ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
The way that ISO 27001 is structured is through the six normal stages of an ISMS. The six stages are as follows:
- Leadership Management responsibility and accountability
- Information security policies
- People and the organisation
- Relationship with third parties
- Process management
- Information assets
The stage with the greatest complexity is stage 4, information security policies. This stage is subdivided into five sub sections. This article will briefly describe each of the five sub sections, together with the relevant ISO 27001 clauses.
Policies to be addressed
The first sub section within stage 4 are information security policies. Information security policies are official, written decisions made by people in positions of leadership. These policies help to keep information control issues in control.
Clause 4.4 is the introductory clause for information security policies. The introductory clause states that an ISMS must include detailed policies, procedures and processes for all aspects of information risk management.
Policies to be referenced
The next sub section is information security policies to be referenced. Generally, policies are information that is produced by the organisation. This sub section describes policies that are required from outside the organistaion. This is achieved using sub clause 4.10.
The aim of sub clause 4.10 is to ensure that there are policies, standards and guidelines related to information security, which ISO 27001 encourages.
Policies related to system development life cycle
The third sub section is policies related to the system development life cycle. This is achieved using clause 4.12. There are also in clause 4.12 clauses that describe information security policies related to service design, service deployment, service operation and service deprovision.
Policies related to overall risk
The fourth sub section is policies related to the overall risk. There are ISO 27001 clauses that describe information security policies related to residual risk, annual risk and compromise risk.
Policies related to international risk management
The final sub section is policies related to international risk management. Such policies could be HR policies or policies related to international marketing.
ISO 27001 audit clause 4.18 states that information security policies in clause 4.4-4.18 must be reviewed, revised and updated. This document and previous version should be held in a corporate library.
The ISO 27001 framework and its six stages is a well thought out and comprehensive information risk management framework.