Information security management systems (ISO 27001) — Requirements

Information technology — Security techniques — Information security management systems (ISO 27001) — Requirements

1    Scope

1.1 General

This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

NOTE 1: References to ‘business’ in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization’s existence.

NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.

1.2 Application

The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.

2    Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information security management

3    Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 asset

anything that has value to the organization

[ISO/IEC 13335-1:2004]

3.2 availability

the property of being accessible and usable upon demand by an authorized entity

[ISO/IEC 13335-1:2004]

3.3 confidentiality

the property that information is not made available or disclosed to unauthorized individuals, entities, or processes

[ISO/IEC 13335-1:2004]

3.4 information security

preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

[ISO/IEC 17799:2005]

3.5 information security event

an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant

[ISO/IEC TR 18044:2004]

3.6 information security incident

a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

[ISO/IEC TR 18044:2004]

3.7 information security management system

that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

3.8 integrity

the property of safeguarding the accuracy and completeness of assets

[ISO/IEC 13335-1:2004]

3.9 residual risk

the risk remaining after risk treatment

[ISO/IEC Guide 73:2002]

3.10 risk acceptance

decision to accept a risk

[ISO/IEC Guide 73:2002]

3.11 risk analysis

systematic use of information to identify sources and to estimate the risk

[ISO/IEC Guide 73:2002]

3.12 risk assessment

overall process of risk analysis and risk evaluation

[ISO/IEC Guide 73:2002]

3.13 risk evaluation

process of comparing the estimated risk against given risk criteria to determine the significance of the risk

[ISO/IEC Guide 73:2002]

3.14 risk management

coordinated activities to direct and control an organization with regard to risk

[ISO/IEC Guide 73:2002]

3.15 risk treatment

process of selection and implementation of measures to modify risk

[ISO/IEC Guide 73:2002]

NOTE: In this International Standard the term ‘control’ is used as a synonym for ‘measure’.

3.16 statement of applicability

documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.

NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk treatment processes, legal or regulatory requirements, contractual obligations and the organization’s business requirements for information security.

Continued on the next page.
