ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS) in an organization. It belongs to the ISO/IEC 27000 family of standards, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It superseded the British standard BS 7799-2 and became the international standard for information security management systems.
ISO 27001 is the main standard of the ISO 27000 family and provides a comprehensive approach to information security in the organization. Its scope covers information in every form and the assets that hold it: paper documents, information and communication technology, and the knowledge held by staff. It also covers the competence and awareness of staff as well as technical controls against computer fraud.
Protection of information under ISO 27001 is based on the three principles of information security (often called the CIA triad):
- Confidentiality: information is accessible only to those who are authorized to access it
- Integrity: information is accurate and complete, and cannot be altered without authorization
- Availability: authorized users have access to information when they need it
ISO 27001 is aligned with other management-system standards such as ISO 9001 (quality management), so the systems can be integrated. It requires continual improvement of the entire information security management system; the 2005 edition framed this as the Plan-Do-Check-Act (PDCA) cycle.
Use of ISO 27001 in practice: ISO 27001 is intended for organizations in the private and public sector, regardless of their size or location. It specifies the requirements for an information security management system and is the standard against which an organization is certified: an accredited, independent certification body assesses whether the organization has established and maintains a comprehensive ISMS.
Certification is the most common reason organizations adopt ISO 27001.
The first edition was published as ISO/IEC 27001:2005; it has since been revised as ISO/IEC 27001:2013 and ISO/IEC 27001:2022.