ISO 27001 & Information Security
ISO 27001 is the international best practice standard for an Information Security Management System (ISMS). This page will discuss in detail what ISO 27001 is, its history and the products that are available to help your organisation when approaching an ISO 27001 project.
Free ISO 27001 Introductory Briefing Paper
If you are new to ISO 27001, one of the best places to start is our free ISO 27001 ISMS introductory briefing paper. In non-technical language, this paper will help you get to grips with the key concepts of ISO 27001. Provide your details below and we will send you this useful resource:
What is an Information Security Management System?
An Information Security Management System (‘ISMS’) is a systematic approach to managing confidential or sensitive corporate information so that it remains secure (which means available, confidential and with its integrity intact). It encompasses people, processes and IT systems.
Information security is not just about anti-virus software, implementing the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.
An Information Security Management System (ISMS) helps you coordinate all your security efforts – both electronic and physical – coherently, consistently and cost-effectively.
Click here to see our ISMS FAQs
ISO 27001 Explained
ISO/IEC 27001:2005, usually referred to just as ISO 27001, is the best practice specification that helps businesses and organisations throughout the world to develop a best-in-class Information Security Management System (ISMS). The Standard was published jointly by the International Security Office (ISO) and the International Electrotechnical Commission (IEC). The British standard BS7799-2 was the forerunner for ISO 27001.
In this modern age, information and information systems are vital to all organisations. ISO 27001 sets out specific requirements, all of which must be followed, and against which an organisation's Information Security Management System (ISMS) can be audited and certified.
ISO 27001 is the first in a family of international information security standards that:
- Will underpin and protect IT worldwide over the next decade
- Is designed to harmonise with ISO 9001:2008, ISO 14001:2004, ISO 20000 and others for effective management system integration
- Implements the Plan-Do-Check-Act (PDCA) model, and
- Reflects the principles of the 2002 OECD guidance on the security of information systems and networks.
For those new to ISO 27001, IT Governance recommends the following products to develop your understanding of the Standard and understand how it can benefit your business:
- ISO 27001:2005 – The Official Standard
- ISO 27001 Nine Steps To Success – A Practical guide on achieving ISO 27001 certification
- ISO 27001 Pocket Guide Complete Set – These pocket guides provide a complete overview of information security and best practice guidance that is fully aligned with ISO 27001
- The Case for ISO27001 – Outlines the case for information security in all organisations and how adopting ISO 27001 will safeguard your information, protect the reputation of your company, and manage risk in an ever-evolving technological world.
IT Governance Products & Services
At IT Governance we provide products and services to assist individuals and organisations interested in ISO 27001. We provide books, toolkits, consultancy and training courses that cover every aspect of an ISO 27001 project. Whether you need a basic understanding of the Standard, toolkits to accelerate an ISO 27001 project, or help planning and implementing an ISO 27001 project from scratch, IT Governance has it all. Our key product areas are:
- ISO 27001 Books – Books covering an introduction to the Standard, how to sell your ISO 27001 project to the board, how to achieve certification and what ISO 27001 can do for your business.
- ISO 27001 Training – Foundation & Masterclass courses for those embarking on an ISO 27001 project.
- ISO 27001 Toolkits – Toolkits provide an invaluable, cost-effective resource to assist you in your ISO 27001 project.
- ISO 27001 Consultancy – A tailor-made service for your organisation from consultants with over 10 years' experience. Take advantage of our free trial assessment.
ISO 27001 – A Framework For Compliance
ISO27001 can help organisations create a framework for compliance with many regulatory standards. All UK businesses must comply with:
- Telecommunications Regulations Act 1998
- Data Protection Act 1998
- Computer Misuse Act 1990
- The Human Rights Act 1998
- The Regulation of Investigatory Powers Act 2000
- The Copyright, Designs and Patent Act 1998
- The Freedom of Information Act 2000 (UK public sector).
ISO 27001 assists organisations in the development of an information security management system that is integrated, comprehensive and incorporates globally recognised best practice. For example, this global standard has assisted organisations in the US to comply with regulatory acts such as:
- Gramm-Leach-Bliley Act (GLBA)
- The Health Insurance Portability and Availability Act (HIPAA)
- The Californian Senate Bill 1386
- Online Personal Protection Act
- Sarbanes-Oxley Act (SOX)
- Federal Information Security Management Act.
ISO 27001 & Best Practice For ISMS
IT Governance specialises in helping organisations, in all sectors and all over the world, design and implement best practice Information Security Management Systems that deliver identifiable returns on investment and which are capable of certification to ISO27001. We recognise that, in many organisations, expenditure on information security is already substantial, that it often impedes business effectiveness, and that its value for money is not clear. We can help organisations reduce their total information security expenditure while increasing its effectiveness.
Please email us to find out how we can help you use ISO27001 to improve the Return on Investment in your information security posture.
ISO27001 & BS7799 History
We should begin by stating that ISO standards are international standards, whilst BS standards are British Standards. ISO 27001 was born out of BS7799, and here we will chart the standards' history.
BS7799
BS7799 was published in 1995 and only had the status of Code of Practice. In April 1999 it became a formal 2-part standard.
These were BS7799 Part 1, ‘Code of Practice for Information Security Management’, and BS7799 Part 2, ‘Specification for Information Security Management Systems’. Part 1 provided best practice guidance, whilst Part 2 formed the standard against which an organisation's security management system could be assessed.
BS7799 Part 1 Internationalised as ISO 17799, then ISO 27002
The BS7799 Code of Practice, Part 1, took the form of guidance and recommendations. Its foreword clearly stated that it was not to be treated as a specification. It became internationalised as ISO17799 in December 2000, a revised version was issued in early 2005, and it was later renamed in 2007 as ISO 27002.
ISO 27002:2005 is the international code of best practice that is increasingly applied by organizations who are seeking a method of implementing an information security management system that will ensure they effectively meet the wide range of regulatory and compliance demands they face today.
BS7799 Part 2 Internationalised as ISO 27001
BS7799 Part 2 was revised in 2002, with significant reordering of the controls. The British Standard then underwent fast track internationalisation in 2005 and ISO 27001:2005 was published.
Certifications prior to publication of ISO/IEC 27001 will be certified against BS7799-2:2002 and, therefore, organisations will need to adapt their current projects or existing management systems accordingly. The ISMS converter provides more information on the changes, together with a detailed side-by-side comparison of the old and new versions of ISO/IEC 17799 (27002).
The company's ISMS (Information Security Management System) has achieved accredited certification to ISO/IEC 27001 and its integrated management system is being prepared for accredited certification to ISO9001 and other standards.