ISO/IEC 27001:2005

The international standard ISO/IEC 27001 "Information technology - Security techniques - Information security management systems - Requirements" specifies the requirements for establishing, implementing, operating, monitoring, maintaining and improving a documented information security management system (ISMS), taking into account the IT risks within the organization. It applies to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). The standard has also been published as a DIN standard and is part of the ISO/IEC 2700x family.

The standard specifies requirements for the implementation of appropriate security mechanisms, which are to be adapted to the circumstances of the individual organization. The German contribution to this international standardization project is overseen by the DIN committee NIA 01-27 "IT security procedures".

ISO/IEC 27001:2005 is intended to ensure the selection of appropriate security mechanisms to protect all assets in the value chain (see the scope of ISO/IEC 27001: "... organization's overall business risk").

Historical development

ISO/IEC 27001:2005 emerged from the second part of the British Standard BS 7799, BS 7799-2:2002. It was first published as an international standard on 15 October 2005.

Since September 2008 the standard has also been available in German translation as DIN standard DIN ISO/IEC 27001:2008. The German edition is maintained by DIN NIA 01-27 "IT security procedures", which participates in the international standardization work of the responsible committee ISO/IEC JTC 1/SC 27.

On 25 September 2013, the revised version ISO/IEC 27001:2013 was published in English.

On 10 January 2014, the revised version ISO/IEC 27001:2014 was published in German. This is still a draft, with an objection period running until 10 March 2014; fundamental changes are not expected. Section A.8.3.4 was omitted from the translation and will certainly appear in the final version. In the German version of ISO/IEC 27002:2014 the section was not omitted.

Application

ISO/IEC 27001 is intended to be applicable in various areas, in particular:

  • For the formulation of requirements and objectives for information security
  • For cost-effective management of security risks
  • To ensure compliance with laws and regulatory systems
  • As a process framework for the implementation and management of measures to achieve specific information security objectives
  • For the definition of new information security management processes
  • For the identification and definition of existing information security management processes
  • For a definition of information security management activities
  • For use by internal and external auditors to determine the level of implementation of guidelines and standards

Certification

Many (large) companies have internal security policies for their IT. Through an internal assessment (also called an audit), companies can verify that they are proceeding correctly when measured against their own specifications. However, this does not allow them to demonstrate their IT security capabilities convincingly to the public or to (potential) customers. That requires a certification, for example according to ISO/IEC 27001, or an ISO/IEC 27001 certification on the basis of IT baseline protection (IT-Grundschutz).

It should be noted that ISO itself does not perform certifications. Rather, an organization has three ways to demonstrate conformity with a standard:
