ISO/IEC 27001:2005

Posted April 5, 2009 at 5:19 pm in General

ISO/IEC 27001:2005 is an information security management system (ISMS) standard. It specifies the requirements an ISMS must meet and is intended to be “used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls.”[1] In other words, 27001 is the auditable requirements document, while 27002 is the catalogue of controls it draws on (27001’s Annex A mirrors the 27002 control set).

It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under Joint Technical Committee 1 (JTC 1), Subcommittee 27 (SC 27). ISO/IEC 27001 was officially published on October 15, 2005, hence the “2005” in the name of the standard. It was designed to “ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.” [2]

The standard applies to a wide range of organizational types, including commercial, government, non-profit, and educational organizations. This large umbrella means you will most likely encounter it in your work. As a CIO/CISO you are probably trying to follow the standard to the best of your organization’s ability, either for certification purposes or simply as a security framework. Organizations get certified against ISO 27001 for a variety of reasons, but most commercial organizations use certification as a selling point to customers. Advertising the certification is meant to increase revenue, but it also announces to anyone with malicious intent that the organization holds information worth protecting. If you are performing a vulnerability assessment on an organization that follows ISO 27001, it is worth glancing over the standard to understand the underlying security infrastructure. Keep in mind that certification covers only the scope the organization defined in its Statement of Applicability, so a certified organization may still have systems and controls that the certificate says nothing about.

Organizations are certified against the ISO 27001 standard (or a local national variant) by accredited certification bodies, also called registrars. The audits are conducted by ISO 27001:2005 Lead Auditors. To become ISO 27001 certified, an organization must pass a multi-stage certification process that begins with a general review of its documentation.

  • General Review (Stage 1) – a check of key documents for completeness, such as the organization’s security policy, Statement of Applicability (SoA), and Risk Treatment Plan.
  • Detailed Review (Stage 2) – an in-depth audit that tests whether the security controls declared in the Statement of Applicability and Risk Treatment Plan are actually implemented and operating.
  • Follow-up Review – periodic surveillance audits after certification to confirm the organization remains in compliance, with a full reassessment before the certificate is renewed.

The information security management system (ISMS) is built on the PDCA cycle, where PDCA stands for Plan-Do-Check-Act. Planning covers defining the ISMS scope and requirements, assessing the risks, and selecting the appropriate controls. Doing covers implementing the selected security controls and operating the ISMS. Checking is the monitoring, measurement, and review of the ISMS (including internal audits) to ensure that the requirements are being met. Lastly, Acting is taking corrective and preventive action based on what the Check phase found, so that the cycle continues and the ISMS keeps improving.

A flowchart of the ISO 27001 process can be found at http://www.iso27001security.com/ISO27k_ISMS_implementation_and_certification_process_v3.pdf.[3]

[1] http://en.wikipedia.org/wiki/ISO_27001
[2] http://www.iso.org/iso/catalogue_detail?csnumber=42103
[3] http://www.iso27001security.com/html/27001.html