ISO 27001 is a standard for an information security management system (ISMS), designed to ensure that information security is placed under management control.
How ISO 27001 works
Most businesses implement information security controls for various reasons, such as confidentiality. Without an information security management system, these controls can be disorganised and therefore fail to do the job you need them to do. This occurs for a variety of reasons, mainly because such controls were initially implemented to solve a smaller, specific business problem rather than to address all aspects of system security.
There are a number of aspects of information system security which are covered by ISO 27001.
What it means to businesses
ISO 27001 requires that business management thoroughly examine the security risks within a business and account for threats and for the impact of any non-compliance or breaches. It is also a requirement of ISO 27001 that the business management team implement a system of controls to manage and reduce any risk attached to information security to a minimal, acceptable level. It is also the responsibility of business management to ensure there is a process for the ongoing monitoring of those controls, so that a clear and accurate audit trail is maintained.
Businesses can apply ISO 27001 in the manner which suits their own specific needs. For example, a multi-site organisation can choose to have one set of controls across the entire business or to implement separate controls for each individual site. It is important to note that ISO 27001 certification only confirms that a management system is in place; a full audit of the information systems themselves would be required to establish the actual level of security within a business.
A business’ information security system may be certified as ISO 27001 compliant by a wide range of registrars. A three-step audit process is in place prior to gaining this certification, which is standard for information security management systems.
An initial review is carried out to familiarise the auditing body with the business and to ensure that documents such as the business’ security policy are up to date and compliant. Stage two is a more formal audit, which tests the business’ information security system stringently against the requirements of ISO 27001. The final part of the audit process involves ongoing follow-up audits to ensure that the business in question remains compliant with the requirements of the certification.
These should be checked on a yearly basis; however, businesses often complete reviews more regularly, particularly if an information security system is new or has suffered technical problems in the past.
Iso27001standard.com provides a large online resource for implementing the ISO 27001 and BS 25999-2 standards. Get document toolkits, downloads and expert help.