
ISO/IEC 27000 Series of International Standard for Information Security Management Systems

5th Oct 2016

ISO/IEC 27000 is the overview and vocabulary standard of the ISO/IEC 27000 series. It gives a comprehensive overview of the family of Information Security Management System (ISMS) standards, explains how the individual standards relate to one another, and defines the fundamental terms used throughout the family, so that every member of the series draws on a single, consistent vocabulary.

Unfamiliarity with the fundamental terms and concepts of information security management is a common hurdle for users, made worse by the constant influx of new and increasingly specialised terminology. The resulting confusion, and the errors it causes when building effective information security management systems, are the principal issues this standard addresses.

Documents built on the earlier ISO/IEC 27000 standards were sometimes found to use terms without explaining them, or without defining their purpose adequately. That is unacceptable where formal assessment and potential certification are concerned: the auditor and the organisation must mean the same thing by the same word, so discrepancies in terminology have to be eliminated. Some earlier assessments lost credibility precisely because terms had been used in a confusing or inconsistent way. Other families of standards, such as ISO 9000 and ISO 14000, solved the same problem by placing fundamentals and vocabulary in the base '000' standard, and ISO/IEC 27000 follows that pattern.

The overview and vocabulary in ISO/IEC 27000 therefore form the foundation on which the rest of the ISMS family of International Standards (the ISO/IEC 27000 series) is built.

Information security is not the same thing as computer security, and it has a long history that developed largely through trial and error. Computer security is concerned with protecting a computer system itself and controlling who can operate it. Information security protects the information, wherever it resides, by preserving its confidentiality, integrity and availability: the goal is to ensure that data cannot be stolen (copied to an external device, printed out, and so on), altered, or made unavailable. The two disciplines differ in their mechanisms and emphasis, but they work together, and both contribute to protecting the CIA triad. The triad is the basic model of information security and underpins the security programmes of large operational agencies, companies, government bodies, financial organisations, businesses and the military.

Protecting security, privacy and confidentiality is a critical concern for individuals and organisations alike. It can fairly be said that an organisation's success depends on its ability to protect its secrets while still ensuring that its members are granted appropriate access to the confidential data and other information assets they need, which is exactly what a capable Information Security Management System provides. The need to keep critical information secure, confidential and private leads naturally to the adoption of a security standard for an effective ISMS, such as the International Standard ISO/IEC 27001.

ISO/IEC 27001 is unique within the family in that it is the standard against which an organisation's ISMS can be formally audited and certified. It specifies the requirements for an ISMS and provides the framework that sets it in motion; a successful certification audit demonstrates that the organisation, group, business or agency operates an ISMS that meets those requirements.

Another notable benefit of adhering to ISO/IEC 27001 is that it directs the design of the system and the selection of sufficient, effective and well-balanced security controls. The standard requires the organisation to establish, implement, operate, monitor, review, maintain and improve its ISMS, and to observe applicable laws and regulations at all times.

ISO/IEC 27001 is written so that it can be applied by large or small organisations wherever they are located. It is well suited to settings where information security is critical, such as finance, IT and office environments, and to IT outsourcing companies, where certification supports commitments about non-disclosure and puts potential customers at ease. An organisation holding ISO/IEC 27001 certification is, in effect:

  • Providing independently assessed assurance to its clients
  • Demonstrating that applicable laws and regulations are being upheld
  • Showing a competitive edge
  • Supporting the monitoring of performance and the continual improvement of its ISMS

ISO/IEC 27002 (previously ISO/IEC 17799, revised in 2005 and renumbered in 2007 to bring it into line with the rest of the series) is the International Standard code of practice for information security management. It is intended for those responsible for initiating, implementing or maintaining an ISMS, and sets out best-practice controls for managing information security. The standard is built around the confidentiality, integrity and availability triad (the C-I-A triad). Preserving confidentiality means ensuring that information is accessible only to those authorised to have access. Upholding integrity means safeguarding the accuracy and completeness of information and of the methods used to process it. Ensuring availability means that authorised users have access to information and the associated assets whenever they require it.

The outline of the 2005 edition contains 12 main sections:

  1. Risk assessment and treatment
  2. Security policy
  3. Organization of information security
  4. Asset management
  5. Human resources security
  6. Physical and environmental security
  7. Communications and operations management
  8. Access control
  9. Information systems acquisition, development and maintenance
  10. Information security incident management
  11. Business continuity management
  12. Compliance (with applicable laws and regulations, and with the organisation's own security policies and standards)

________________

Want to know more about the ISO/IEC 27002 standard and want to prepare for a formal certification exam? Register for the ISO/IEC 27002 Foundation Class.