ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS). Certification to ISO/IEC 27001 demonstrates that an organisation has defined and put in place best-practice information security processes.
The approach to information security described in ISO/IEC 27001 is not one particular product or product component. Rather, it is a flexible, holistic process that ensures the information assets in an organisation are protected in every aspect of their use, storage and disclosure.
The standard applies to any organisation whose core activity is the storage and processing of information on behalf of others.
It is intended to be used by organisations of all sizes, from the smallest home-based businesses through to large organisations with many locations and multiple stakeholders.
The standard is made up of 12 clauses that are divided into four main parts. Each clause defines a responsibility, a prerequisite or a criterion to be met. Additional information can also be provided in what is called “management objectives, controls and associated risks”.
The management objectives, controls and risks can be adopted as part of the standard or they can be changed to fit the needs of the organisation. For example, the controls and risks in ISO 27001 could be re-written to include the following:
“The organisation shall develop policies, procedures, products and services that will be used in accordance with the laws of the region or country where the organisation is located.”
“The organisation shall ensure that real time activity monitoring and event management are employed to detect and avoid any possible security breach of information assets.”
ISO/IEC 27001 defines four levels of implementation:
- Level 1 — Generic risk based ISMS. This level is applicable to the smallest organisations. An example of this level would be a home business that holds no customer or employee information; just a server in the home used for the business and for personal records. It must be noted that the business is exposed to the risk of the loss of all records that are in the home. In addition, the business must be aware that the appropriate legislative requirements in this case would be the laws of the state in which the business resides, and not any federal or international law.
- Level 2 — Generic ISMS. This level is applicable to basic private and public organisations. An example of this level would be a private security company operating in one country. The company may have many customers, not all of the same size, but none of them so big that it could not be serviced locally. If the company is a multinational, then it could be serviced from its home country with respect to information security. It is important to note that the appropriate legislative requirements could be imposed by the home country, but this company manages all of its information security tasks based on ISO 27001 and its information security procedures. This company has an ISMS to meet its customers' needs, and it has the procedures that allow management to judge the effectiveness of the company in performing its duties within the ISO 27001 standard.
- Level 3 — ISMS of an organisation with multiple locations and numerous stakeholders. This level is applicable to individual sites of large organisations that have locations outside their home country or region. Some examples are: a multinational company, a bank, or the church.
The ISO 27001 standard places a considerable emphasis on risk management. This is not surprising considering the number of businesses lost by small or large organisations every year because of the lack of risk management and the inability to detect and respond to risks early on.
The standard specifies the information that must be contained in the risk management process, but leaves the choice of tools to the organisation. The standard identifies the general categories of risk that should be addressed. For example:
- Business risks (turnover, reputation, organisation effectiveness)
- Operational risks (disruption, failure, malicious, natural)
- Legislative risks (compliance, jurisdiction)