ISO 27001 - the Information Security Management System

ISO/IEC 27001:2005 the international standard for Information Security Management Systems (ISMS). The standard can aid organizations in meeting all their information-related regulatory compliance objectives. Helping them prepare and position themselves for all existing and emerging regulations.

There are a number of direct, practical reasons for implementing an information security policy and information security management system (ISMS) that is capable of being independently certified (sometimes called ‘registration’) as compliant with the new international information security standard ISO/IEC 27001:2005.

  • An ISO/IEC 27001-certificated ISMS will help your organization meet the requirements of the EU Data Protection and Privacy Directives, and national legislation such as the Data Protection Act 1998. 
  • An ISO/IEC 27001-certificated ISMS will ensure that you are in compliance with the whole range of information-related legislation, including (as applicable) HIPAA, GLBA, SB 1386 and other State breach laws, PIPEDA, FISMA, EU Safe Harbor regulations, and so on;
  • An ISO/IEC 27001-certificated ISMS will ensure that you have in place the general control environment on which a successful SOX s404 report or Turnbull Guidance depends; 
  • A certificate tells existing and potential customers as well as regulators that you have defined and put in place effective information security processes, thus helping create a trusting relationshi;.
  • ISO/IEC 27001 certification will cost a fraction of a SAS 70 audit (which typically costs upwards of $100k) and demonstrates the existence of a best-practice based information security infrastructure;
  • The certification process also helps the whole organization focus on continuously improving its information security processes;
  • ISO/IEC 27001 is also an effective response to information risks identified in any COSO-type enterprise risk management framework.

Information systems are not usually designed from the outset to be secure. Technical security measures and checklists are limited in their ability to protect a compete information system. Management systems and procedural controls are essential components of any really secure information system and, to be effective, need careful planning and attention to detail, such as is contained in the ISO 27001 ISMS Documentation Toolkit.

ISO/IEC 27001 provides the specification for an information security management system and, in the related Code of Practice, ISO/IEC 27002, it draws on the knowledge of a group of experienced information security practitioners in a wide range of significant organizations across more than 40 countries to set out best practice in information security. An ISO 27001-compliant system will provide a systematic approach to identifying and combating the entire range of potential risks to the organization’s information assets. It will also enable a Federal organization to comply with the requirements of FISMA (the Federal Information Security Management Act).