ISO 27001:2005 Information Security

There are two parts to this standard and they are summarised as:
- BS ISO/IEC 17799:2000 Code of practice for information security management.
- BS 7799-2:2002 Specification for information security management systems.

Part 1
An introduction to the practice of Information Security; it describes the
key controls necessary to ensure an effective security implementation.

Part 2
Specifies the requirements for establishing, implementing and documenting an
information security management system (ISMS) and forms the basis for an
assessment of the ISMS. The standard requires a Risk Assessment and the
identification of appropriate controls. A set of detailed controls is then
described that can be used to achieve the required level of control. The
required control areas are:
- Security Policy
- Security organisation
- Assets classification & control
- Personnel security
- Physical & Environmental security
- Communications & Operations management
- Systems access control
- System development & maintenance
- Business continuity management
- Compliance