ISO 27001 Explained
BS 7799 was a standard originally published by BSI Group in 1995. It was written by the United Kingdom Government’s Department of Trade and Industry (DTI), and consisted of several parts.
The first part, containing the best practices for information security management, was revised in 1998; after a lengthy discussion in the worldwide standards bodies, it was eventually adopted by ISO as ISO/IEC 17799, “Information Technology – Code of practice for information security management.” in 2000. ISO/IEC 17799 was then revised in June 2005 and finally incorporated in the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.
The second part of BS7799 was first published by BSI in 1999, known as BS 7799 Part 2, titled “Information Security Management Systems – Specification with guidance for use.” BS 7799-2 focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2. This later became ISO/IEC 27001:2005. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle (Deming cycle), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001:2005.
Most organisations have a number of information security controls. However, without the ISO 27001 Information Security Management System (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organisation.
ISO 27001 requires that management:
- Systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks
that are deemed unacceptable.
Adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.