Introduction to ISO:27001

ISO (the International Organization for Standardization) and IEC (the International Electro technical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. ISO has equal importance to all software development companies in India and globe.

ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks.  The ISMS is an overarching management framework through which the organization identifies, analyses and addresses its information security risks.   The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.

The standard covers all types of organizations that includes software development companies as well (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defence, healthcare, education and government).  This is clearly a very wide brief.

History

ISO/IEC 27001 is derived from BS 7799 Part 2, published in 1999.  BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cyclic process concept, and was adopted by ISO/IEC as ISO/IEC 27001 in 2005.  It was extensively revised in 2013, bringing it into line with the other ISO certified management systems standards and dropping the PDCA concept.

What is ISO 27001

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

Benefits of ISO/IEC 27001 Information Security Management

• Identify risks and put controls in place to manage or reduce them
• Flexibility to adapt controls to all or selected areas of your business
• Gain stakeholder and customer trust that their data is protected
• Demonstrate compliance and gain status as preferred supplier
• Meet more tender expectations by demonstrating compliance 

ISO 27001 uses a top down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.

The 27001 standard does not mandate specific information security controls, but it provides a check-list of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

1. ISO 27002 contains 12 main sections:
2. Risk assessment
3. Security policy
4. Organization of information security
5. Asset management
6. Human resources security
7. Physical and environmental security
8. Communications and operations management
9. Access control
10. Information systems acquisition, development and maintenance
11. Information security incident management
12. Business continuity management
13. Compliance

Organizations including software development companies are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.