What are ISO/IEC 27001:2005 & ISO/IEC 27002:2005?
ISO/IEC 27001:2005
ISO/IEC 27001:2005 (formerly BS 7799-2:2002) is a standard setting out the requirements for an Information Security Management System (ISMS). It helps an organization identify, manage and minimize the range of threats to which its information is regularly subjected. The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties, including an organization's customers.
It is suitable for several different types of organizational use, including the following:
- Formulation of security requirements and objectives;
- To ensure that security risks are cost effectively managed;
- To ensure compliance with laws and regulations;
- As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- Identification and clarification of existing information security management processes;
- To be used by management to determine the status of information security management activities;
- To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
- To provide relevant information about information security policies, directives, standards and procedures to trading partners;
- To provide relevant information about information security to customers.
An organization using ISO/IEC 27001:2005 as the basis for its ISMS can become registered by BSI, thus demonstrating to stakeholders that the ISMS meets the requirements of the standard.
ISO/IEC 27002:2005
The ISO/IEC 27002:2005 Code of Practice for Information Security Management establishes guidelines and general principles for organizations to initiate, implement, maintain and improve information security management. The objectives it outlines provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002 contains best-practice control objectives and controls in the following areas of information security management:
- Security policy;
- Organization of information security;
- Asset management;
- Human resources security;
- Physical and environmental security;
- Communications and operations management;
- Access control;
- Information systems acquisition, development and maintenance;
- Information security incident management;
- Business continuity management;
- Compliance.
ISMS Registration