ISO 27001 Overview


The connection of IT systems over the internet brings with it significant risks – from viruses to sabotage and industrial espionage. Data security is therefore becoming an increasingly critical competitive factor. ISO 27001:2005 certification demonstrates that you have your Information Security Management System (ISMS) under control.

Information is an asset. ISO 27001:2005 states “An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.” Information must be protected throughout its entire lifecycle: Creation → Storage → Processing → Distribution.

ISO 27001 is a management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. As defined by the standard, Information Security is the “preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.” These terms can be further defined as:

  • Confidentiality:  Ensuring that information is accessible only to those authorized to have access.
  • Integrity:  Safeguarding the accuracy and completeness of information and processing methods.
  • Availability:  Ensuring that authorized users have access to information and associated assets when required.

The ISO 27001 standard includes:

Management system requirements:

  • Establishment and implementation
    • Risk identification and assessment
    • Selection of controls
    • Establish and approve a Statement of Applicability
    • Planned implementation and review
    • Documentation and records
  • Management responsibility
    • Commitment, resources and training
  • Internal ISMS audits
  • Management review of the ISMS
  • Continuous improvement

ANNEX A Control Areas:

  • Security policy
  • Internal organization
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

The ISO 27001 standard follows the “Plan-Do-Check-Act” approach as shown below:

PLAN – Establish the ISMS

  • Define the scope of the ISMS (organization, business, processes, …)
  • Define and document an ISMS policy and an Information Security Policy
  • Define and document an appropriate method for risk assessments
  • Conduct a risk assessment
    • Identify the organization’s assets and their value (impact)
    • Identify vulnerabilities of the assets and identify relevant threats (probability)
    • Identify and quantify the risk, based on the probability that the threat can exploit the vulnerability and the resulting impact
    • Define appropriate measures to address the risks
  • Select relevant controls (from Annex A) and document all selected controls
  • Document a Statement of Applicability

DO – Implement and operate the ISMS

  • Identify the gaps
  • Draw up an implementation plan
  • Define a measurement per control or per group of controls
  • Execute the plan

CHECK – Monitor and review the ISMS

  • Verify the implementation through
    • Internal audits
    • Measurements of the effectiveness of the controls
    • A management review

ACT – Maintain and improve the ISMS

  • Take appropriate corrective and preventive measures

For any additional questions please contact a DEKRA representative for more information or help in determining if outside resources are required.