ISO 27001:2005 – Information Security Management Systems

Purpose:

The ISO 27001:2005 Information Security Management Systems (ISMS) Standard is primarily concerned with ‘Information Security Management’ issues. It is a generic standard, and as such can be applied to any size or type of organisation, whatever its product or service, in any sector of activity, and whether it is a business enterprise, a public agency or government department.

‘Management System’ refers to what the organisation does to manage its processes or activities, in order that its products or services meet its set objectives, for example:

Usage:

ISO 27001 is the most widely adopted standard in the world covering the Management of Information Security. There has been a marked increase in certifications within the last few years, and the trend seems likely to continue at a faster pace than before, driven by increased levels of international trade, reduced trading barriers and enlargements within harmonised markets such as the EU. The proliferation of electronic commerce and the internet, coupled with new legislation, has greatly increased the need for organisations to manage the security of their information and to prevent misuse and fraud.

Compliance:

Compliance with the ISO 27001 Standard requires companies to undertake internal audits and undergo regular external assessment and audits of their Information Security Management System by a certification body in order to gain certification.

Benefits:

Although ISO 27001 certification is not a legal requirement, most companies opt to achieve certification for key business reasons including: