ISO IEC 27001 2005


ISO IEC 27001 2005 is NOW OBSOLETE. Please see ISO IEC 27001 2013.


ISO IEC 27001 is an information security management standard.
It defines a set of information security management requirements.
These requirements are listed in sections 4, 5, 6, 7, and 8.

The purpose of ISO IEC 27001 is to help organizations establish
and maintain an information security management system (ISMS).
It applies to all types of organizations. It doesn’t matter what your
organization does or what size it is. It can help your organization
meet its information security management needs and requirements.

ISO IEC 27001 is designed to be used for certification purposes. In
other words, once you’ve established an ISMS that meets both the
ISO IEC 27001 requirements and your organization’s needs, you can
ask a registrar to audit your system. If your registrar likes what it sees,
it will issue an official certificate that states that your ISMS meets the
ISO IEC 27001 requirements. According to the standard, you must
meet every requirement (specified in clauses 4, 5, 6, 7, and 8) if
you wish to claim that your ISMS complies with the standard.

However, while you must meet every requirement, the size and
complexity of information security management systems varies
quite a bit. How you meet each of the standard's requirements,
and to what extent, depends on many factors, including your

•  Size and structure

•  Needs and objectives

•  Security requirements

•  Business processes

ISO IEC 27001 also lists a set of control objectives and controls.
These are listed in Annex A (our Part 9) and come from the
ISO IEC 27002 (17799 2005) information security standard.

In addition to control objectives and controls, ISO 27002 also
provides implementation guidance and other information. These
last two items are not included in ISO 27001. As a result, you may
find it helpful to also purchase the ISO IEC 27002 (17799) standard.

While ISO IEC 27001 expects you to meet every requirement, it does
allow you to exclude selected Annex A control objectives and controls
(see our Part 9) if you can justify doing so. Briefly put, you may exclude
or ignore Annex A control objectives and controls whenever they address
risks you can live with, and whenever doing so will not impair your ability
and obligation to meet all relevant legal and security requirements.

More precisely, the standard (clause 1.2) lets you exclude selected control
objectives and controls only when all of the following hold:

•  The excluded controls address security risks that you can accept, and
you can show that accepting those risks complies with your
organization’s official risk acceptance criteria.

•  You can justify each exclusion and document the justification.

•  You can show that accountable persons have formally accepted the
associated risks.

•  You have used a risk assessment to identify your organization’s
information security requirements, and the exclusion does not impair
your ability, or your responsibility, to meet those requirements.

•  The exclusion does not impair your ability, or your responsibility,
to meet all applicable legal, regulatory, and statutory requirements.

If any one of these conditions fails, the exclusion cannot be claimed and
the control must be treated as applicable.

ISO IEC 27001 VS. BS 7799-2

ISO IEC 27001:2005 was developed by ISO/IEC JTC 1, SC 27
(Joint Technical Committee 1, Subcommittee 27). JTC 1 is
responsible for all kinds of information technology standards
while SC 27 is specifically responsible for the development
of standards related to IT security techniques.

ISO IEC 27001 2005 was officially published on October 15, 2005.
This new standard cancels and replaces the old BS 7799-2 standard
(published in 2002 by BSI). The old BS 7799-2 information security
standard is now obsolete and has been officially withdrawn.


ISO IEC 27001 uses the Plan-Do-Check-Act (PDCA) model. ISO IEC
has used this model to organize the standard and you can use it to
help you establish your information security management system
(ISMS). ISO IEC uses this model in the following way:

•  PLAN. Section 4 expects you to plan the
establishment of your organization’s ISMS.

•  DO. Section 5 expects you to implement,
operate, and maintain your ISMS.

•  CHECK. Sections 6 and 7 expect you to monitor,
measure, audit, and review your ISMS.

•  ACT. Section 8 expects you to take corrective and
preventive actions and continually improve your ISMS.

Since ISO IEC has used a PDCA model to organize the ISO IEC 27001
standard, the standard itself is a convenient framework for system
development. If you work through the five general steps (sections 4 to 8)
in order, you will follow one complete Plan-Do-Check-Act cycle. How
comprehensive the resulting ISMS is still depends on the scope you choose
and on the quality of your risk assessment; the standard supplies the
structure, not the content.


ISO IEC 27001 also uses a process approach. The process approach
is a management strategy. When managers use a process approach,
it means that they control their processes, the interaction between these
processes, and the inputs and outputs that “glue” these processes
together. It means that they manage by focusing on processes and
on inputs and outputs. ISO IEC 27001 suggests that you use a
process approach to manage and control your ISMS processes.

In general, a process uses resources to transform inputs into
outputs. In every case, inputs are turned into outputs because
some kind of work or activity is carried out. And because the
output of one process often becomes the input of another
process, the same item is an output from one point of view and
an input from another.

ISO IEC 27001 suggests that you structure every ISMS process
using the Plan-Do-Check-Act (PDCA) model. This means that
every process should be:

•  Planned (PLAN)

•  Implemented, operated, and maintained (DO)

•  Monitored, measured, audited, and reviewed (CHECK)

•  Improved (ACT)

The PDCA model runs through every aspect of the ISO IEC 27001
standard. The standard not only recommends that the PDCA model
be used to structure every ISMS process, it was also used to structure
the standard itself. And since it was used to structure the standard, you
will automatically use a PDCA approach as you use the standard to
develop your own ISMS.


Updated on April 23, 2014. First published on June 12, 2006.


Praxiom Research Group Limited        780-461-4514


Copyright © 2006 - 2014 by Praxiom Research Group Limited. All Rights Reserved.
