Title/definition ISO/IEC 27000: Information security

The basics:

ISO / IEC 27000 is a series of information security standards developed and published by ISO and IEC; these standards provide a globally recognized framework for best practice in information security management.

Summary: ISO/IEC 27000 is owned by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 is a specification that sets out specific requirements, all of which must be followed, and against which an organization's Information Security Management System (ISMS) can be audited and certified. All the other Standards in the ISO27000 family are Codes of Practice; these provide non-mandatory best practice guidelines which organisations may follow, in whole or in part, at their own discretion.

Key concepts that govern the standards are:

  • Organisations are encouraged to assess their own information security risks
  • Organisations should implement appropriate information security controls according to their needs
  • Guidance should be taken from the relevant standards
  • Implement continuous feedback and use of the Plan, Do, Check, Act model
  • Continually assess changes in threat and risk to information security issues.

The standards family

·ISO/IEC 27000:2009 provides an overview of information security management systems,
which form the subject of the information security management system (ISMS) family of
standards, and defines related terms.

·ISO 27001 is the specification for an an Information Security Management System (ISMS).

·ISO 270002 is a code of practice for information security.

·ISO 270003 is a proposed development to provide help and guidance in implementing an
ISMS

·ISO270004 provides guidance on the development and use of measures and
measurement for the assessment of the effectiveness of an implemented information
security management system and controls, as specified in ISO 27001.

·ISO 270005 covers information security risk management.

·ISO 270006 offers guidelines for the accreditation of organizations which offer certification
and registration for an ISMS.

Target group(s): All roles responsible for IT security management in an organization; IT security management professionals; auditors

Scope: The family of ISO/IEC 27000 standards is broad in scope: they are applicable to any organization, in any sector, of any size.

Strengths and pitfalls:
Strengths
By aligning itself with an ISO / IEC Standard, an organisation can:
·Secure its own critical assets
·Manage levels of risks
·Improve and ensure customer confidence
·Avoid loss of brand damage, loss of earnings or potential fines
·Evolve their information security alongside technological developments
Pitfalls
·Few organizations formally state the scope of their ISMS or document their risk
  assessment method and risk acceptance criteria in accordance with the standard.
·Many organizations lack formal procedures for reporting security events, and
  mechanisms to quantify and monitor incidents.
·Business continuity plans are often either absent or outdated, while continuit
  exercises are irregular and unrealistic
·Few organizations identify all the information security-relevant laws and regulations, and established mechanisms to stay up-to-date on changes.

Relevant links: Official ISO website: www.iso.org/iso/specific-applications_it-security

Please wait...

X
Added to your cart