Maintaining an Information Security Management System: ISO 27001 standard

ISO stands for International Organization for Standardization. It was founded in 1947 and has since been a source of standards for businesses and organizations across 163 countries. ISO often collaborates with the IEC (International Electrotechnical Commission) at the international level. ISO produces documents that include specifications, guidelines and standards. Companies can apply these documents consistently to ensure that materials, products and processes are fit for their intended purpose. These provisions are also recognized by ISO members in all participating countries, which is what makes standardization possible. An ISO certification allows companies to demonstrate that their products, services and systems meet the stated requirements. ISO standards promote innovation and raise safety, quality and reliability worldwide.

What is ISO 27001?
ISO 27001 describes what an organization must do to create a model for setting up, operating, monitoring and evaluating an Information Security Management System (ISMS). An ISMS is a set of procedures and strategies that covers all legal, physical and technical controls. ISO 27001 provides a list of controls that should all be considered in the code of practice. The standard consists of a comprehensive set of information security control objectives together with a set of generally accepted good-practice security controls. There are 12 sections to ISO 27001:
Introduction: This section explains what information security is and how an organization should manage risk.
Scope: This section describes the high-level conditions that an ISMS must meet in order to be applicable to organizations of all types and sizes.
Normative References: This section explains the relationship between the ISO 27000 standard and the ISO 27001 standard.
Terms and Definitions: This section covers the terminology used in the standard.
Context of the Organization: This section explains who should be involved in the creation and maintenance of the ISMS.
Leadership: This section describes how leaders in an organization should adhere to ISMS policies.
Planning: This section describes how risk management should be planned across the whole organization.
Support: This section describes how to raise awareness of information security responsibilities.
Operation: This section describes how to manage risks and how documentation should be handled to meet audit requirements.
Performance Evaluation: This section provides guidelines for controlling and measuring the performance of the ISMS.
Improvement: This section explains how the ISMS should be continuously updated and improved.
Reference Control Objectives and Controls: This annex provides an analysis of each element of an audit.
ISO 27000 family
Since 2005, the ISO 27000 family has been published progressively. ISO 27001:2013 is the only standard in the ISO 27000 family against which an organization can be certified; the other standards are guidelines.
ISO 27000: This information security standard defines the fundamental concepts and vocabulary for working with Information Security Management Systems.
ISO 27001: This information security standard sets out the requirements for an Information Security Management System (ISMS).
ISO 27002 (previously ISO 17799): A guide to best practices in information security management. This standard outlines the objectives and makes recommendations for information security management. It anticipates and addresses common concerns that organizations may have regarding information security.
ISO 27003: A guide to setting up and implementing an ISMS.
ISO 27004: A guide to metrics that support ISMS management. It provides a way to identify objectives and effectiveness criteria for follow-up and for measuring progress throughout the process.
ISO 27005: An information security risk management guide that is consistent with the concepts and models of the family.