ISO27001 / ISO27002 A Pocket Guide

Released October 2008

Publisher(s): IT Governance Publishing

ISBN: 9781849281669

Start your free trial

Book description

Use ISO27001 to protect your organisation's information assets

This helpful, handy ISO27001/ISO27002 pocket guide gives a useful overview of these two important information security standards.

Read this pocket guide to learn about:

The ISO/IEC 27000

Family of Information Security Standards

Background to the Standards Certification process

The ISMS and ISO27001

Overview of ISO/IEC 27001:2005

Specification vs Code of Practice

Documentation Records

Management Responsibility

Policy Scope

Risk Assessment

Implementation.

Confidentiality, Integrity and Availability

In order to ensure the availability, confidentiality and integrity of your business information, you will need to put in place an information security management system (ISMS). ISO27001 is the international standard that offers a framework for an ISMS. If your organisation's ISMS conforms to the specification of ISO27001, you can arrange for an independent audit of the ISMS against that specification and eventually achieve certification.

Why does ISO27001/27002 matter?

Improve efficiency - An ISO27001 compliant ISMS will enable your organisation to move beyond the ad hoc approach to information security. An unsystematic approach to the subject tends to mean that a lot of people's time is wasted ""putting out bush fires"": fixing bugs in software and reacting to incidents as they arise. However, the structured, coherent approach of the ISMS will make your organisation less likely to be crippled by minor setbacks and will, therefore, enable it to function more effectively

Protect your information assets - Information assets face a wide range of threats, ranging from criminal activity, such as fraud, to user error or system failure. Putting in place an ISMS, will enable you to improve the level of information security within your organisation

Manage risk - The systematic approach to information security required under ISO27001, means your organisation needs to put in place a risk treatment plan. Once you have identified the main threats to your business information, and the most likely ways in which they could do damage to your company, you can work out how best to eliminate or reduce these risks. In addition, there are some risks you can manage by ensuring they remain at an acceptable level

Prepare for the worst - Supposing that, in spite of the precautions you had taken, your company did suffer a major security breach. If something like that happened, how well prepared would your company then be to respond? ISO27001 requires you to monitor your information security events. The earlier you are able to detect information security incidents or processing errors, the quicker you can fix any problems.

Furthering the objectives of your organisation

Information security cannot be achieved through technological means alone, and should never be achieved in a way that would damage your overall ability to do business. For this reason, ISO27001 is not a one-size-fits solution, nor is it designed to be a static, fixed entity.

Under ISO27001, your ISMS should be scaled to fit the needs of your business, and it is expected to change over time in line with your company's growth and development.

ISO27001 is supported by ISO27002, which is a code of practice for information security management that offers practical guidance on how to create an information security framework. ISO27002 sets out best practice in information security by drawing on the knowledge of a group of experienced information security practitioners from over 40 countries.

Putting an ISMS in place will affect the whole organisation. It therefore requires management direction, so that the organisation as a whole understands the importance of meeting information security objectives.