WHAT IS ISO/IEC 27001
www.pecb.com
WHAT IS INFORMATION SECURITY?
• Confidentiality: ensuring that the information is accessible only to those authorized to access it.
• Integrity: ensuring that the information is accurate and complete and that it is not modified without authorization.
• Availability: ensuring that the information is accessible to authorized users when required.
Information security is achieved by applying a suitable set of controls (policies, processes, procedures,
organizational structures, and software and hardware functions).
WHAT IS AN ISMS?
An ISMS (information security management system) is the set of policies, processes, organizational structures and controls through which an organization manages its information security risks in a systematic, repeatable way. All activities within an ISMS must follow a defined method. ISO/IEC 27001 does not prescribe which method, but whichever method is chosen must be well defined and documented. The standard also requires the organization to specify its own security objectives rather than adopting a fixed list.
ISO/IEC 27001 is aligned with both ISO 9001 (quality management systems) and ISO 14001 (environmental management systems). The three standards share system elements and principles, including the Plan-Do-Check-Act (PDCA) cycle of continual improvement. This alignment makes it possible to integrate the management systems where it makes sense to do so.
If information assets are important to your business, you should consider implementing an ISMS in order to
protect those assets within a sustainable framework.
If you implement an ISMS, you should consider having it certified against ISO/IEC 27001. The standard has built a reputation for helping organizations shape practices that improve their ability to protect information assets, and a growing number of organizations around the world have already been certified.
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of
information and information systems and processing facilities, and the likelihood of their occurrence.
Risk management is the process of identifying, controlling, and minimizing or eliminating security risks.
In the real world, the cost of protecting information must be balanced against the potential cost of security
breaches. A company must fully understand the security risks it faces in order to determine the appropriate
management action and to implement controls selected to protect against these risks.
Selecting the right set of controls requires a risk assessment-based approach. This approach is a mandatory part of the PDCA cycle defined for establishing, implementing and maintaining an ISMS: PLAN (identify, analyze and evaluate the risks), DO (select, implement and operate controls that reduce the risks to an acceptable level), CHECK (monitor and review the ISMS) and ACT (maintain and improve it).
The standard requires only that the organization use a systematic approach to risk assessment: a defined risk assessment method, consideration of legal and contractual requirements, and a policy and objectives for reducing risks to an acceptable level.
An organization that manages change effectively has a better chance of survival. The PDCA process model
provides a means of assessing the risks an organization is challenged with as a result of changes in the
business environment.
ISO/IEC 27001 is the standard that specifies the requirements for an ISMS. An independent third party (a certification body) can audit an ISMS and, if satisfied that it meets the requirements, certify that the organization is compliant with the standard.
Certificates have a limited validity. The maximum term of validity is three years.
During that term, the certification body conducts regular surveillance assessments of your ISMS. You are also obliged to notify the certification body of major changes to your ISMS; it then decides whether additional checks are necessary before the certificate remains valid.
COPYRIGHTS: HTTP://WWW.ATSEC.COM/01/ISMS-ISO-IEC-27001-BS-7799-FAQ.HTML