Iso 27001 10_apr_2006


Computer Security: ISO 27001


1. ISO 27001
By: Khawar Nehal, Applied Technology Research Center, 9 April
[email protected]
http://atrc.net.pk

2. BS 7799 and ISO 17799
The BS 7799 / ISO 17799 standard was developed to create a common information security structure and thus cover technical, administrative and legal aspects alike.

3. BS 7799 and ISO 17799
BS 7799 was originally a code of practice issued by the UK Government (DTI).

4. BS 7799 and ISO 17799
When initially published as an ISO standard, BS 7799 became ISO 17799, because a standard called ISO 7799 already existed.

5. BS 7799 and ISO 17799
Through ten check points, this standard lists the optimal practices companies must implement to manage computer security effectively.

6. BS 7799 and ISO 17799
Implementation of the principles laid out in BS 7799 / ISO 17799 makes it possible to detect, analyze and reduce information risks.

7. ISO 27001 and ISO 24743
ISO 27001 was originally to be ISO 24743, until a change of direction.

8. The ISO 17799 Series
ISO 17799 was created as an international standard for information security and is widely regarded as the most complete security guideline in existence. Companies that adhere to this standard can apply for a BS 7799 certification.

9. Components of Security

10. Security Policy

11. Organizational Security

12. Asset Classification and Control

13. Access Control

14. Compliance

15. Personnel Security

16. Physical and Environmental Security

17. System Development and Maintenance

18. Communication and Operations Management

19. Business Continuity Management

20. ISO 27001
ISO 27001, titled "Information Security Management - Specification With Guidance for Use", is the replacement for BS 7799-2. It is intended to provide the foundation for third party audit, and is harmonized with other management standards, such as ISO 9001 and ISO 14001.

21. ISO 27001
The basic objective of the standard is to help establish and maintain an effective information management system, using a continual improvement approach.

22. ISO 27001
It implements OECD (Organization for Economic Cooperation and Development) principles, governing security of information and network systems.
23. The Contents of the Standard
The broad content is of course similar to the old BS 7799. Included is:
Cross reference with ISO 17799 controls
Use of PDCA
Information Management System
Terms and definitions

24. ISO 27001 Certification
As with BS 7799-2, a robust audit and certification scheme supports the standard. For those already certified against BS 7799, accredited certification bodies will establish transitional arrangements.

25. ISO 27001 Certification
It essentially describes how to apply the controls defined within ISO 17799, and of course how to build and maintain an IS Management System.

26. The ISO 27000 Series
The final version of ISO 27001 was published in October 2005 to great fanfare. A final draft version was published some months prior to this. It should be noted, however, that this is in fact only the first of a series of standards to support information security.

27. The ISO 27000 Series
Having stated this, it may well be the most important, at least from a top down perspective, as it defines the information security management system.

28. The ISO 27000 Series
ISO 27001 replaced the original standard, BS 7799-2. The latter was a long established information security standard. Strictly speaking, this is a specification for an ISMS (IS Management System). It contains the following chapters:

29. The ISO 27000 Series
It contains the following chapters:
0) Introduction
1) Scope
2) Normative References
3) Terms and Definitions
4) Information Security Management System
5) Management Responsibility
6) Management review of the ISMS
7) ISMS improvement

30. The ISO 27000 Series
The standard also defines a 6 stage process and describes the PDCA approach. There is also a mapping on to the 17799 security code of practice.

32. PDCA

33. ISO 27001 Certification Explained