This is a series of recommendations as to how to address concerns about data security – what to do to control the related risks and how to determine improvements while providing appropriate flexible criteria checklists against which to assess the right actions.
The processes are carried out within an Information Security Management System (ISMS) which is a series of procedures, clauses and controls to address all data security issues in any organisation.
It is voluntary – not a legal requirement (yet)
It is flexible – not all of it has to be used and not all of it will apply
It is comprehensive, as it is a general approach rather than being specific to particular situations
It provides an approach that does not just find the problems, but shows how to solve them
It relates to all aspects of data security – not just IT but paperwork, physical security, etc.
It allows organisations to choose the level of risk they are happy with in each situation
The 27001 standard is made up as follows:
3 sections relating to generic requirements (Scope, References and Definitions)
Section 4 goes into “interested parties”, i.e. it identifies who is affected by the standard
Section 5 details a requirement for top management to commit to the ISMS (vital)
Section 6 goes through the steps to identify, analyse, plan and treat risk
Section 7 relates to competency training and documentation requirements
Section 8 goes into how to assess and treat risk and manage the change process involved
Section 9 details the need to monitor, measure and audit the controls and procedures
Section 10 addresses how to react to the findings from such reviews and the steps required to achieve continual improvement
Then there is Annex A which lists the controls and their objectives:
114 controls, in 14 clauses, sub-grouped into 35 control categories
The 27001 standard was set up based on work carried out by the UK Department of Trade & Industry (DTI, as it was then) in 1995. This was ultimately adopted by the ISO (International Organisation for Standardisation) – hence it is often referred to as ISO 27001. ISO is an independent body which runs a system of controls that regulate Certifiers, who act as third-party assessors for the 27001 standard (and others). Any organisation wanting to be assessed can apply for a Certifier to assess them. This too is voluntary – the use of the procedures and controls in the standard is sufficient to cover data security – but many like to have the third-party oversight to prove to others that they are taking things seriously.