Information Security and ISO 27001

Information security failures can result in escalating financial losses and wreak havoc with business operations. The newly published ISO 27001:2005 standard for information security management systems can help organizations close existing gaps in their controls and manage future threats in a systematic way.

“The publication of ISO 27001:2005 is a big event in the world of information security and the standard has been eagerly awaited,” said Ted Humphreys, Convenor of the working group responsible for managing the development of the standard. “It is a standard that all security-conscious organizations should look to implement.”

ISO 27001:2005 can be used by organizations of all sizes – small, medium and large – across most commercial and industrial sectors: finance and insurance, telecommunications, utilities, retail and manufacturing, the various service industries, transportation, government, and many others.

Implementing ISO 27001:2005 reassures customers and suppliers that the organizations they deal with take information security seriously, because those organizations have in place documented, regularly reviewed processes for dealing with information security threats and incidents.

Information is an asset which, like other important business assets, adds value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure, that is, so that its confidentiality, integrity and availability are preserved. It encompasses people, processes and IT systems, not just technology.

ISO 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, specifies the processes that enable a business to establish, implement, monitor, review, maintain and improve an effective ISMS. It adopts the process-based approach of ISO's other management system standards – ISO 9001:2000 and ISO 14001:2004 – including the Plan-Do-Check-Act (PDCA) cycle and the requirement for continual improvement. In ISMS terms the cycle maps to establishing the ISMS (Plan), implementing and operating it (Do), monitoring and reviewing it (Check), and maintaining and improving it (Act).

The new standard forms a complementary pair with the recently published ISO 17799:2005 "code of practice" on information security management: ISO 27001:2005 states the requirements an ISMS must meet, while ISO 17799:2005 provides guidance on the controls that may be selected to meet them. Organizations that so wish can have their information security management systems independently certified as conforming to the requirements of ISO 27001:2005, although certification is not a requirement of the standard. Up to now, organizations that wished to have their ISMS certified have done so against the British Standard BS 7799 Part 2. Certification is now possible against ISO 27001:2005, which is an International Standard.