The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems. It is this against which certification is granted. Today in excess of a thousand certificates are in place, across the world.

ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. A scheme has been introduced by various certification bodies for conversion from BS7799 certification to ISO27001 certification.

The objective of the standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization".

The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA, Plan-Do-Check-Act model to structure the processes, and reflects the principles set out in the OECG guidelines


ISO 27001 is an Information Security Management Systems (ISMS) standard that is promulgated by the International Organization for Standardization (ISO).  It is a formal specification for an ISMS in that it mandates a particular set of controls that need to be in place.  Therefore, organizations that claim to have adopted 27001 can be formally audited and certified compliant with the standard.  It is this ability to certify the operation of an ISMS that makes 27001 unique and makes it ideal to be used as a form of independent attestation to the design and operation of an Information Security program.

ISO 27001 requires that management:

• Systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts;
• Designs and implements a coherent and comprehensive suite of information security controls (defined by ISO 27002 (formerly 17799)) and/or other forms of risk treatment to address unacceptable risks; and,
• Adopts an overarching management process to ensure that the information security controls meet the organization's information security needs on an ongoing basis.

Another benefit to 27001 is that an organization adhering to the 27001 standard can also simultaneously fulfill other compliance requirements including HIPAA, PCS, Sarbanes Oxley, and Identity Theft/Personally Identifiable Information regulations with minimal additional effort.


Article source: http://www.27000.org/iso-27001.htm
Article source: http://www.pivotpointsecurity.com/-iso-27001/