What is ISO 27001 ?
ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.
It is a specification for an information security management system (ISMS). Organizations which meet the standard may be certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.
ISO 27001 Structure
ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:
1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system’s performance
10. Corrective action
Annex A: List of controls and their objectives.
In effect (without actually using the term “metrics”), the 2013 edition of the standard requires the use of metrics on the performance and effectiveness of the organization’s ISMS and information security controls. Section 9, “Performance evaluation”, requires the organization to determine and implement suitable security metrics but gives only high level requirements.
When the revised version is released, ISO/IEC 27004 will offer advice on what and how to measure in order to satisfy the requirement.
Certified compliance with ISO/IEC 27001 by an accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are (quite rightly!) concerned about the security of their information, and about information security throughout the supply chain or network.