ISO/IEC 27001:2005 (ISO 27001), also commonly referred to as ISO 27k, was published in October 2005. It is an Information Security Management System (ISMS) standard. An ISMS consists of documented security objectives and measures, including security policies, procedures, resources, and structures, that effectively manage the availability, confidentiality, and integrity of information assets and minimize information security risks. The ISO 27001 standard sets the requirements for ISMS certification.
The standard consists of two parts. The first is a code of practice detailing what is necessary to establish, execute and sustain an Information Security Management System. The second is a set of standard controls tailored to an organization's needs. ISO 27001 has increasingly become accepted as the single, overarching standard for assuring that companies achieve compliance with numerous information-related security and compliance requirements.
The ISO standards apply to nearly every type of company in nearly every area of business around the world. For ISO/IEC 27001:2005, each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting the controls that are appropriate to its particular circumstances.
Organizations need only implement the security controls relevant to their business; they do not need to implement every control identified in the standard. An external consultant with experience in the ISO standards can provide an array of services to help companies manage compliance while reducing redundancies and cutting costs.
Assistance with achieving and demonstrating ISO compliance should be obtained from an experienced enterprise solutions provider that specializes in security and compliance, one that can have an ISO 27001 audit performed by a certified ISO 27001 Lead Auditor.
The objective is to analyze, remediate, and assess adherence to the ISO standard in a cost-effective manner. An end-to-end compliance management solution helps identify vulnerabilities, define internal and external policies, and manage changes and enforcement.
Tactical and precise, the road to ISO compliance can be as simple as the following three-step process:
Step 1: Gap Analysis. A tactical gap analysis and documentation review will go a long way in outlining strategies for a cost-effective road to compliance.
Step 2: Report of Recommendation. This report demonstrates the existence of a best-practice-based information security infrastructure.
Step 3: Remediation.
Whether it is writing security policies or implementing the recommended security controls, working hand in hand with a qualified lead auditor ensures a direct and efficient return on investment, and helps a company focus on the continuous improvement of its information security processes.
Following this process, a company should receive a certified assessment of compliance with all applicable ISO security standards.