ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005.
ISO 27002 contains 12 main sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
Other standards being developed in the 27000 family are:
- 27003 – implementation guidance.
- 27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
- 27005 – an information security risk management standard. (Published in 2008)
- 27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
- 27007 – ISMS auditing guideline.