ISO 27001

What is BS 7799 / ISO 27001?

Put simply, it’s the most widely adopted security standard in the world.

BS 7799 / ISO 27001 covers known security issues, contains many well-considered control requirements, and steers companies along a quantifiable path of assessments and improvements.

Compliance shows that information security is being taken seriously and that effective steps are in place.

All organizations need to keep information safe and secure, some more than others. Comprehensive information security policies allow an organization to develop rules and procedures that safeguard information such as corporate data and customer data.

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information, ensuring it remains both secure and available. It encompasses people, processes and IT systems. BSI has published a code of practice for these systems, ISO/IEC 17799, which has now been adopted internationally by ISO (the International Standards Organization). Because the number of companies using BS 7799 is increasing so fast, and several variations of the standard will be needed, ISO has set aside a new family number for this whole security family: ISO 27000.

BS 7799 / ISO 27001 is a standard setting out the requirements for an Information Security Management System. It helps an organization identify, manage and quantify the range of threats to which its information is regularly subjected.

Annex A of BS 7799 / ISO 27001 identifies 10 controls:

  • Security policy – To provide management direction and support for information security
  • Organization of assets and resources – To help you manage information security within the organization
  • Asset classification and control – To help you identify your assets and appropriately protect them
  • Personnel security – To reduce the risks of human error, theft, fraud or misuse of facilities
  • Physical and environmental security – To prevent unauthorised access to, damage to, and interference with business premises and information
  • Communications and operations management – To ensure the correct and secure operation of information processing facilities
  • Access control – To control access to information
  • Systems development and maintenance – To ensure that security is built into information systems
  • Business continuity management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
  • Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement