GAP Analysis

BS7799 Training

ISO 27001 is the international Standard for Information Security. The standard defines the specification for an information security management system and is used as the basis for accredited certification.

The standard specifies a set of control objectives and controls aimed at protection of information assets against the threats of breach of confidentiality, integrity, and availability.

The controls involve a number of different security related disciplines, including technical, personnel, physical and procedural.

In applying ISO 27001 to an organization, the objective of the exercise is to gain assurance that the appropriate controls have been built into the day-to-day operations, and that these controls work together effectively and provide an appropriate environment that supports the business processes. As ISO 27001 addresses the full range of information security issues, the only pragmatic way to apply the Standard to a real environment is to define an area (or areas) of the business within which to focus the compliance activities.

Building up an Information Security Management System is a major exercise for any organization. It involves a culture change in the way people view information security and, because a new system is being installed, brings about changes in operations. A critical success factor is senior management commitment.

As with any Standard, the approach towards an ISO 27001 certification would involve:

  • Identifying where we are
  • Identifying where we want to be
  • Planning the steps to reach the target
  • Doing what it takes to execute the plan
  • Reviewing the achievements periodically

Conducting a gap analysis against the ISO 27001 Standard is the recommended first step in this process. Here, an objective view is taken of the current state of information security within the organization. The major benefits include a quick return in terms of awareness of the security requirements as well as significant gaps, and a more reliable estimate of the requirements in terms of schedule and effort, when a full ISO 27001 implementation is considered necessary.

(c) Copyright MIEL e-Security Pvt Ltd