These are the most influential, globally recognised standards for information security management. The original British standards BS 7799 Part 1 and BS 7799 Part 2 are now both international standards. There are currently two parts:
The two parts are formally published as:
For further information on information security standards, see our Existing Standards page.
In this section, you can learn more about Part 1 of the standard. See information on:
The essence of ISO/IEC 27002 is that a sound Information Security Management System (ISMS) should be established within organisations. The purpose of this is to ensure that an organisation's information is secure and properly managed.
ISO/IEC 27002 is divided into eleven main sections (please note ISO/IEC 27002 was previously known as ISO/IEC 17799 but was renumbered in July 2007):
Explains what an information security policy should cover and why each business should have one
Explains how information security management is organised
Considers information and information processing equipment as valuable assets to be managed and accounted for
Details personnel issues such as training, responsibilities, vetting procedures, and how staff should respond to security incidents
Covers the physical aspects of security, including protection of equipment and information from physical harm, as well as physical control of access to information and equipment
Examines correct management and secure operation of information processing facilities during day-to-day activities
Covers control of access to information and systems on the basis of business and security needs
Covers designing and maintaining systems so that they are secure and maintain information integrity
Concerned with ensuring information security events and weaknesses are communicated in a way which allows corrective action to be taken
10 Business Continuity Management
Concerns the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor, local issues
Concerns business compliance with relevant national and international laws, professional standards, and any processes mandated by the Information Security Management System (ISMS)
Certification to ISO/IEC 27001 is a formal acknowledgement that your Information Security Management System (ISMS) reflects your organisation's information security needs.
Organisations can be formally certified for ISO/IEC 27001 by an appropriately accredited body. In the UK this means one accredited by UKAS (UK Accreditation Service).
A professional auditor completes an independent formal review of the Information Security Management System (ISMS). The aim of the review is to confirm that the ISMS is both effective and appropriate.
The auditor will check for:
1 Completeness. Have all parts of ISO/IEC 27001 been covered?
2 Relevance. Is the interpretation of ISO/IEC 27001 relevant for the organisation?
3 Implementation. Is the Information Security Management System (ISMS) being followed?
The auditor will require:
1 Self Audits
Each organisation must have a schedule of audits for the whole Information Security Management System (ISMS) over a reasonable period of time.
This involves checking that staff are actually following the ISMS, and can prove it with appropriate records.
The audits are internal, usually involve completing a standard checklist, and are conducted by the organisation's own staff, who are not required to have UKAS accreditation.
Where a failure to follow the ISMS, or a security breach, is detected, a report should go through the normal management structure described under organisational security.
The importance of self-monitoring is that the organisation can react quickly to problems in its own procedures; sometimes the procedures must be improved to take account of reality.
2 Accredited Audits
After the initial audit, the certification body makes a review every six months.
3 Statement of Applicability (SOA)
This is a living document and must be kept up to date. It should always reflect the current status of the organisation's Information Security Management System (ISMS).
There are many options for certification. A small scope that addresses core business functions could be formally certified, but equally, the organisation as a whole could comply with the policies and procedures.
Only the formally certified scope of the Information Security Management System (ISMS) is subject to the six-monthly reviews.
The benefits of using ISO 27001/27002 are straightforward. Using them well will result in:
This is achieved by ensuring that:
It is likely that a number of organisations, including the Government, may require suppliers and other partners to be certified to ISO/IEC 27001 before they can be given government work.
This could make compliance (or certification) more of a necessity than a benefit.
Certification can also be used as part of a marketing initiative, providing assurance to business partners and other outsiders.
BSI has several publications that are specifically designed to help organisations achieve certification to ISO 27001.