Information security flaws can result in escalating financial losses and wreak havoc with business operations. The newly published ISO/IEC 27001:2005 standard for information security management systems can help organizations plug existing leaks and prevent future threats.
"The publication of ISO/IEC 27001:2005 is a big event in the world of information security and the standard has been eagerly awaited," said Ted Humphreys, Convenor of the working group responsible for managing the development of the standard. "It is a standard that all security-conscious organizations should look to implement."
ISO/IEC 27001:2005 can be used by a broad range of organizations – small, medium and large – in most of the commercial and industrial market sectors: finance and insurance, telecommunications, utilities, retail and manufacturing sectors, various service industries, transportation sector, governments and many others.
The implementation of ISO/IEC 27001:2005 will reassure customers and suppliers that information security is taken seriously within the organizations they deal with because they have in place state-of-the-art processes to deal with information security threats and issues.
Information is an asset, which, like other important business assets, adds value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.
ISO /IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, specifies the processes to enable a business to establish, implement, review and monitor, manage and maintain an effective ISMS.
ISO/IEC 27001:2005 integrates the process-based approach of ISO's management system standards – ISO 9001:2000 and ISO 14001:2004 – including the Plan-Do-Check-Act (PDCA) cycle and requirement for continual improvement.
The new standard forms a complementary pair with the recently published ISO/IEC 17799:2005 "code of practice" on information security management.
Organizations that so wish can have their information security management systems independently certified as conforming to the requirements of ISO/IEC 27001:2005, although certification is not a requirement of the standard.
Up to now, organizations that wished to have their ISMS certified have done so in conformity with the British Standard BS 7799 Part 2. This is now possible against ISO/IEC 27001:2005, which is an International Standard.
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, costs 124 Swiss francs and is available from ISO national member institutes (see the complete list with contact details) and from the ISO Central Secretariat (see below). It was developed by ISO/IEC Joint Technical Committee JTC 1, Information technology, Subcommittee SC 27, Security techniques, Working Group WG 1, Requirements, security services and guidelines.