A new International Security Standard, ISO 27001, 
titled "Information Security Management - Specification With Guidance for Use", 
has been launched to replace BS7799-2. 
 
It is intended to provide the foundation for third-party 
audit, and is 'harmonized' with other management standards, such as ISO 
9001 and ISO 14001. The final version of ISO 27001 was published in 
October 2005 and is only the first of a series of standards to support 
information security. It is however the most important, from a 'top down' 
perspective, as it defines the information security management system. ISO 27002 
and ISO 27004 are expected to be produced in the next few years. However, BS 
7799 will cease to be used as a name with the introduction of ISO 27001.
 
 
  It contains the following chapters:
  
    0) Introduction 
    1) Scope
    2) Normative References
    3) Terms and Definitions
    4) Information Security Management System
    5) Management Responsibility
    6) Management review of the ISMS
    7) ISMS improvement
 
  
  The standard also defines a six-stage process and describes the PDCA 
  approach. There is also a mapping on to the ISO 17799 security code of practice.
  The six-stage process described by ISO 27001 consists of the following:
  
    1) Define an information security policy 
    2) Define the scope of the information security management system
    3) Perform a security risk assessment 
    4) Manage the identified risk 
    5) Select controls to be implemented and applied
    6) Prepare an SoA (a "statement of applicability") 
  
   
  PDCA (Plan-Do-Check-Act) is a formal approach suggested by ISO 27001.
  
  BS7799 was the original code of security practice issued by the UK 
  Government. When initially published as an ISO standard, BS7799 was called 
  ISO17799.
 
  Techno Legal Cyber Security specialists need to watch developments in 
  ISO 27001 as part of their professional requirements.