ISO 27001

ISO 27001:2005 sets out how a company should address the requirements of confidentiality, integrity and availability of its information assets and incorporate this into an Information Security Management System (ISMS).

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information, ensuring it remains both secure and available. It encompasses people, processes and IT systems. BSI has published a code of practice for these systems, ISO/IEC 17799, which has now been adopted internationally by ISO (the International Standards Organization).

ISO 27001:2005 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and quantify the range of threats to which information is regularly subjected.

ISO 27001:2005 specifies the mandatory requirements for establishing, implementing and documenting an ISMS, and specifies requirements for security controls to be implemented according to the needs of individual organizations. It consists of 11 control sections, 39 control objectives and 133 controls, and is aligned with ISO 17799. It includes a plan-do-check-act (PDCA) model, which enables continual improvement. The 11 control sections are:

  • Information Security Policy - To provide management direction and support for information security
  • Organizational Security - To help you manage information security within the organization
  • Asset Management - To help you identify your assets and appropriately protect them
  • Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities
  • Physical and Environmental Security - To prevent unauthorised access, damage and interference to business premises and information
  • Communications and Operations Management - To ensure the correct and secure operation of information processing facilities
  • Access Control - To control access to information
  • Systems Development and Maintenance - To ensure that security is built into information systems
  • Information Security Management and Incident Reporting - To ensure that effective controls are in place to capture incidents and that they are dealt with effectively
  • Business Continuity Management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
  • Compliance - To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and any security requirement

HOW CAN WE HELP?