Wednesday, 11 June 2014

An overview on ISO/IEC 27001:2005

ISO/IEC 27001:2005 is an internationally recognized Information Security Management System (ISMS) standard, published in October 2005. A new version, ISO/IEC 27001:2013, has recently been released, but it has yet to pick up pace in the industry. In the subsequent sections, ISO/IEC 27001:2005 will be referred to simply as ISO27001. The ISO27001 standard relates solely to information security and formalizes the process of securing information within the organization. Organizations that have adopted this standard can be formally audited and certified. The standard is not restricted to information alone but extends to all information processing assets, including people.

Approach:
This standard implements the Plan-Do-Check-Act (PDCA) model, and the four stages of this model must be implemented continuously in order to ensure the confidentiality, integrity and availability of information. The PDCA model is described as follows:
  • Plan - In this phase, the scope and policies must be established. All processes and procedures to manage risks must be planned, and all assets must be identified. All relevant controls must be selected from the standard.
  • Do - In this phase, all policies, controls, procedures and processes planned in the previous phase must be implemented. Awareness and training programs must also be conducted in this phase.
  • Check - The ISMS implementation must be monitored and checked in this phase using various methods (e.g. audits) against the set objectives, and the results must be communicated to management for review.
  • Act - Based on the findings of the previous phase, corrective and preventive actions must be performed to ensure continual improvement of the ISMS.

Mandatory Documents:
Documentation plays a vital role in the ISMS implementation. The standard allows flexibility in terms of the implementation; however, it does prescribe a set of mandatory documents that need to be prepared in order to ensure that the organization's risks are identified and mitigated. Risk management consists of identifying all assets of the organization and their associated vulnerabilities and threats. The treatment of the risks also needs to be documented and implemented, and an acceptable level of risk arrived at. This residual risk should be accepted by management. Apart from the risk management framework, documented processes and procedures also need to exist for all the process areas and departments within the scope of the implementation. Physical security boundaries also need to be defined for the scope of the implementation. One of the other key focus areas of the standard is top management's commitment to the ISMS implementation. The ISMS implementation has to be a well-considered one, and this should be demonstrated through the various documents. For example, a good scope document as well as a comprehensive BCP document will go a long way in showing that the implementation has been given adequate thought and meets business requirements. Also, the implementation is not a one-time activity. Periodic internal audits need to be conducted to ensure that the standard is being adhered to. Apart from internal audits, yearly surveillance audits also need to be undergone to ensure continuity of the certificate.

In today's day and age, when information security is the buzzword, many companies go in for a certification purely for commercial purposes or because of vendor requirements. However, this would be the wrong approach to the implementation. The ISMS has to be implemented to meet business requirements, not for commercial gain. Business requirements such as BCP, backups and access requirements have to be taken into account for the implementation.

About the Author:
Kintu Racca is a consultant at Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at kintu.r@spluspl.com
