ISO/IEC 27001

Information security management systems

"There are only two types of companies: those that have been hacked and those that will be" - Robert Mueller, former FBI Director

Information security is defined using the C-I-A triad: confidentiality (information is available only to those authorized to access it), integrity (the accuracy and completeness of information are safeguarded) and availability (authorized users have access to information whenever they need it).

As the International Organization for Standardization puts it, “The ISO 27000 family of standards helps organizations keep information assets secure”. Such assets may include intellectual property, financial information, information about employees, research and development data, or information entrusted to the organization by third parties.

ISO/IEC 27001 was first published in 2005; at that time the standard replaced BS 7599 part 2, a British standard published in 1999 that defined the requirements for an Information Security Management System. The current version is the one published in 2013, namely ISO/IEC 27001:2013.

ISO/IEC 27001 is applicable to all types of organizations (private businesses, governmental institutions or not-for-profit organizations), of all sizes (from micro-businesses to multinationals) and in all industries (commerce, manufacturing, banking, healthcare, education, services, etc.).

An information security management system (ISMS) is a systematic approach to managing sensitive information so that it remains secure. The core element of the ISMS is the process to determine and assess information security risks as well as the risk treatment process.

A list of information security controls is included in Annex A of ISO/IEC 27001, and a companion standard, ISO/IEC 27002, has been developed to detail those controls and provide best-practice recommendations on information security management.

Starting from this comprehensive list of controls, organizations that implement an ISMS select the controls applicable to their own information security situation and may supplement them with others if considered necessary. The controls in Annex A of ISO/IEC 27001 cover aspects such as human resources security, access control, physical and environmental security, cryptography, communications security, supplier relationships and incident management.

According to the ISO Surveys, the popularity of the standard is growing steadily year on year, both in the number of certificates issued and in the number of countries where the standard is being used.

Interested in an online course on the ISO/IEC 27001:2013 requirements?

Follow this link: ISO/IEC 27001:2013 Information Security Management Systems.