ISO 27001 was published by the International Organization for Standardization (ISO) on 15 October 2005. Essentially, ISO/IEC 27001 defines an Information Security Management System (ISMS) and complements the ISO/IEC 17799 'code of practice' standard, itself first published as BS 7799-1. The two standards are closely aligned and related, but perform distinctive roles.
ISO/IEC 27001 is a standard setting out the requirements for an information security management system (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties including an organization's customers. It is suitable for several different types of organizational use, including the following:
- Formulation of security requirements and objectives;
- To ensure that security risks are cost effectively managed;
- To ensure compliance with laws and regulations;
- As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- Identification and clarification of existing information security management processes;
- To be used by management to determine the status of information security management activities;
- To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
- To provide relevant information about information security policies, directives, standards and procedures to trading partners;
- To provide relevant information about information security to customers.
