What is the ISO 27001 standard?
The ISO 27001 standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organisation’s information security management system.
ISO 27001 was established by the International Organization for Standardization (ISO). It was first published in 2005 as a replacement for BS 7799.
Alignment with other management system standards
ISO 27001 is aligned with other management system standards, and supports consistent and integrated implementation and operation alongside related management standards.
Features of ISO 27001:
ISO 27001 is harmonized with the structure of other management systems.
ISO 27001 puts emphasis on a continual process improvement of your information security management system.
It clarifies requirements for documentation and records.
It involves risk assessment and management processes using a Plan, Do, Check, Act (PDCA) process model.
Protecting your assets
The standard takes a comprehensive approach to information security. Assets that need protection range from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees. Issues you have to address range from competence development of staff to technical protection against computer fraud.
ISO 27001 will help you protect your information in terms of the following principles:
Confidentiality ensures that information is accessible only to those authorized to have access.
Integrity safeguards the accuracy and completeness of information and processing methods.
Availability ensures that authorized users have access to information and associated assets when required.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.