ISO 27001 & Information Security

ISO 27001 is the international standard describing best practice for an Information Security Management System, often shortened to 'ISMS'.

This page describes in detail what ISO 27001 is, its history and the products that are available to help your organisation when approaching an ISO 27001 project.

The joint ISO/IEC committee (JTC 1/SC 27) that is responsible for the ISO27000 family of standards released, on 16 January 2013, a draft of what might, in due course, become the new versions of ISO/IEC 27001 and ISO/IEC 27002. Read more about this here.

What is an Information Security Management System?

An Information Security Management System (‘ISMS’) is a systematic approach to managing confidential or sensitive corporate information so that it remains secure (which means available, confidential and with its integrity intact). It encompasses people, processes and IT systems.

Information security is not just about anti-virus software, implementing the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.

An Information Security Management System (ISMS) helps you coordinate all your security efforts – both electronic and physical – coherently, consistently and cost-effectively.

ISO 27001 Explained

ISO/IEC 27001:2005, usually referred to just as ISO 27001, is the best practice specification that helps businesses and organisations throughout the world to develop an Information Security Management System (ISMS).

The standard was published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). The British standard BS7799-2 was the forerunner for ISO 27001.

Information and information systems are vital to all organisations. ISO 27001 sets out specific requirements, all of which must be followed, against which an organisation's ISMS can be audited and certified.

ISO 27001 is the first in a family of international information security standards that:

  • Will underpin and protect IT worldwide over the next decade
  • Harmonises with ISO 9001:2008, ISO 14001:2004, ISO 20000 and others for effective management system integration
  • Implements the Plan-Do-Check-Act (PDCA) model, and
  • Reflects the principles of the 2002 OECD guidance on the security of information systems and networks.

For those new to ISO 27001, IT Governance recommends the following products to develop your understanding of the Standard and how it can benefit your business:

  • ISO 27001:2005 – The official standard
  • ISO 27001 Nine Steps To Success – A practical guide to achieving ISO 27001 certification
  • ISO 27001 Pocket Guide Complete Set – These pocket guides provide a complete overview of information security and best practice guidance that is fully aligned with ISO 27001
  • The Case for ISO27001 – Outlines the case for information security and how adopting ISO 27001 will safeguard your information, protect the reputation of your company, and manage risk in an evolving technological world.

IT Governance Products & Services

At IT Governance we provide products and services to assist individuals and organisations who are interested in ISO 27001. We provide books, toolkits, consultancy and training courses that cover every aspect of an ISO 27001 project. Our key product areas are:

  • ISO 27001 Books – Covering an introduction to the standard, how to sell your ISO 27001 project to the board, how to achieve certification and what ISO 27001 can do for your business
  • ISO 27001 Training – Foundation & Masterclass courses for those embarking on an ISO 27001 project
  • ISO 27001 Toolkits – Save time and money with our pre-prepared ISO 27001 project documentation
  • ISO 27001 Consultancy – A tailor-made service for your organisation from consultants with over 10 years' experience. Take advantage of our free trial assessment.

ISO 27001 – A Framework For Compliance

ISO27001 can help organisations create a framework for compliance with many regulatory standards, for example in the UK:

  • Telecommunications Regulations Act 1998
  • Data Protection Act 1998
  • Computer Misuse Act 1990
  • The Human Rights Act 1998
  • The Regulation of Investigatory Powers Act 2000
  • The Copyright, Designs and Patent Act 1998
  • The Freedom of Information Act 2000 (public sector).

ISO 27001 assists organisations in the development of an information security management system that is integrated, comprehensive and incorporates globally recognised best practices. For example, this global standard has helped organisations in the US to comply with such regulatory acts as:

  • Gramm-Leach-Bliley Act (GLBA)
  • The Health Insurance Portability and Availability Act (HIPAA)
  • The Californian Senate Bill 1386
  • Online Personal Protection Act
  • Sarbanes-Oxley Act (SOX)
  • Federal Information Security Management Act.

ISO 27001 & Best Practice For ISMS

IT Governance specialises in helping organisations, from all sectors and all over the world, design and implement best practice Information Security Management Systems that deliver returns on investment and which are capable of certification to ISO27001.

We recognise that, in many organisations, expenditure on information security is already substantial, that it often impedes business effectiveness, and that its value for money is not clear. We can help organisations reduce their total information security expenditure, while increasing its effectiveness.

Please email us or call +44 (0) 845 070 1750 to find out how we can help you use ISO27001.

ISO27001 & BS7799 History

It is important to recognise that ISO standards are international, whereas BS standards are British. BS7799 was the precursor to ISO 27001.

Certifications prior to publication of ISO/IEC 27001 were made against BS7799-2:2002.

  • BS7799 was published with the status of Code of Practice. In April 1999 it became a formal two-part standard
  • BS7799 Part 1 was "Code of Practice for Information Security Management" and Part 2 was "Specification for Information Security Management Systems". Part 1 provided best practice guidance, whilst Part 2 formed the standard against which an organisation's security management systems could be assessed
  • BS7799 Part 1 was internationalised as ISO 17799, then ISO 27002
  • The BS7799 Code of Practice, Part 1, took the form of guidance and recommendations. Its foreword clearly stated that it was not to be treated as a specification. It was internationalised as ISO17799 in December 2000; a revised version was issued in early 2005, and it was renamed ISO 27002 in 2007
  • ISO 27002:2005 is the international code of best practice that is increasingly applied by organisations seeking a method of implementing an information security management system that will ensure they effectively meet the wide range of regulatory and compliance demands they face today
  • In 2005, BS7799 Part 2 was internationalised as ISO 27001
  • BS7799 Part 2 was revised in 2002, with significant re-ordering of the controls. The British Standard then underwent fast-track internationalisation in 2005 and ISO 27001:2005 was published.
