ISO/IEC 27001:2005 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.
Structure of ISMS (ISO 27001)
1. Information security management system
– General requirements
– Establishing and managing the ISMS
– Documentation requirements
2. Management responsibility
– Management commitment
– Resource management
3. Internal ISMS audits
4. Management review of the ISMS
– Review input
– Review output
5. ISMS improvement
– Continual improvement
– Corrective action
– Preventive action
Annex A Control objectives and controls
Annex B OECD principles and this International Standard
Annex C Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard
Major terms of ISMS (ISO 27001)
– Information: Like other important business assets, an asset that has value to the organization and therefore requires continuous, appropriate protection.
– Confidentiality: Ensuring that information is accessible only to those authorized to have access.
– Integrity: Safeguarding the accuracy and completeness of information and of processing methods.
– Availability: Ensuring that only authorized users have access to information and associated assets when required.
– Vulnerability: A weakness or loophole in an asset through which risk can affect that asset; a vulnerability in itself is not harmful.
– Security Risk: The potential for a vulnerability to be exploited, bringing damage to an asset or to a group of information assets.
– Risk Assessment: Assessment of the threats to, impacts on and vulnerabilities of information and information processing facilities, and of the likelihood of their occurrence.
– Risk Management: The process of identifying, controlling and minimizing or eliminating the security risks that may affect information systems, at an acceptable cost.
– ISMS: Information Security Management System.
Necessity for ISMS (ISO 27001)
1. Increasing dependency on information processing by information systems in every sector of society.
2. Increasing losses due to a lack of information system protection measures.
3. Increasing needs brought about by environmental change, such as the development of information systems and the interconnection of open systems.
4. Difficulty in effectively counteracting information risks due to the sophistication and diversification of electronic intrusion.
5. Increasing user requirements for information security.
6. The publication of an international information security standard, which can become an invisible technical barrier in international trade.
General of ISMS (ISO 27001)
An ISMS is a comprehensive set of controls that identify and minimize the threats to an organization's valuable information. The standard defines ISMS requirements such as development, establishment and documentation. It was first published by the English Department of Trade and Industry in 1995 and revised in 1999. After the International Standards Organization (ISO) recognized it as an international standard in December 2000, it became the internationally recognized certification standard in the information security sector.