ISO/IEC 27001:2005
Posted April 5, 2009 at 5:19 pm in General

ISO/IEC 27001:2005 is an information security management system (ISMS) standard. It is intended to be “used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls.”[1]
It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Joint Technical Committee 1 (JTC 1), Subcommittee 27 (SC 27). ISO/IEC 27001 was officially published October 15, 2005, hence the 2005 in the name of the standard. The standards were designed to “ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.”[2]
The standard covers a wide range of organizational types, such as commercial, government, non-profit, and educational. This large umbrella means you’ll most likely encounter it in your work. As a CIO/CISO you’re more than likely trying to follow the standard to the best of your organization’s ability, either for certification purposes or simply as a security framework. Organizations certify that they comply with ISO 27001 for a variety of reasons, but most commercial organizations use it as a selling point to customers. By advertising the certification they hope to increase revenue, which, on the other hand, could also make them a target for someone with malicious intent. If you’re performing vulnerability assessments on an organization that follows ISO 27001, it wouldn’t hurt to glance over the standard to understand the underlying security infrastructure.