ISO 27001: Risk management and compliance

  • Joel Brenner

Almost all of us have heard in some way of either ISO 9000 or ISO 14000 certification. These standards have become commonplace in today's business world as accepted benchmarks for quality control and environmental friendliness. In the manufacturing and service sectors, these standards are almost expected and are taken as a sign that a company bearing these marks has been checked out and proven to follow an accepted code of best practices. What many of us do not know is that there is another set of ISO standards that are beginning to play a more significant role in the risk management arena. These standards are, respectively, the code of practice for information security management (ISO 17799) and the requirements for information security management systems (ISO 27001). It has been accepted that there are very close ties between information security and risk management, and these standards contribute to this relationship.

What Is the Difference?

Both the ISO 17799 and 27001 standards were derived from multiple iterations of the originating British Standards Institute standard number BS7799. Originally this standard consisted of two parts. Part one was first adopted as ISO 17799. Part two was later adopted in 2005 as ISO 27001. The ISO 17799 standard will be renumbered under the ISO 27000 series of standards as ISO 27002 sometime in 2007 or 2008.

ISO 17799 is a code of practice. In essence, it is a set of guidelines that an organization may use in developing an information security management system. These guidelines have been developed over many years and have gone through many revisions. They are internationally accepted as one of the industry's de facto best-practice baselines. There is no certification for ISO 17799, as it is a set of guidelines that can be used to help ensure compliance with, and successful implementation of, the ISO 27001 specifications.

ISO 27001 is the set of requirements for developing an information security management system. This is the standard that an organization will need to adhere to in order to receive ISO 27001 certification. It has several key components that are required in order to achieve compliance. Of particular interest for this discussion are the requirement for a security policy and the requirement for a documented procedure for the assessment and treatment of risk.

Regulatory Compliance and Risk Management

Regardless of which regulatory standard you are dealing with, ISO 27001 gives a baseline paradigm. Compliance with or certification in ISO 27001 will give you strong IT-related controls that will also help satisfy the requirements of many regulatory standards. The depth to which ISO 27001 can help you in achieving compliance with other regulatory standards depends on which controls you select and how you implement them. One of the strongest values ISO 27001 brings is its agnostic approach.
