It is becoming increasingly critical that information security is given the attention and level of importance it deserves. Most organizations are now absolutely dependent upon their information and business systems, so much so that serious disruption can mean disaster or critical loss. ISO 27001 / BS 7799 is the only internationally accepted worldwide standard/code dealing comprehensively with these issues.
ISO 27001 / BS 7799 is a standard setting out the requirements for an Information Security Management System (ISMS). It helps identify, manage and minimize the range of threats to which information is regularly subjected.
ISO 27001 / BS 7799 is organized into 11 domains:
Security Policy - To provide guidelines and management advice for improving information security.
Organization of Information Security - To facilitate information security within the organization and manage security risks from external parties.
Asset Management - To maintain an inventory of assets and protect these assets effectively.
Human Resources Security - To minimize the risks of human error, theft, fraud or the abusive use of equipment and to maintain confidentiality of information during and after employment.
Physical and Environmental Security - To prevent the violation, deterioration or disruption of information facilities and data.
Communications and Operations Management - To ensure the adequate and reliable operation of information processing and communication devices.
Access Control - To control access to information and to prevent unauthorized user access to information, information processing facilities, operating systems and networked services, and the compromise or theft of information.
Information Systems Acquisition, Development and Maintenance - To ensure that security is incorporated into information systems and to prevent errors, loss, unauthorized modification or misuse of information in applications.
Information Security Incident Management - To report information security events and weaknesses, and to manage information security incidents and improvements.
Business Continuity Management - To minimize the impact of business interruptions and protect the company's essential processes from failure and major disasters.
Compliance - To avoid any breach of criminal or civil law, of statutory or contractual requirements, and of the organization's security requirements.
In applying ISO 27001 / BS 7799 to an organization, the objective of the exercise is to gain assurance that the appropriate controls have been built into the day-to-day operations, and that these controls work together effectively and provide an appropriate environment that supports the business processes. As ISO 27001 / BS 7799 addresses the full range of information security issues, the only pragmatic way to apply the Standard to a real environment is to define an area (or areas) of the business within which to focus the compliance activities.
Building up an Information Security Management System is a major exercise for any organization. It involves a culture change in the way people view information security and, because a new system is being put in place, brings about changes in day-to-day operations. A critical success factor is senior management commitment.
The following diagram provides a broad overview of the steps involved: