The ISO/IEC 27001 standard was published in October 2005, essentially as a replacement for the old BS7799-2 standard. ISO 27001 is the specification for an ISMS, an Information Security Management System. The BS7799 standard was a long-standing standard, first published in the nineties as a code of practice.

ISO/IEC 27002
- The ISO/IEC 27002 standard is a renaming of the ISO/IEC 17799 standard, and is a code of practice for information security. It outlines over a hundred potential controls and control mechanisms, which may be implemented subject to the guidance provided within ISO/IEC 27001.
- Organizations may be certified compliant with ISO/IEC 27001 by a number of accredited certification bodies worldwide. Certification against any of the recognized national variants of ISO/IEC 27001 (e.g. the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself. Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors.
- Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO/IEC 27001 involves three steps of implementation:
- Once all the requirements of ISO/IEC 27001 have been met, you can apply for an external audit. This should be carried out by a third party, an accredited certification body. In the UK, the body should be accredited by UKAS (look for the 'crown and tick' logo).
- Obtaining a certificate from a third party certification body demonstrates that you have addressed, implemented and controlled the security of your information. But the benefits don’t stop there.