What is ISO/IEC 27001?

by Süleyman Petek 6. July 2015 22:42

Briefly, it is an information security standard widely accepted all over the world.
ISO stands for: International Organization for Standardization, and
IEC stands for: International Electrotechnical Commission.
The standard specifies an Information Security Management System (ISMS): a top-down set of activities concerned with managing information security risks.

ISMS: An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and technology, brought together by a risk management process, and recognises that information security is not just about antivirus software, implementing the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.

ISO/IEC 27001 is derived from BS 7799 Part 2, published in 1999. BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating Deming's Plan-Do-Check-Act cyclic process concept, and was adopted by ISO/IEC as ISO/IEC 27001 in 2005. It was extensively revised in 2013, aligning it with the other ISO management system standards and dropping the PDCA concept.

As the successor of ISO/IEC 17799, it also includes the concepts "Quantifiable", "Reusable" and "Scalable". The framework ensures that the security arrangements are kept in line with changes to security threats, vulnerabilities and business impacts. In such a dynamic field, a key advantage of ISO/IEC 27001 is that it is flexible and takes a risk-driven approach, as compared to PCI-DSS.

Quantifiable: Third parties can measure the metrics, and the standard is suitable for assessing the assets and measuring the risks.

Reusable: Whichever part you want can be repeated. Gaining the support of the executives and educating the workers results in minimized risks.

Scalable: The standard can be applied to a pilot department first, and the scope extended afterwards. Extra audits can be plugged in or out as needed.

The structure of the standard is as follows:

  1. Introduction
  2. Scope
  3. Normative references
  4. Terms and definitions 
  5. Context of the organization
  6. Leadership
  7. Planning
  8. Support
  9. Operation
  10. Performance evaluation
  11. Improvement

Accredited certification to ISO/IEC 27001 demonstrates that an organisation is following international information security best practices. Its benefits include:

  • Supports compliance with relevant laws and regulations
  • Reduces likelihood of facing fines
  • Protects your reputation
  • Provides reassurance to clients that their information is secure
  • Cost savings through reduction in incidents
  • Demonstrates credibility and trust
  • Improves your ability to recover your operations and continue business as usual
  • Confidence in your information security arrangements
  • Improved internal organization
  • Better visibility of risks amongst interested stakeholders 
  • Meet customer and tender requirements
  • Reduce third party investigation of your information security requirements
  • Get a competitive advantage
  • Improved information security awareness
  • Shows commitment to information security at all levels throughout your organization
  • Reduces staff-related security breaches

For certification, you engage an authorized partner, who will assist you. In general there are 3 steps:

  1. Gap analysis, where they look at your existing information security management system and compare it with the ISO/IEC 27001 requirements.
  2. Formal assessment, reviewing your organization's preparedness for assessment by checking whether the necessary ISO/IEC 27001 procedures and controls have been developed.
  3. Certification: if you have passed the formal assessment you receive an ISO/IEC 27001 certificate, which is valid for 3 years.
