ISO IEC 27001

PLAIN ENGLISH INTRODUCTION


ISO IEC 27001

ISO IEC 27001 is an information security management standard.
It defines a set of information security management requirements.
These requirements are defined in sections 4, 5, 6, 7, and 8.

The purpose of ISO IEC 27001 is to help organizations establish
and maintain an information security management system (ISMS).
ISO IEC 27001 applies to all types of organizations. It doesn’t matter
what your organization does or what size it is. ISO IEC 27001 can
help your organization meet its information security management
needs and requirements.

ISO IEC 27001 is designed to be used for certification purposes. In
other words, once you’ve established an ISMS that meets both the
ISO IEC 27001 requirements and your organization’s needs, you can
ask a registrar to audit your system. If your registrar likes what it sees,
it will issue an official certificate that states that your ISMS meets the
ISO IEC 27001 requirements. According to ISO IEC 27001, you must
meet every requirement (specified in clauses 4, 5, 6, 7, and 8) if you
wish to claim that your ISMS complies with the standard.

However, while you must meet every requirement, the size and
complexity of information security management systems vary
quite a bit. How you meet each of the ISO 27001 requirements,
and to what extent, depends on many factors, including your
organization’s:

  • Size and structure

  • Needs and objectives

  • Security requirements

  • Business processes

ISO IEC 27001 also lists a set of control objectives and controls.
These are listed in Annex A (our Part 9) and come from the
ISO IEC 27002 (17799 2005) information security standard.

In addition to control objectives and controls, ISO 27002 also
provides implementation guidance and other information. These
last two items are not included in ISO 27001. As a result, you may
find it helpful to also purchase the ISO IEC 27002 (17799) standard.

While ISO IEC 27001 expects you to meet every requirement, it does
allow you to exclude selected Annex A control objectives and controls
(see our Part 9) if you can justify doing so. Briefly put, you may exclude
or ignore Annex A control objectives and controls whenever they address
risks you can live with, and whenever doing so will not impair your ability
and obligation to meet all relevant legal and security requirements.

More precisely, you may ignore or exclude selected control
objectives and controls under the following circumstances:

  • You may exclude selected control objectives and controls if they
    address security risks that you can accept and if you can show
    that your decision to accept these risks complies with your
    organization’s official risk acceptance criteria.

    • You must also be able to justify your exclusion decision.

    • You must also be able to show that accountable persons
      have accepted the associated risks.

  • You may exclude selected control objectives and controls if
    you have used a risk assessment to identify your organization’s
    information security requirements and you believe that these
    requirements will, nevertheless, be met.

    • You may exclude selected control objectives and controls
      whenever this does not impair your ability and responsibility
      to meet your organization’s information security requirements.

  • You may exclude selected control objectives and controls if you
    can show that all applicable legal and regulatory requirements
    will, nevertheless, be met.

    • You may exclude selected control objectives and controls
      whenever this does not impair your ability and responsibility
      to meet all applicable legal and statutory requirements.

ISO IEC 27001 vs. BS 7799-2

ISO IEC 27001:2005 was developed by ISO/IEC JTC 1, SC 27
(Joint Technical Committee 1, Subcommittee 27). JTC 1 is
responsible for all kinds of information technology standards
while SC 27 is specifically responsible for the development
of standards related to IT security techniques.

ISO IEC 27001 2005 was officially published on October 15, 2005. This
new ISO 27001 2005 standard cancels and replaces the old BS 7799-2
standard (published in 2002 by BSI). The old BS 7799-2 information
security standard is now obsolete and has been officially withdrawn.

The PDCA Model

ISO IEC 27001 uses the Plan-Do-Check-Act (PDCA) model. ISO IEC
has used this model to organize the standard and you can use it to
help you establish your information security management system
(ISMS). ISO IEC uses this model in the following way:

  • PLAN. Section 4 expects you to plan the
    establishment of your organization’s ISMS.

  • DO. Section 5 expects you to implement,
    operate, and maintain your ISMS.

  • CHECK. Sections 6 and 7 expect you to monitor,
    measure, audit, and review your ISMS.

  • ACT. Section 8 expects you to take corrective and
    preventive actions and continually improve your ISMS.

Since ISO IEC has used a PDCA model to organize the ISO IEC 27001
standard, it is conveniently designed to facilitate system development.
If you follow the five general steps (sections 4 to 8) that make up the
standard, you’ll automatically develop a comprehensive ISMS.

The Process Approach

ISO IEC 27001 also uses a process approach. The process approach
is a management strategy. When managers use a process approach,
it means that they control their processes, the interaction between these
processes, and the inputs and outputs that “glue” these processes
together. It means that they manage by focusing on processes and
on inputs and outputs. ISO IEC 27001 suggests that you use a
process approach to manage and control your ISMS processes.

In general, a process uses resources to transform inputs into
outputs. In every case, inputs are turned into outputs because
some kind of work or activity is carried out. And because the
output of one process often becomes the input of another
process, inputs and outputs are really the same thing.

ISO IEC 27001 suggests that you structure every ISMS process
using the Plan-Do-Check-Act (PDCA) model. This means that
every process should be:

  • Planned (PLAN)

  • Implemented, operated, and maintained (DO)

  • Monitored, measured, audited, and reviewed (CHECK)

  • Improved (ACT)

The PDCA model runs through every aspect of the ISO IEC 27001
standard. The standard not only recommends that the PDCA model
be used to structure every ISMS process, it was also used to structure
the standard itself. And since it was used to structure the standard, you
will automatically use a PDCA approach as you use the standard to
develop your own ISMS.



PRAXIOM RESEARCH GROUP LIMITED
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Telephone: 780-461-4514 - Email: info@praxiom.com

Updated on December 27, 2011. First published on June 12, 2006.


Copyright © 2006 - 2011 by Praxiom Research Group Limited. All Rights Reserved.
