What is ISO 27001?


is basically a list of controls
ISO/IEC 27002:2005 (ISO 27002) ISMS Code of Practice
Formerly BS7799-1, this specification provides implementation advice.
ISO/IEC 27003:2010 (ISO 27003) ISMS Implementation Guidance
Guidance for the implementation of an ISMS.
ISO/IEC 27004:2009 (ISO 27004) Information Security Metrics and Measurements
ISO/IEC 27005:2011 (ISO 27005) Information Security Risk Management
ISO/IEC 27006:2007 (ISO 27006) Requirements for ISMS Certification Bodies
Guidelines for the accreditation of organizations offering ISMS certification
ISO/IEC 27007:2011 (ISO 27007) ISMS Auditing
ISO/IEC 27008:2011 (ISO 27008) Guidelines for Auditors on Information Security
ISO/IEC 27010:2012 (ISO 27010) Infosec Communications.
ISO/IEC 27011:2008 (ISO 27011) Guidelines for ISM Implementation in

All of the standards place some focus on what ISO is calling an ISMS. What exactly is that? No, I'm not referring to the Institution of Silly & Meaningless Sayings, although that site could prove a very entertaining diversion. Check that ISMS out at www.isms.org.uk. No, the ISMS that the standards refer to, the Information Security Management System, is a mix of policies and procedures along with the tools and records used to manage, monitor, and record anything that is information security relevant. They usually include a large amount of automation, but also a lot of manual procedure.

A lot of what comprises information security in organizations which are not ISO 27001 certified is relevant to ISO 27001, but using an ISMS is more comprehensive and better regulated. An ISMS does not include just digital assets, but also paper (e.g., invoices, customer lists, contracts), data centers, buildings, and both on-site and off-site storage -- pretty much anything that represents an information asset. So, with respect to sysadmin work, it's not just closing stale accounts, but the regulated process of reviewing accounts and the records that show the stale accounts were closed.

An ISMS provides the means to systematically assess risks and evaluate the effectiveness of controls (those things you do to mitigate the risks).

If you're at all interested in this certification, one of the first things you need to do is purchase a copy of the standards. No, they're not free. Far from it. You can buy a copy of ISO 27001 and ISO 27002 for "just" $995 or maybe a couple hundred pounds. The ISO 27000 (overview and vocabulary) alone is 50 pounds. In fact, even the textbooks you'll find on Amazon and eBay are a bit on the pricey side with many running between $50 and $100. You can get a pocket guide (roughly 70 pages) for about $30. That's costly if you're a lowly dweeb like me, but maybe not if you're Google. Anyway, it's good to get yourself schooled up if you're even remotely interested in pursuing or promoting this certification.

Photo Credit: 

Join us:






SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

Ask a Question