Are You Meeting ISO 27000 Standards for Information Security Management?
By Harvey McEwan
The ISO 27000 series of standards is published jointly by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC). It is the
internationally accepted industry standard for information security management.
The ISO 27000 family combines certifiable requirements with supporting guidance. Within it,
ISO 27001 is the specification: it sets out the requirements that a company's information
security management system (ISMS) can be audited and certified against.
Most of the other standards in the family are guidance rather than requirements. ISO 27002,
27003, 27004 and 27005 provide non-mandatory, best-practice guidelines (on controls, ISMS
implementation, measurement and risk management respectively) that companies can choose to follow
as required. ISO 27006 is the exception: it sets the requirements for the bodies that audit
and certify an ISMS, rather than for the organisations being certified.
The surge of hacks and website breaches at large organisations, in which customer information
was obtained and leaked, has made many realise that however well protected you think you are,
information security needs far more consideration than previously thought. This is why
legislation and industry requirements exist to protect that data and to protect consumers from
having it stolen, and why companies handling sensitive information must comply with the standards
and regulations that apply to them.
ISO 27001 helps any organisation protect its information. It is increasingly being adopted,
and many organisations now choose to comply regardless of the implementation costs involved.
Many consultancies will perform an independent, expert review of the systems currently in place
to expose pitfalls and compare them against the current industry standard.
The benefits for a business are that, after an ISO 27001 gap analysis, the information obtained
from the review can be used to establish an information security framework, and recommendations
can be made to bring security up to the industry standard. Being accredited with certification
can also be very advantageous when dealing with customers.
Once security has been raised to that level, internal staff can be educated with the knowledge
needed to maintain and develop the internal security infrastructure.
Compliance with ISO 27001 is not the end of the matter. Any company that stores, processes or
transmits payment card data must also comply with the Payment Card Industry Data Security
Standard (PCI DSS). PCI DSS is not legislation but a contractual requirement imposed by the
card brands, covering its own defined areas of information security management.
This is just the beginning of the requirements placed not only on companies but on local councils
and anyone else dealing with sensitive information. As technology advances and changes, the
legislation and requirements are updated in turn, so organisations need to keep up to date to
ensure minimal risk to users' information.
Harvey McEwan writes to offer information and advice on a variety of areas, from technology
to holiday destinations. Read through Harvey's other articles
here to find out more.
Mandatory documents required by ISO 27001
(This list reflects the 2005 edition of the standard; the 2013 revision reorganised the
documentation requirements and dropped the separate procedure for preventive action.)
• Information Security Management System (ISMS) scope
• ISMS policy and objectives
• Risk assessment methodology
• Risk assessment report
• Statement of Applicability
• Risk treatment plan
• Description of how to measure effectiveness of controls
• Procedure for document management
• Controls for record management
• Procedure for internal audit
• Procedure for corrective action
• Procedure for preventive action
Records required by the standard:
• Records related to effectiveness of the ISMS
• Records of management decisions
• Records of significant security incidents
• Records of training, skills, experience and qualifications
• Results of internal audit
• Results of management review
• Results of corrective actions
• Results of preventive actions