
• Organisation of information security - To help you manage information security within the organisation, including where external parties are involved
• Asset management - To help you identify your information assets, assign ownership and classify them so that they receive appropriate protection
• Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities before, during and at the end of employment
• Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information
• Communications and operations management - To ensure the correct and secure operation of information processing facilities
• Access control - To control access to information on the basis of business and security requirements
• Information systems acquisition, development and maintenance - To ensure that security is built into information systems rather than added afterwards
• Information security incident management - To ensure that information security events and weaknesses are reported and handled in a consistent and effective manner, and that the lessons learned feed back into the ISMS
• Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
• Compliance - To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and of any security requirement

Specific examples of controls might include, but are not confined to: acceptable use and control of databases, control of network and system user access rights, locks on doors (and the types of lock), equipment siting, cabling security, e-mail policy and its enforcement, capacity planning, controls against malicious code, information backup, network security, third-party agreements, contracts of employment, electronic commerce, privacy of personal information, business continuity plans, information leakage, publicly available information, fault and security event logging, input and output data validation, and user authentication for external connections.

The ISO 27001 standard is the result of thousands of submissions based on the actual experience of information security professionals worldwide. A successful audit and certification indicates that a risk-based management system for information security is in place and being operated and improved; it attests that the ISMS conforms to the standard, not that every attempt to breach security will be prevented, so the organisation must continue to monitor, review and improve its controls after certification.


For more information on ISO 27001 contact Alex Cox. Tel: +44 (0)1666 826065

