ISO 27001 Information Security Standard in Plain English

The ISO 27001 2005 standard is all-encompassing. It takes a very broad
approach to information security. In the context of this standard, the term
information includes all forms of data, documents, communications,
conversations, messages, recordings, and photographs. It includes
everything from digital data and email to faxes and telephone
conversations. It includes all forms of information.

This page presents a preview of ISO IEC 27001 2005.
It does not present the entire security standard. If you need
the entire detailed standard, please consider purchasing our
Title 35: ISO IEC 27001 2005 Translated into Plain English.
(See our Plain English ISO IEC 27001 2005 SAMPLE pdf).

The ISO IEC 27001 2005 standard is an information security
management standard. It defines a set of information security
management requirements. These information security
requirements are listed in sections 4 to 8. Therefore,
the following material starts with section 4.

ISO IEC 27001 IN PLAIN ENGLISH

4. ESTABLISH YOUR ORGANIZATION’S ISMS

4.1 STUDY GENERAL ISMS REQUIREMENTS

Define your organization’s ISMS.
Implement your organization’s ISMS.
Operate your organization’s ISMS.
Monitor your organization’s ISMS.
Review your organization’s ISMS.
Maintain your organization’s ISMS.
Improve your organization’s ISMS.
Document your organization’s ISMS.

4.2 DEVELOP YOUR ORGANIZATION’S ISMS

4.2.1 DEFINE AND PLAN YOUR ISMS

Define the scope and boundaries of your ISMS.
Define your organization’s ISMS policy.
Define your approach to risk assessment.
Identify your organization’s security risks.
Analyze and evaluate your organization’s security risks.
Identify and evaluate risk treatment options and actions.
Select control objectives and controls to treat risks.
Make sure that management formally approves all
residual risks (those that are left over after you’ve
implemented your risk treatment decisions).
Get authorization from management before you
implement and operate your organization’s ISMS.
Prepare a Statement of Applicability that lists your
organization’s specific control objectives and controls.

4.2.2 IMPLEMENT AND OPERATE YOUR ISMS

Develop a risk treatment plan to manage your
organization’s information security risks.
Implement your organization’s risk treatment plan.
Implement your organization’s security controls.
Implement your organization’s educational programs.
Manage and operate your organization’s ISMS.
Manage your organization’s ISMS resources.
Implement your organization’s security procedures.

4.2.3 MONITOR AND REVIEW YOUR ISMS

Use procedures and controls to monitor your ISMS.
Use procedures and controls to review your ISMS.
Perform regular reviews of your ISMS.
Verify that your security requirements are being met.
Review your risk assessments on a regular basis.
Review your residual risks on a regular basis.
Review acceptable levels of risk on a regular basis.
Perform regular internal audits of your ISMS.
Perform regular management reviews of your ISMS.
Update your information security plans.
Maintain a record of ISMS events and actions.

4.2.4 MAINTAIN AND IMPROVE YOUR ISMS

Implement your ISMS improvements.
Take appropriate corrective actions.
Take appropriate preventive actions.
Apply the security lessons that you have learned.
Communicate ISMS changes to all interested parties.
Make sure that your organization’s ISMS changes
achieve the intended objectives.

4.3 DOCUMENT YOUR ORGANIZATION’S ISMS

4.3.1 DEVELOP ISMS DOCUMENTS AND RECORDS

Establish records that document decisions.
Document your organization’s ISMS.

4.3.2 CONTROL YOUR ISMS DOCUMENTS

Protect and control your ISMS documents.
Establish a procedure to control ISMS documents.

4.3.3 CONTROL YOUR ISMS RECORDS

Establish records for your organization’s ISMS.
Maintain records for your organization’s ISMS.

ISO IEC 27001 IN PLAIN ENGLISH

5. MANAGE YOUR ORGANIZATION’S ISMS

5.1 SHOW THAT YOU SUPPORT YOUR ISMS

Demonstrate that your management
supports the establishment of an ISMS.
Demonstrate that your management
supports the implementation of an ISMS.
Demonstrate that your management
supports the operation of your ISMS.
Demonstrate that your management
supports the monitoring of your ISMS.
Demonstrate that your management
supports the review of your ISMS.
Demonstrate that your management
supports the maintenance of your ISMS.
Demonstrate that your management
supports the improvement of your ISMS.

5.2 MANAGE YOUR ISMS RESOURCES

5.2.1 PROVIDE RESOURCES FOR YOUR ISMS

Identify your organization’s ISMS resource needs.
Provide the resources that your ISMS needs.
Identify the resources that will be needed in order to
ensure that your organization’s information security
procedures support its business requirements.
Identify the resources needed to meet your
organization’s legal security requirements.
Identify the resources needed to meet your
organization’s regulatory security requirements.
Identify the resources needed to meet your
organization’s contractual security obligations.
Identify the resources needed to ensure that all
implemented security controls are correctly applied.
Identify the resources needed to ensure that ISMS
management reviews are routinely carried out.
Identify the resources needed to ensure that
you will be able to react appropriately to the
results of your ISMS management reviews.
Identify the resources needed to ensure that
you will be able to improve the effectiveness
of your ISMS when required to do so.

5.2.2 ENSURE THAT ISMS PERSONNEL ARE COMPETENT

Ensure that all ISMS personnel are competent and
can perform the tasks that are assigned to them.
Evaluate the effectiveness of your organization’s
ISMS personnel training and employment activities.
Maintain records that document the competence
of personnel performing work that affects your ISMS.
Make your personnel aware of how important
their information security activities are.

ISO IEC 27001 IN PLAIN ENGLISH

6. AUDIT YOUR ORGANIZATION’S ISMS

ESTABLISH AN INTERNAL AUDIT PROCEDURE

Establish an internal ISMS audit procedure.
Document your internal ISMS audit procedure.

PLAN YOUR INTERNAL AUDITS

Plan your internal ISMS audit projects and activities.
- Figure out how often internal audits should be done.
- Schedule your internal audits at planned intervals.
- Clarify the scope of each internal ISMS audit.
- Specify the audit criteria for each internal audit.
- Define your internal ISMS audit methods.
- Select your internal ISMS auditors.

CONDUCT INTERNAL AUDITS

Carry out regular internal ISMS audits.
- Audit your organization’s ISMS control objectives.
- Audit your organization’s ISMS controls.
- Audit your organization’s ISMS processes.
- Audit your organization’s ISMS procedures.

TAKE REMEDIAL ACTION

Eliminate nonconformities and their causes.
Take follow up actions to ensure that nonconformities
and causes have been eliminated without undue delay.
- Verify that remedial actions have actually been taken.
- Report the results of your verification activities.

ISO IEC 27001 IN PLAIN ENGLISH

7. REVIEW YOUR ORGANIZATION’S ISMS

7.1 PERFORM MANAGEMENT REVIEWS

Carry out management reviews of your ISMS.
- Make sure that your organization’s management
  people review your ISMS at planned intervals.
Examine the performance of your ISMS.
- Examine the ongoing suitability of your ISMS.
- Examine the ongoing adequacy of your ISMS.
- Examine the ongoing effectiveness of your ISMS.
Assess whether or not your organization’s
ISMS should be changed or improved.
- Assess whether or not your information
  security policy should be changed or improved.
- Assess whether or not your information security
  objectives should be changed or improved.
Keep a record of your ISMS management reviews.
- Record the results of ISMS management reviews.

7.2 EXAMINE MANAGEMENT REVIEW INPUTS

Examine information about your ISMS (inputs).
- Examine the results of prior management reviews.
- Examine the results of previous ISMS audits.
- Examine previous ISMS measurement results.
- Examine the status of previous remedial actions.
- Examine security issues that were inadequately
  addressed during the previous risk assessment.
- Examine opportunities to improve your ISMS.
- Examine changes that might affect your ISMS.

7.3 GENERATE MANAGEMENT REVIEW OUTPUTS

Generate decisions and actions (outputs).
- Generate management review decisions and
  actions to improve your organization’s ISMS.
- Generate management review decisions and
  actions to update your organization’s ISMS.
- Generate management review decisions and
  actions to respond to events that affect the ISMS.
- Generate management review decisions and
  actions to address your ISMS resource needs.

ISO IEC 27001 IN PLAIN ENGLISH

8. IMPROVE YOUR ORGANIZATION’S ISMS

8.1 CONTINUALLY IMPROVE YOUR ISMS

Improve the effectiveness of your ISMS.
- Use your security policy to continually
  improve the effectiveness of your ISMS.
- Use your security objectives to continually
  improve the effectiveness of your ISMS.
- Use your security audit results to continually
  improve the effectiveness of your ISMS.
- Use your management reviews to continually
  improve the effectiveness of your ISMS.
- Use your corrective actions to continually
  improve the effectiveness of your ISMS.
- Use your preventive actions to continually
  improve the effectiveness of your ISMS.
- Use your monitoring process to continually
  improve the effectiveness of your ISMS.

8.2 CORRECT ACTUAL ISMS NONCONFORMITIES

Establish a corrective action procedure to prevent
the recurrence of actual nonconformities.
- Make sure that your corrective action procedure
  expects you to identify actual nonconformities.
- Make sure that your corrective action procedure expects
  you to identify the causes of your nonconformities.
- Make sure that your procedure expects you
  to evaluate whether you need to take action.
- Make sure that your procedure expects you to
  develop corrective actions when they are needed.
- Make sure that your procedure expects you to
  prevent the recurrence of actual nonconformities.
- Make sure that your corrective action procedure
  expects you to eliminate the causes of your
  organization’s nonconformities.
- Make sure that your procedure expects you to
  record the results of any corrective actions taken.
- Make sure that your procedure expects you to
  review the results of any corrective actions taken.
Document your corrective action procedure.
Implement your corrective action procedure.
- Use your organization’s corrective action
  procedure to identify nonconformities.
- Use your organization’s corrective
  action procedure to identify causes.
- Use your procedure to evaluate whether
  or not you need to take corrective action.
- Use your procedure to develop corrective actions
  whenever corrective actions are actually needed.
- Use your procedure to take corrective actions.
- Use your procedure to prevent the
  recurrence of actual nonconformities.
- Use your procedure to eliminate the
  causes of actual nonconformities.
- Use your procedure to record the
  results of any corrective actions taken.
- Use your procedure to review the
  corrective actions that have been taken.
Maintain your corrective action procedure.

8.3 PREVENT POTENTIAL ISMS NONCONFORMITIES

Establish a preventive action procedure to prevent
the occurrence of potential nonconformities.
- Make sure that your preventive action procedure
  expects you to identify potential nonconformities.
- Make sure that your procedure expects you to
  identify the causes of potential nonconformities.
- Make sure that your procedure expects you to
  evaluate whether or not your organization needs
  to take preventive action.
- Make sure that your procedure expects you to
  develop preventive actions when they are needed.
- Make sure that your procedure expects you to
  prevent the occurrence of potential nonconformities.
- Make sure that your procedure expects you to
  eliminate the causes of potential nonconformities.
- Make sure that your procedure expects you to
  record the results of any preventive actions taken.
- Make sure that your procedure expects you to
  review the results of any preventive actions taken.
Document your preventive action procedure.
Implement your preventive action procedure.
- Use your organization’s preventive action
  procedure to identify potential nonconformities.
- Use your preventive action procedure to identify
  the causes of potential nonconformities.
- Use your preventive action procedure to evaluate
  whether or not you need to take preventive action.
- Use your preventive action procedure to develop
  preventive actions whenever they are needed.
- Use your procedure to take preventive actions.
- Use your preventive action procedure to prevent
  the occurrence of potential nonconformities.
- Use your preventive action procedure to eliminate
  the causes of potential nonconformities.
- Use your preventive action procedure to record
  the results of any preventive actions taken.
- Use your preventive action procedure to review
  the preventive actions that have been taken.
Maintain your preventive action procedure.

ISO IEC 27001 IN PLAIN ENGLISH

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and
developing this electronic publication. We make no representation or warranties
with respect to accuracy or completeness of the contents of this publication and
specifically disclaim any implied warranties or merchantability or fitness for any
particular purpose and shall in no event be liable for any loss of profit or any
other commercial damage, including but not limited to special, incidental,
consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
material as often as you wish, free of charge. And as long as you keep intact
all copyright notices, you are also welcome to print or make one copy of this
page for your own personal, noncommercial, home use. But, you are not
legally authorized to print or produce additional copies, or to copy and paste
any of our material onto another web site. If you would like to purchase our
material, please contact our Sales Desk. Our staff would be very pleased to
take your order or to answer any questions you might have.

Home Page	Our Libraries	A to Z Index	Our Customers
How to Order	Our Products	Our Prices	Our Guarantee
PRAXIOM RESEARCH GROUP LIMITED 9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada Telephone: (780)461-4514 info@praxiom.com
Updated on January 6, 2010. On the Web since May 25, 1997.

ISO IEC 27001 2005

INFORMATION SECURITY STANDARD

TRANSLATED INTO PLAIN ENGLISH