ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information
Security Management System (ISMS) standard published in October 2005 by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC). Its full name is "ISO/IEC 27001:2005 - Information technology -- Security
techniques -- Information security management systems -- Requirements", but it is
commonly known as "ISO 27001".

ISO/IEC 27001 formally specifies a management system that is intended to bring information
security under explicit management control. Being a formal specification means that
it mandates specific requirements. Organizations that claim to have adopted ISO/IEC
27001 can therefore be formally audited and certified compliant with the standard.
Most organizations have a number of information security controls. Without an ISMS,
however, the controls tend to be somewhat disorganized and disjointed, often having been
implemented as point solutions to specific situations or simply as a matter
The security controls in operation typically address certain aspects of IT or data
security specifically, leaving non-IT information assets (such as paperwork and
proprietary knowledge) less well protected on the whole. Business continuity planning
and physical security, for example, may be managed quite independently of IT or
information security, while Human Resources practices may make little reference to
the need to define and assign information security roles and responsibilities throughout
Benefits of ISO 27000:
Implementation of a standard such as ISO 27001 can often result in greater security
awareness within an organization.
Due Diligence -
Compliance with, or certification against, an international standard is often used
by management to demonstrate due diligence.
Management can be assured of the quality of a system, business unit, or other entity
if a recognized framework or approach is followed.
This is a general benefit of standardization. The idea is that systems from diverse
parties are more likely to fit together if they follow a common guideline.
Benchmarking -
Organizations often use a standard as a measure of their status within their peer
community. It can be used as a benchmark for current position and progress.
Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to
involve both business management and technical staff, greater IT and business alignment
Who Can Apply
ISO 27000:2009 is applicable to all types of organization, i.e., commercial enterprises,
government agencies, and non-profit organizations.