ISO IEC 27001
IN PLAIN ENGLISH

INTRODUCTION

ISO IEC 27001 2005 is an Information Security Management Standard

ISO and IEC

ISO is the International Organization for Standardization. It was set up in 1947 and is located in Geneva, Switzerland. Its purpose is to develop standards that support and facilitate international trade. IEC is the International Electrotechnical Commission. It was set up in 1906 and is also located in Geneva, Switzerland. Its purpose is to develop standards for all types of electrotechnologies. Both ISO and IEC are supported by national member bodies. These member bodies participate in the standards development process through technical committees.

ISO IEC 27001 vs. BS 7799-2

ISO IEC 27001:2005 was developed by ISO/IEC JTC 1, SC 27 (Joint Technical Committee 1, Subcommittee 27). JTC 1 is responsible for all kinds of information technology standards while SC 27 is specifically responsible for the development of standards related to IT security techniques.

ISO IEC 27001 2005 was officially published on October 15, 2005. This new ISO 27001 2005 standard cancels and replaces the old BS 7799-2 standard (published in 2002 by BSI). The old BS 7799-2 information security standard is now obsolete and has been officially withdrawn.

Introduction to ISO IEC 27001

ISO IEC 27001 is an information security management standard. It defines a set of information security management requirements. These requirements are defined in sections 4, 5, 6, 7, and 8.

The purpose of ISO IEC 27001 is to help organizations establish and maintain an information security management system (ISMS). ISO IEC 27001 applies to all types of organizations. It doesn’t matter what your organization does or what size it is. ISO IEC 27001 can help your organization meet its information security management needs and requirements.

ISO IEC 27001 is designed to be used for certification purposes. In other words, once you’ve established an ISMS that meets both the ISO IEC 27001 requirements and your organization’s needs, you can ask a registrar to audit your system. If your registrar likes what it sees, it will issue an official certificate that states that your ISMS meets the ISO IEC 27001 requirements. According to ISO IEC 27001, you must meet every requirement (specified in clauses 4, 5, 6, 7, and 8) if you wish to claim that your ISMS complies with the standard.

However, while you must meet every requirement, the size and complexity of information security management systems vary quite a bit. How you meet each of the ISO 27001 requirements, and to what extent, depends on many factors, including your organization’s:

  • Size and structure
  • Needs and objectives
  • Security requirements
  • Business processes

ISO IEC 27001 also lists a set of control objectives and controls. These are listed in Annex A (our Part 9) and come from the ISO IEC 27002 (17799 2005) information security standard.

In addition to control objectives and controls, ISO 27002 also provides implementation guidance and other information. These last two items are not included in ISO 27001. As a result, you may find it helpful to also purchase the ISO IEC 27002 (17799) standard.

While ISO IEC 27001 expects you to meet every requirement, it does allow you to exclude selected Annex A control objectives and controls (see our Part 9) if you can justify doing so. Briefly put, you may exclude or ignore Annex A control objectives and controls whenever they address risks you can live with, and whenever doing so will not impair your ability and obligation to meet all relevant legal and security requirements.

More precisely, you may ignore or exclude selected control objectives and controls under the following circumstances:

  • You may exclude selected control objectives and controls if they address security risks that you can accept and if you can show that your decision to accept these risks complies with your organization’s official risk acceptance criteria.

    • You must also be able to justify your exclusion decision.

    • You must also be able to show that accountable persons have accepted the associated risks.

  • You may exclude selected control objectives and controls if you have used a risk assessment to identify your organization’s information security requirements and you believe that these requirements will, nevertheless, be met.

    • You may exclude selected control objectives and controls whenever this does not impair your ability and responsibility to meet your organization’s information security requirements.

  • You may exclude selected control objectives and controls if you can show that all applicable legal and regulatory requirements will, nevertheless, be met.

    • You may exclude selected control objectives and controls whenever this does not impair your ability and responsibility to meet all applicable legal and statutory requirements.

The PDCA Model

ISO IEC 27001 uses the Plan-Do-Check-Act (PDCA) model. ISO IEC has used this model to organize the standard and you can use it to help you establish your information security management system (ISMS). ISO IEC uses this model in the following way:

  • PLAN. Section 4 expects you to plan the establishment of your organization’s ISMS.

  • DO. Section 5 expects you to implement, operate, and maintain your ISMS.

  • CHECK. Sections 6 and 7 expect you to monitor, measure, audit, and review your ISMS.

  • ACT. Section 8 expects you to take corrective and preventive actions and continually improve your ISMS.

Since ISO IEC has used a PDCA model to organize the ISO IEC 27001 standard, it is conveniently designed to facilitate system development. If you follow the five general steps (sections 4 to 8) that make up the standard, you’ll automatically develop a comprehensive ISMS.

Your General Approach

The following material presents a brief information security management system development plan. It summarizes the general approach you will take to develop your own unique ISMS. It uses a PDCA approach and is taken directly from our plain English version of the standard. If you use our plain English standard to develop your organization’s ISMS, you will automatically take the following steps:

  1. Define the scope and boundaries of your ISMS.

  2. Define your organization’s ISMS policy.

  3. Define your approach to risk management.

  4. Identify your organization’s security risks.

  5. Analyze and evaluate your security risks.

  6. Identify and evaluate your risk treatment options.

  7. Select control objectives and controls to treat risks.

  8. Prepare a detailed Statement of Applicability.

  9. Develop a risk treatment plan to manage your risks.

  10. Implement your organization’s risk treatment plan.

  11. Implement your organization’s security controls.

  12. Implement your organization’s educational programs.

  13. Manage and operate your organization’s ISMS.

  14. Implement your organization’s security procedures.

  15. Use procedures and controls to monitor your ISMS.

  16. Use procedures and controls to review your ISMS.

  17. Perform regular reviews of your organization’s ISMS.

  18. Verify that your security requirements are being met.

  19. Review your risk assessments on a regular basis.

  20. Review your residual risks on a regular basis.

  21. Review acceptable levels of risk on a regular basis.

  22. Perform regular internal audits of your ISMS.

  23. Perform regular management reviews of your ISMS.

  24. Update your organization’s information security plans.

  25. Implement ISMS improvements.

  26. Take appropriate corrective actions.

  27. Take appropriate preventive actions.

  28. Communicate ISMS changes to interested parties.

  29. Establish records that document your decisions.

  30. Document your organization’s ISMS.

  31. Protect and control your ISMS documents.

  32. Establish records for your organization’s ISMS.

  33. Maintain records for your organization’s ISMS.

To see a detailed version of the above ISMS development plan, please see our plain English ISO IEC 27001 2005 standard (Parts 4 to 8).

Of course, you may already have an existing ISMS. If this is true, you don’t need to follow a detailed ISMS development plan. You would probably find it easier and more efficient to use a gap analysis approach, instead.

A gap analysis would compare your existing ISMS with the ISO IEC 27001 requirements. Such a comparison would pinpoint the areas that fall short of the standard (the gaps). By focusing on filling your unique information security gaps, you will soon comply with the ISO IEC 27001 standard.

If you already have an existing ISMS, a gap analysis is more targeted and efficient because it ignores the areas that already comply with the standard and concentrates effort on those that do not.

The Process Approach

ISO IEC 27001 also uses a process approach. The process approach is a management strategy. When managers use a process approach, it means that they control their processes, the interaction between these processes, and the inputs and outputs that “glue” these processes together. It means that they manage by focusing on processes and on inputs and outputs. ISO IEC 27001 suggests that you use a process approach to manage and control your ISMS processes.

In general, a process uses resources to transform inputs into outputs. In every case, inputs are turned into outputs because some kind of work or activity is carried out. And because the output of one process often becomes the input of another process, inputs and outputs are really the same thing.

ISO IEC 27001 suggests that you structure every ISMS process using the Plan-Do-Check-Act (PDCA) model. This means that every process should be:

  • Planned (PLAN)

  • Implemented, operated, and maintained (DO)

  • Monitored, measured, audited, and reviewed (CHECK)

  • Improved (ACT)

The PDCA model runs through every aspect of the ISO IEC 27001 standard. The standard not only recommends that the PDCA model be used to structure every ISMS process, it was also used to structure the standard itself. And since it was used to structure the standard, you will automatically use a PDCA approach as you use the standard to develop your own ISMS.



Copyright © 2005 - 2008 by Praxiom Research Group Limited. All Rights Reserved.

This web page was updated on May 2, 2008.
