ISO/IEC 27001 – The foundations and principles of the information security management system
ISO/IEC 27001
It is an internationally recognized specification for assessing the security measures used in information technology environments; it pays particular attention to the related work procedures and identifies the priority actions. It also sets out the requirements and obligations for establishing, implementing, operating and maintaining the content of the international standard ISO/IEC 27001 within an organization, taking into account all the potential dangers the organization may be exposed to, whether it is a government body, a commercial company or a charity. The specification also defines the conditions necessary for applying the security controls that meet the needs of each individual organization or of any branch of that organization.
The specification is designed to allow free choice of the appropriate security controls that protect the information and give confidence to interested parties.
The basis and principles of the information security management system (ISMS)
The ISO/IEC 27000 family of international standards was issued by the International Organization for Standardization (ISO) in cooperation with the IEC in 2005 through the joint technical committee ISO/IEC JTC 1/SC 27, which developed it from the British standard BS 7799 in order to address information security issues.
Since then ISO has released a large number of specifications, technical reports and guides serving information security management systems, as illustrated by the following list, in which the documents already issued were shown in red (please refer to ISO's website to check the current versions):
- ISO/IEC 27000:2009 provides an overview or introduction to the ISO27k standards and defines the specialist vocabulary used throughout the ISO27k series.
- ISO/IEC 27001:2005 is the Information Security Management System (ISMS) requirements standard, a specification for an ISMS against which thousands of organizations have been certified compliant.
- ISO/IEC 27002:2005 is the code of practice for information security management, describing a comprehensive set of information security control objectives and a set of generally accepted good-practice security controls.
- ISO/IEC 27003:2010 provides implementation guidance for ISO/IEC 27001.
- ISO/IEC 27004:2009 is an information security management measurement standard suggesting metrics to improve the effectiveness of an ISMS.
- ISO/IEC 27005:2008 is an information security risk management standard with advice on selecting appropriate risk analysis and management tools and methods.
- ISO/IEC 27006:2007 is a guide to the certification or registration process for accredited ISMS certification/registration bodies who award ISO/IEC 27001 certificates.
- ISO/IEC 27007 will be a guideline for auditing Information Security Management Systems. It is expected to focus on auditing the management system elements.
- ISO/IEC TR 27008 will provide guidance on auditing information security controls. It is expected to focus on auditing the information security controls.
- ISO/IEC 27010 will be a multi-partite standard providing guidance on information security management for sector-to-sector communications.
- ISO/IEC 27011:2008 is the information security management guideline for telecommunications organizations (also known as ITU X.1051).
- ISO/IEC 27013 will provide guidance on the integrated implementation of ISO/IEC 20000-1 (IT Service Management) and ISO/IEC 27001 (ISMS).
- ISO/IEC 27014 will cover information security governance.
- ISO/IEC 27015 will provide information security management systems guidance for financial services organizations.
- ISO/IEC 27031 will be an ICT-focused standard on business continuity.
- ISO/IEC 27032 will provide guidelines for cyber security.
- ISO/IEC 27033 will replace the multi-part ISO/IEC 18028 standard on IT network security.
- ISO/IEC 27034 will provide guidelines for application security.
- ISO/IEC 27035 will replace ISO TR 18044 on security incident management.
- ISO/IEC 27036 will be a guideline for the security of outsourcing (new project).
- ISO/IEC 27037 will be a guideline for digital evidence (new project).
The two most important international specifications are ISO/IEC 27001:2005 and ISO/IEC 27002:2005: the first gives the requirements for an information security management system, and the second covers good-practice methods for information security controls.
The specification ISO/IEC 27001:2005 applies to any organization of any size or line of products; after implementing the system, the organization may apply to the relevant certification body for a certificate of compliance.
Information security in the view of the specification ISO/IEC 27001:2005
The specification ISO/IEC 27002:2005 also defines information security as the preservation of:
Confidentiality: ensuring that information is accessible only to those who are authorized to have access to it.
Integrity: safeguarding the accuracy and completeness of information and of the methods used to process it.
Availability: ensuring that authorized persons have access to the information and associated assets whenever required.
Areas covered by the specification ISO/IEC 27001:
- Information technology risk management
- Information security policy
- Security of the organization's staff (human resources security)
- Safety of the working environment and security of assets
- Communications and operations management
- Access control
- Information security incident management
- Business continuity management and work readiness
Stages of implementing and evaluating the information security management system