ISO/IEC 27001:2005
ISO/IEC 27001:2005 and its objectives
ISO/IEC 27001:2005 is an international standard for the management of information assets and for safeguarding business continuity. It defines requirements for an information security management system (ISMS). A well-implemented ISMS helps to counteract interruptions to business activities, to protect critical business processes from the effects of disasters and major failures of information systems, and to ensure the timely resumption of normal operations.
ISO/IEC 27001:2005 is applicable to all sectors of industry and business, and is not limited to information that is handled by electronic media. The information can be printed or written on paper, stored electronically, transmitted by post or email, or spoken in conversation. ISO/IEC 27001:2005 helps organisations to ensure that information assets are always adequately protected and available when they are needed. An ISMS is relevant to all organisations, regardless of whether they use stand-alone computers or complex heterogeneous network systems.
Aligned with the Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks (www.oecd.org), the overall intention of the standard is to secure business continuity in a networked economy. ISO/IEC 27001:2005 provides a framework for an information security management system that implements the essentials of the OECD guidelines by using a "Plan-Do-Check-Act" (PDCA) process model.
How does ISO/IEC 27001:2005 work?
ISO/IEC 27001:2005 takes a holistic approach to information security. Information security is the preservation of the confidentiality, integrity and availability of any information that is important for an organisation to work effectively.
The standard is based on the process approach and adopts the PDCA model, which is applied to structure all ISMS processes.
The input for the ISMS consists of the information security requirements and expectations of the interested parties. After going through the necessary actions and processes, information security outcomes are produced to meet the aforementioned requirements and expectations.
The standard supports the consistent and integrated implementation and operation of related management standards like ISO 9001:2000 and ISO 14001:2004. One suitably designed management system can thus satisfy the requirements of all these standards.
The standard covers the following management areas.
Information security management system
Management responsibility
Internal ISMS audits
Management review of the ISMS
ISMS improvement
The standard considers information and communication technology (ICT) and information security as more than just a technical part of the organisation's infrastructure. As all business processes are run on the basis of and with the aid of IT solutions, IT security has to be regarded and managed in an integral manner.
How does ISO/IEC 27001:2005 relate to ISO/IEC 17799:2005?
ISO/IEC 17799:2005 stipulates internationally accepted good information security practice. ISO/IEC 27001:2005 helps to combine the baseline approach to information security of ISO/IEC 17799:2005 with a risk-management-based approach. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
Information security controls and guidance on their use are described in detail in the international standard ISO/IEC 17799:2005. These controls are summarised and listed in the annex of ISO/IEC 27001:2005.
In this way, the protection needs identified by a risk assessment based on ISO/IEC 27001:2005 requirements are easily met by implementing the controls of the annex.
The aforementioned controls cover the following areas:
Security policy
Organising information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
How is ISO/IEC 27001:2005 implemented?
Effective risk assessment and management are the key requirements of ISO/IEC 27001:2005. They enable organisations to identify control objectives and to select the most suitable security controls. Therefore, the implementation of the standard starts with defining a systematic approach to risk management and putting it into practice.
The definition of a risk management approach is followed by risk evaluation by all interested parties and the determination of the level of security needed, taking economic considerations into account.
Control objectives and controls can be selected from the ISO/IEC 27001:2005 annex and implemented to meet the requirements that have been identified by the risk assessment and risk treatment process. If the existing security system is sufficient, then the controls that are listed in the annex can be disregarded. Additional control measures can also be introduced.
After implementing a systematic risk management approach, the organisation maintains the system in accordance with its own requirements and the requirements of the standard.
Steps of System Certification
Pre-assessment (optional)
Before the actual audit, the organisation is informed about its purpose and benefits, its standard and method, the basic requirements for certification and the steps of the certification process. After agreeing on the scope of the certification and the estimated schedule and cost, TÜV Rheinland will analyse the organisation's status of protection in the context of its existing business, its IT environment and the information security measures already established, with regard to suitability, systematic approach, completeness and customer expectations. This may be combined with an optional pre-document check.
Stage 1 Audit
Stage 1 provides a focus for planning the audit (stage 2) by developing an understanding of the management system and site operations in the context of possible significant aspects of the applicant's management system and of the organisation's state of preparedness for stage 2. This stage is part of careful audit planning. By means of interviews and the available documents and records, the auditors determine whether the information security policy is adequate, whether risk assessment can be effectively conducted and whether the statement of applicability (SOA) is appropriate. The SOA contains the controls that the auditee selected for implementation.
Stage 2 Audit
In stage 2, the auditors confirm that the organisation adheres to its own policies, objectives and procedures, that the procedures are effective and that the ISMS conforms to all of the requirements of the standard. Once any nonconformities have been corrected by the organisation, the corrective actions have been verified and the requirements of ISO/IEC 27001:2005 are met, TÜV Rheinland issues the certificate, which proves the quality of your information security management system.
Ongoing service – Follow-up audits
To assist the organisation in the ongoing re-evaluation of the effectiveness of its management system, follow-up audits are part of the service. This provides a double benefit compared to regular monitoring: the effectiveness of the measures is sustained over a longer period, and future IT and information security requirements are confronted and, preferably, solved at an early stage.
ISO/IEC 27001:2005 audit and certification by TÜV Rheinland
The competitive advantage of “demonstrated information security” by an independent, internationally accepted authority
The audit and certification by TÜV Rheinland
Provides a better understanding of information assets and of the need for information security management processes.
Helps to improve the baseline for information security and to implement a risk-based management system.
Supports organisations by providing a process framework for the implementation and management of security controls to ensure that their specific security objectives are met.
Helps organisations to ensure that security risks are managed cost-effectively by providing valuable feedback.
Enhances the organisation's confidence that it is in compliance with laws and regulations.
Provides a tool for the internal and external auditors of organisations to determine the degree of compliance with the policies, management directions and standards that those organisations adopt.
Enables organisations to give confidence to customers, trading partners and other organisations with whom they interact for operational or commercial reasons.
The Sign of Quality and Security
ISO/IEC 27001:2005 certification by TÜV Rheinland shows your customers, partners and the authorities the high quality and security level at which your business processes are carried out.
By using TÜV Rheinland's ISO/IEC 27001:2005 certification, organisations can demonstrate that they are trustworthy business partners.