Standard: ISO/IEC 27001: 2013
Subject: Information Security Management System (ISMS)
Author: International Organization for Standardization (ISO)
ISMS – ISO 27001 is an accredited standard for management system compliance. It applies to any organisation of any size and any nature of business, which can adopt the requirements and seek formal certification. The standard was released on 25th September 2013 as an update to the old standard ISO 27001:2005, which now stands replaced.
Trends in adoption
ISO 27001 has seen widespread adoption since 2005. Almost all industry sectors have used ISO 27001 to demonstrate compliance, especially those that seek a formal certification.
The standard is divided into management system controls and annexure controls – also known as detail controls.
Management System Controls (Clauses 4 to 10; Clauses 1 to 3 are introductory)
- Clause 1 – Scope
- Clause 2 – Normative references
- Clause 3 – Terms and definitions
- Clause 4 – Context of the organisation
- Clause 5 – Leadership
- Clause 6 – Planning
- Clause 7 – Support
- Clause 8 – Operation
- Clause 9 – Performance evaluation
- Clause 10 – Improvement
Annexure Controls (14 domains, 35 control objectives and 114 detail controls)
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Key business benefits
Organizations seeking to demonstrate compliance with information security requirements use the standard to show their commitment to the security processes described above.
Information is anything that has business value. Information security is the protection of the confidentiality, integrity and availability (CIA) of that information. ISO 27001 provides a framework in which the degree of control implementation required is derived from the organization's assets and risk appetite. Not all of the 114 controls apply to every organization, and the degree to which each control is implemented varies between organizations depending on their assets and risks.