ISO/IEC 27001
Government, industry, citizens and society rely on a number of critical information infrastructures (e.g. energy, water supply, transport, the financial sector, telecommunications, and health-care services). Avoiding disruption to the operation of these infrastructures is critical, and information security is a further aspect to consider.
Information is a fundamental asset of any business and may range from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees. Events affecting the integrity, confidentiality and availability of information may affect a company’s ability to continue doing business, impacting both finances and credibility. According to the 2006 CSI/FBI Computer Crime and Security Survey, respondents’ estimates of the losses caused by various types of computer security incident reached a total of $52,494,290 in 2006 (313 respondents were willing and able to estimate losses).
Information security is defined as the preservation of confidentiality, integrity and availability of information. ISO/IEC 27001:2005 is an International Standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization’s overall business risks. It also provides a framework for implementing some of the principles given in the OECD (Organisation for Economic Co-operation and Development) Guidelines for the Security of Information Systems and Networks, using the PDCA (Plan-Do-Check-Act) model and a process approach.
ISO/IEC 27001 is based on BS 7799 and has been aligned with other international standards for management systems like ISO 9001:2000 for quality management systems and ISO 14001:2004 for environmental management systems. Some of the requirements common to all these standards are:
- Establishment of policies and objectives
- Monitoring, review and improvement activities
- Training, awareness and competence
- Internal audits and management reviews
Additionally, this standard requires the definition of a risk assessment approach; the identification, analysis and evaluation of risks; the identification and evaluation of options for the treatment of risks; and the selection of control objectives and controls for the treatment of the identified risks. Annex A of ISO/IEC 27001 provides a list of control objectives and controls directly derived from and aligned with those listed in ISO/IEC 17799:2005 Clauses 5 to 15; implementation advice and guidance on best practice in support of those controls may be found in ISO/IEC 17799:2005.
ABS Quality Evaluations, Inc. has a team of highly qualified management system auditors ready to conduct assessments of information security management systems against the requirements of ISO/IEC 27001:2005.