ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).
ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance, and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks. It does not mandate specific information security controls but stops at the level of the management system.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, and nonprofit organizations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.
Bringing information security under management control is a prerequisite for sustainable, directed, and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities, and impacts of information security failures, using review and improvement activities specified within the management system.
According to JTC1/SC27, the ISO/IEC committee responsible for ISO 27000 and related standards, ISO/IEC 27001 “is intended for different types of use.”
The information security controls from ISO/IEC 27002 are noted in an appendix (annex) to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information security risks, which is one vital part of the ISMS.
HISTORY OF ISO/IEC 27001
ISO/IEC 27001 was born as BS 7799 Part 2 in 1999. It was revised by the British Standards Institute (BSI) in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cycle, and was adopted by ISO/IEC in 2005.
Since ISO/IEC 27001 is an active certification standard, major or structural changes are likely to be difficult, and even minor changes will have to be justified in order to retain “backwards compatibility” with the existing standard wherever possible. Nevertheless, there is pressure to realign 27001 with 27000, 27002, 27003, and 27005, reducing duplication and potential conflict, and to realign it with other ISO management system standards such as ISO 9000 and ISO 14000. Hopefully, confusion around the meaning and purpose of the terms “Statement of Applicability,” “ISMS Policy,” and “Information Security Policy” will be resolved.