ISO 27001 Version 1

Pages: 13 (3048 words) Published: 21 July 2011
Information Security and ISO27001 – an Introduction

Overview

What is ISO 27001 (BS7799), and how does this standard help organizations manage their information security more effectively? What is the relationship between ISO 27001 (BS7799) and ISO 17799, how can it relate to ISO 9001, and what does someone coming to this field for the first time need to know in order to initiate, or take on responsibility for, an organizational information security project, and specifically one that is intended to lead to ISO 27001 (BS7799) certification? This paper, written by the ISO 27001/BS7799 expert Alan Calder, answers these basic questions and others, and points to online resources and tools that are useful to anyone tasked with leading an information security project. The information in this paper is suitable for organizations of all sizes, in all sectors, anywhere in the world. It reflects the guidance and information available from The ISO27001 Site, which can be accessed through http://www.itgovernance.co.uk/iso27001.asp

IT Governance and information security

The last few years have seen board-level corporate governance requirements become increasingly defined and specific. As information technology has become pervasive, underpinning and supporting almost every aspect of the organization, and manipulating and storing the information on which the organization depends for its survival, the role of IT in corporate governance has become more clearly defined, and IT governance is increasingly recognised as a specific area for board and corporate attention. A fundamental aspect of IT governance is the protection of the information on which everything else depends: its availability, confidentiality and integrity. In parallel, international standards related to information security have emerged and have become one of the cornerstones of an effective IT governance framework.
The information security standards

BS7799 was created in 1995 by the British Standards Institution (BSI) as a standard to guide the development and implementation of an Information Security Management System, commonly known as an ISMS. BS7799 was conceived, from the outset, as a technology-neutral, vendor-neutral management system that, properly implemented, would enable an organization's management to assure itself that its information security measures and arrangements were effective. From the outset, BS7799 focused on protecting the availability, confidentiality and integrity of organizational information, and this remains, today, the driving objective of the standard. Crucially, though, it does not talk about protection from every single possible threat, but only from those that the organization considers relevant, and only to the extent that is justified financially and commercially through a risk assessment.

BS7799 was originally just a single standard, and had the status of a Code of Practice. In other words, it provided guidance for organizations, but had not been written as a specification that could form the basis of an external third-party verification and certification scheme. As more and more organizations began to recognize the scale, severity and interconnectedness of information security threats, and with the emergence of a growing range of data protection and privacy-related law and regulation, the demand for a certification option linked to the standard began to develop. This led, eventually, to the emergence of a second part to the standard, in the form of a specification (a specification uses words like 'shall') numbered as BS7799-2 (or, part 2). The Code of Practice (which uses words like 'may' and which deals with controls, not with Information Security Management Systems) is now recognized under the dual numbers of ISO17799 and BS7799-1 (or, part 1). The relationship between the Code of Practice and the specification was also...

(1.1) Copyright © IT Governance Ltd 2005, 2006