What is ISO/IEC 27000/27001?
ISO/IEC 27001 is an internationally recognized standard that was formulated and published by ISO (International Organization for Standardization) in cooperation with the IEC (International Electrotechnical Commission) and is constantly being further developed.
ISO/IEC 27001 deals with:
Evaluation of information security using standardized criteria
Simplified management of information security activities in an organization
Who is the ISO/IEC 27001 standard aimed at?
ISO/IEC 27001 is aimed at a wide range of organizations. In particular, the two main documents can be used for all types of organizations. Sometimes, however, publications have been issued that have a very strong industry focus. This is explained in more detail in the following questions.
How is the ISO/IEC 27001 standard structured?
The ISO/IEC 27001 standard comprises a series of documents that deal with the information security management of service organizations in a normative (demanding) or informative way. The respective documents pursue different objectives and are also addressed to different target groups. Of central importance for the entire standard is the document ISO/IEC 27001, which explains the minimum requirements for an information security management system (ISMS) (chapters 4 to 10). Appendix A explains 114 security measures - so-called controls. The second main document, ISO/IEC 27002, describes, on about 90 pages, implementation guidance for the controls mentioned in ISO/IEC 27001 and is known as the "Code of Practice".
Basic information on ISO/IEC 27001
ISO/IEC 27001 is the only standard that deals with the topic of information security.
ISO/IEC 27001 comprises a series of documents on this topic.
The central document is the ISO/IEC 27001 standard ("Specification"). It defines the controls and the minimum requirements for information security management.
ISO/IEC 27002 ("Code of Practice") contains instructions for the implementation of measures for maintaining information security.
ISO/IEC 27001 has no industry-specific focus. However, extensions with a strong industry focus have been published, e.g. ISO/IEC 27799 for organizations operating in the health care sector.
ISO/IEC 27001 regulates the uniform terminology. It defines central terms such as "value (asset)", "information security", "risk analysis", "risk acceptance" or "risk treatment".
ISO/IEC 27001 certification ensures that an organization has implemented a comprehensive and effective information security management system (ISMS) that is capable of dealing with security risks.
ISO/IEC 27001 is based on ISO/IEC 20000 (IT Service Management) and ISO 9000 (Quality Management). Among these three standards, ISO/IEC 27001 shows the strongest specialization.
The availability of information, confidentiality and integrity are the central partial aspects of information security according to ISO/IEC 27001.
An ISO/IEC 27001 certification can be of great importance in connection with similar frameworks (e.g. BSI basic protection catalogues, ITSM, COBIT).
What is an ISMS (Information Security Management System)?
A management system is the totality of all processes, resources (manpower, machines) and tools available to management. By coordinating these resources in a targeted manner, the management tasks that arise should be planned, executed and documented in a way that is as goal-, customer- and quality-oriented as possible. On the basis of these findings, the management system is to be continuously improved. The term ISMS thus encompasses all processes, procedures and measures (controls) in an organisation that serve to ensure the necessary information security. The controls are of particular importance in this context.
Proven information security according to ISO/IEC 27001
By certifying your ISMS according to ISO 27001, you demonstrate that it meets international security standards for information, data and systems. In this way you present yourself to your customers as a sustainable company whose services meet high security standards. In a time when theft, misuse and disclosure of confidential data are permanent risks, you can make a statement about information security in your organization with an ISO 27001 certification.
What is the ISMS certification according to ISO 27001?
ISO 27001 is the leading international standard for information security management systems (ISMS). It provides guidelines for all types of organizations to plan, implement, monitor and continuously improve information security. ISO 27001 is not industry-specific and can therefore be used by private, public or even non-profit organizations.
The background of an ISO 27001 certification is not only to protect your ISMS from targeted attacks, but also to prevent unplanned failures. This gives you an enormous competitive advantage over other service organizations. With ISO 27001 you can optimize your entire IT security in a systematic and structured way and adapt it to your individual requirements. The protection of operational data as well as your entire IT infrastructure is improved. If applied accordingly, the protection of personal data is also improved.
Stakeholder and risk analyses are used to determine the specific situation of your organization. This represents the central starting point for your ISMS. On this basis, a tailor-made security concept is designed for the expectations and risks identified. This process, which is carried out on a regular basis, ensures that your security concept is always up to date and meets the constantly changing requirements.
All your business processes are based on data and information. Some of this data and information is highly sensitive and must be treated as strictly confidential, while others are classified as far less confidential. The balancing act between availability and protection of this data and information is extremely important in a current and dynamic IT infrastructure. An ISMS helps to solve this problem. Risk management is used to determine the respective priority and make it visible to the user. You can derive great benefit from this:
Constant information security: An ISMS developed according to the principles of ISO 27001 is not rigid, but goes through a continuous improvement and adaptation process. It is subject to the PDCA cycle (Plan - Do - Check - Act). Internal auditors regularly analyse the current situation and thus recognise the need for adjustments at an early stage. This constant self-control and the resulting optimisation measures create security.
Minimization of risks: With the help of ISO/IEC 27001, you structure your ISMS and can thus identify and eliminate weaknesses at an early stage - even before they become a security gap.
Increase of information security: With ISO/IEC 27001 you reduce the effects of hacker attacks, data loss and misuse to a minimum. Should an incident occur, you will be able to detect the data leak in a timely manner and initiate appropriate countermeasures. This minimizes the damage and guarantees a fast recovery of your systems.
Security as part of the corporate culture: ISO/IEC 27001 considers the entire organization. All hierarchical levels and departments are involved in the protection of sensitive data. Management responsibility, employee training and internal audits are given high priority. The combination of these standard requirements anchors information security firmly in the day-to-day running of the company, allowing it to develop its full effectiveness.
Implementation of external requirements: An ISO/IEC 27001 based ISMS ensures the three central characteristics of information: integrity, confidentiality and availability. It ensures that information is available at all times when needed, but also that it is stored securely. An ISMS constructed according to the principles of ISO/IEC 27001 thus contributes to protection against operational risks. Not only your auditor requires this; internationally applicable regulations such as Basel II also place these demands on service organisations.
Trust through information security: The handling of sensitive data is often the main criterion for potential customers and partners of a service organization. Gain a competitive advantage: have your ISMS certified according to ISO/IEC 27001 and show your customers and partners that they can rely on you - now and in the future.
The experts of the BFMT also hold the title "ISO 27000 Lead Auditor". The ISO/IEC 27000 Auditor certifications are references for professionals who can audit a Service Management System (SMS). As an "ISO 27000 Lead Auditor" you are also able to lead a team of auditors.