ISO IEC 27001

PLAIN ENGLISH INTRODUCTION

ISO IEC 27001 2005 is an Information Security Management Standard

ISO and IEC

ISO is the International Organization for Standardization. It was set up
in 1947 and is located in Geneva, Switzerland. Its purpose is to develop
standards that support and facilitate international trade. IEC is the
International Electrotechnical Commission. It was set up in 1906 and
is also located in Geneva, Switzerland. Its purpose is to develop standards
for all types of electrotechnologies. Both ISO and IEC are supported by
national member bodies. These member bodies participate in the
standards development process through technical committees.

ISO IEC 27001 vs. BS 7799-2

ISO IEC 27001:2005 was developed by ISO/IEC JTC 1, SC 27
(Joint Technical Committee 1, Subcommittee 27). JTC 1 is
responsible for all kinds of information technology standards
while SC 27 is specifically responsible for the development
of standards related to IT security techniques.

ISO IEC 27001 2005 was officially published on October 15, 2005. This
new ISO 27001 2005 standard cancels and replaces the old BS 7799-2
standard (published in 2002 by BSI). The old BS 7799-2 information
security standard is now obsolete and has been officially withdrawn.

Introduction to ISO IEC 27001

ISO IEC 27001 is an information security management standard.
It defines a set of information security management requirements.
These requirements are defined in sections 4, 5, 6, 7, and 8.

The purpose of ISO IEC 27001 is to help organizations establish
and maintain an information security management system (ISMS).
ISO IEC 27001 applies to all types of organizations. It doesn’t matter
what your organization does or what size it is. ISO IEC 27001 can
help your organization meet its information security management
needs and requirements.

ISO IEC 27001 is designed to be used for certification purposes. In
other words, once you’ve established an ISMS that meets both the
ISO IEC 27001 requirements and your organization’s needs, you can
ask a registrar to audit your system. If your registrar likes what it sees,
it will issue an official certificate that states that your ISMS meets the
ISO IEC 27001 requirements. According to ISO IEC 27001, you must
meet every requirement (specified in clauses 4, 5, 6, 7, and 8) if you
wish to claim that your ISMS complies with the standard.

However, while you must meet every requirement, the size and
complexity of information security management systems varies
quite a bit. How you meet each of the ISO 27001 requirements,
and to what extent, depends on many factors, including your
organization’s:

  • Size and structure
  • Needs and objectives
  • Security requirements
  • Business processes

ISO IEC 27001 also lists a set of control objectives and controls.
These are listed in Annex A (our Part 9) and come from the
ISO IEC 27002 (17799 2005) information security standard.

In addition to control objectives and controls, ISO 27002 also
provides implementation guidance and other information. These
last two items are not included in ISO 27001. As a result, you may
find it helpful to also purchase the ISO IEC 27002 (17799) standard.

While ISO IEC 27001 expects you to meet every requirement, it does
allow you to exclude selected Annex A control objectives and controls
(see our Part 9) if you can justify doing so.
Briefly put, you may exclude
or ignore Annex A control objectives and controls whenever they address
risks you can live with, and whenever doing so will not impair your ability
and obligation to meet all relevant legal and security requirements.

More precisely, you may ignore or exclude selected control
objectives and controls under the following circumstances:

  • You may exclude selected control objectives and controls if they
    address security risks that you can accept and if you can show
    that your decision to accept these risks complies with your
    organization’s official risk acceptance criteria.

    • You must also be able to justify your exclusion decision.

    • You must also be able to show that accountable persons
      have accepted the associated risks.

  • You may exclude selected control objectives and controls if
    you have used a risk assessment to identify your organization’s
    information security requirements and you believe that these
    requirements will, nevertheless, be met.

    • You may exclude selected control objectives and controls
      whenever this does not impair your ability and responsibility
      to meet your organization’s information security requirements.

  • You may exclude selected control objectives and controls if you
    can show that all applicable legal and regulatory requirements
    will, nevertheless, be met.

    • You may exclude selected control objectives and controls
      whenever this does not impair your ability and responsibility
      to meet all applicable legal and statutory requirements.

The PDCA Model

ISO IEC 27001 uses the Plan-Do-Check-Act (PDCA) model. ISO IEC
has used this model to organize the standard and you can use it to
help you establish your information security management system
(ISMS). ISO IEC uses this model in the following way:

  • PLAN. Section 4 expects you to plan the
    establishment of your organization’s ISMS.

  • DO. Section 5 expects you to implement,
    operate, and maintain your ISMS.

  • CHECK. Sections 6 and 7 expect you to monitor,
    measure, audit, and review your ISMS.

  • ACT. Section 8 expects you to take corrective and
    preventive actions and continually improve your ISMS.

Since ISO IEC has used a PDCA model to organize the ISO IEC 27001
standard, it is conveniently designed to facilitate system development.
If you follow the five general steps (sections 4 to 8) that make up the
standard, you’ll automatically develop a comprehensive ISMS.

Your General Approach

The following material presents a brief information security management
system development plan. It summarizes the general approach you will
take to develop your own unique ISMS. It uses a PDCA approach and is
taken directly from our plain English version of the standard. If you use
our plain English standard to develop your organization’s ISMS, you
will automatically take the following steps:

  1. Define the scope and boundaries of your ISMS.

  2. Define your organization’s ISMS policy.

  3. Define your approach to risk management.

  4. Identify your organization’s security risks.

  5. Analyze and evaluate your security risks.

  6. Identify and evaluate your risk treatment options.

  7. Select control objectives and controls to treat risks.

  8. Prepare a detailed Statement of Applicability.

  9. Develop a risk treatment plan to manage your risks.

  10. Implement your organization’s risk treatment plan.

  11. Implement your organization’s security controls.

  12. Implement your organization’s educational programs.

  13. Manage and operate your organization’s ISMS.

  14. Implement your organization’s security procedures.

  15. Use procedures and controls to monitor your ISMS.

  16. Use procedures and controls to review your ISMS.

  17. Perform regular reviews of your organization’s ISMS.

  18. Verify that your security requirements are being met.

  19. Review your risk assessments on a regular basis.

  20. Review your residual risks on a regular basis.

  21. Review acceptable levels of risk on a regular basis.

  22. Perform regular internal audits of your ISMS.

  23. Perform regular management reviews of your ISMS.

  24. Update your organization’s information security plans.

  25. Implement ISMS improvements.

  26. Take appropriate corrective actions.

  27. Take appropriate preventive actions.

  28. Communicate ISMS changes to interested parties.

  29. Establish records that document your decisions.

  30. Document your organization’s ISMS.

  31. Protect and control your ISMS documents.

  32. Establish records for your organization’s ISMS.

  33. Maintain records for your organization’s ISMS.

To see a detailed version of the above ISMS development plan, please
see our plain English ISO IEC 27001 2005 standard (Parts 4 to 8).

Of course, you may already have an existing ISMS. If this is true, you don’t
need to follow a detailed ISMS development plan. You would probably find
it easier and more efficient to use a gap analysis approach, instead.

A gap analysis would compare your existing ISMS with the ISO IEC 27001
requirements. Such a comparison would pinpoint the areas that fall short
of the standard (the gaps). By focusing on filling your unique information
security gaps, you will soon comply with the ISO IEC 27001 standard.

If you already have an existing ISMS, a gap analysis is more targeted
and efficient because it lets you ignore the areas that already comply
with the standard and concentrate on those that do not.

The Process Approach

ISO IEC 27001 also uses a process approach. The process approach
is a management strategy. When managers use a process approach,
it means that they control their processes, the interaction between these
processes, and the inputs and outputs that “glue” these processes
together. It means that they manage by focusing on processes and
on inputs and outputs. ISO IEC 27001 suggests that you use a
process approach to manage and control your ISMS processes.

In general, a process uses resources to transform inputs into
outputs. In every case, inputs are turned into outputs because
some kind of work or activity is carried out. And because the
output of one process often becomes the input of another
process, inputs and outputs are really the same things seen
from the perspective of different processes.

ISO IEC 27001 suggests that you structure every ISMS process
using the Plan-Do-Check-Act (PDCA) model. This means that
every process should be:

  • Planned (PLAN)

  • Implemented, operated, and maintained (DO)

  • Monitored, measured, audited, and reviewed (CHECK)

  • Improved (ACT)

The PDCA model runs through every aspect of the ISO IEC 27001
standard. The standard not only recommends that the PDCA model
be used to structure every ISMS process, it was also used to structure
the standard itself. And since it was used to structure the standard, you
will automatically use a PDCA approach as you use the standard to
develop your own ISMS.


PRAXIOM RESEARCH GROUP LIMITED
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Telephone: (780)461-4514
info@praxiom.com

Updated on October 23, 2008. On the Web since May 25, 1997.


Copyright © 2006-2008 by Praxiom Research Group Limited. All Rights Reserved.
