The current version of ISO/IEC standard 27001 was published in 2005. It defines a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The standard can be used to assess conformance of a company by interested internal and external parties.
The standard adopts a process approach, meaning the application of a system of processes within an organization, together with the identification and interactions of these processes, and their management.
ISO 27001 especially emphasizes the importance of:
- Understanding an organization’s information security requirements and the need to establish policy and objectives for information security.
- Implementing and operating controls to manage an organization’s information security risks in the context of the organization’s overall business risk.
- Monitoring and reviewing the performance and effectiveness of the ISMS.
- Continual improvement based on objective measurement.
The standard adopts the well-known and proven Plan-Do-Check-Act (PDCA) model to structure all ISMS processes as shown in Figure 1.

Figure 1: The PDCA model of ISO 27001.
Clauses 4-8 of ISO 27001 detail the necessary requirements that have to be fulfilled by an organization that claims conformity to the standard.
Section 4 contains the requirements to be met during establishing and managing the ISMS. The main requirements to establish the ISMS are to:
- Define the scope and boundaries of the ISMS.
- Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that (i) includes a framework for setting objectives and establishes a sense of direction and principles for action, (ii) takes business and legal or regulatory requirements as well as contractual security obligations into account, (iii) aligns with the organization’s strategic risk management context, (iv) establishes criteria against which risk will be evaluated and (v) has been approved by management.
- Define the risk assessment approach of the organization.
- Identify the risks.
- Analyse and evaluate the risks.
- Identify and evaluate options for the treatment of risks.
- Select control objectives and controls for the treatment of risks.
- Obtain management approval of the proposed residual risks.
- Obtain management authorization to implement and operate the ISMS.
- Prepare a Statement of Applicability.
The main requirements to implement and operate the ISMS are to:
- Formulate a risk treatment plan.
- Implement the risk treatment plan.
- Implement the selected controls.
- Define how to measure the effectiveness of the selected controls.
- Implement training and awareness programmes.
- Manage operation of the ISMS.
- Manage resources for the ISMS.
- Implement procedures and other controls capable of enabling prompt detection of, and response to, security events.
The main requirements to monitor and review the ISMS are to:
- Execute monitoring and reviewing procedures to (i) detect errors, (ii) identify attempted and successful security breaches and incidents, (iii) enable management to determine whether security activities are performing as expected, (iv) help detect security events and (v) determine whether the actions taken to resolve a breach of security were effective.
- Undertake regular reviews of the effectiveness of the ISMS.
- Measure the effectiveness of the controls.
- Review risk assessments at planned intervals, taking into account any relevant changes of internal and external factors.
- Conduct internal ISMS audits at planned intervals.
- Undertake a management review of the ISMS on a regular basis.
- Update security plans to take into account the findings of monitoring and reviewing activities.
- Record actions and events that could have an impact on the effectiveness or the performance of the ISMS.
The main requirements to maintain and improve the ISMS are to:
- Implement the identified improvements in the ISMS.
- Take appropriate corrective and preventive actions to improve the ISMS.
- Communicate the actions and improvements to all interested parties at an appropriate level.
- Ensure that the improvements achieve their intended objectives.
The main documentation requirements of the standard also apply to all records of management decisions. Documentation is important to demonstrate the relationship from the selected controls back to the results of the risk processes and subsequently back to the ISMS policy and objectives. The documentation shall include:
- Documented ISMS policy and objectives.
- The scope of the ISMS.
- Procedures and controls in support of the ISMS.
- A description of the risk assessment methodology.
- The risk assessment report.
- The risk treatment plan.
- Documented procedures of the security processes and a description of how the effectiveness of controls is measured.
- Records to provide evidence of conformity to requirements and the effective operation of the ISMS.
- Statement of Applicability.
The required documents of the ISMS shall be protected and controlled using a documented procedure.
Section 5 of ISO 27001 explicitly states the management responsibility for the ISMS and details the necessary requirements pertaining to:
Section 6 of the standard maintains that internal ISMS audits shall be conducted at planned intervals to determine whether the control objectives, controls, processes and procedures of the ISMS of the organization are conformant and perform as expected. The management responsible for the area being audited shall ensure that detected nonconformities and their causes are eliminated without undue delay.
Section 7 of ISO 27001 mandates a management review of the ISMS at planned intervals but at least once every year. The input to the review has to consist of the following information:
- Results of ISMS audits and reviews.
- Feedback from interested parties.
- Techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness.
- Status of preventive and corrective actions.
- Vulnerabilities or threats not adequately addressed in the previous risk assessment.
- Results from effectiveness measurements.
- Follow-up actions from previous management reviews.
- Any changes that could affect the ISMS.
- Recommendations for improvement.
The output of management review shall include any decisions and actions related to:
- Improvement of the effectiveness of the ISMS.
- Update of the risk assessment and risk treatment plan.
- Modification of procedures and controls that affect information security.
- Resource needs.
- Improvements to how the effectiveness of controls is being measured.
Section 8 of the standard states all requirements for ISMS improvement and mandates that the organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review. Organizations must take corrective actions to eliminate the cause of nonconformities with ISMS requirements. Therefore, a documented procedure shall define requirements for:
- Identifying nonconformities.
- Determining the causes of nonconformities.
- Evaluating the need for actions to ensure that nonconformities do not recur.
- Determining and implementing the corrective action needed.
- Recording results of action taken.
- Reviewing the corrective action taken.
Additionally, an organization shall have preventive actions in place to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Therefore, a documented procedure shall define requirements for:
- Identifying potential nonconformities and their causes.
- Evaluating the need for action to prevent the occurrence of nonconformities.
- Determining and implementing the preventive action needed.
- Recording results of action taken.
- Reviewing the action taken.
Finally, an organization shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks.
Appendix A of ISO 27001 lists all of the control objectives and controls, which are derived from and aligned with ISO 17799:2005. That standard has since been superseded by ISO 27002:2007, which merely renamed ISO 17799 without changing any content. The control objectives and controls of Appendix A have to be selected as part of establishing the ISMS. While Appendix A only lists the control objectives and controls, ISO 27002 provides implementation advice and guidance on best practice. Appendix A contains 11 control objectives, sub-divided into 39 categories with a total of 133 controls. Table 1 gives an overview of the contents and Table 2 contains a detailed break-up of control objectives, categories and controls.
Table 1: Overview of control objectives, categories and controls in ISO 27001.

| Control Objective | Categories | Total Number of Controls |
|---|---|---|
| Security Policy | 1 | 2 |
| Organization of Security Policy | 2 | 11 |
| Asset Management | 2 | 5 |
| Human Resources Security | 3 | 9 |
| Physical and Environmental Security | 2 | 13 |
| Communications and Operations Management | 10 | 32 |
| Access Control | 7 | 25 |
| Information Systems Acquisition, Development and Maintenance | 6 | 16 |
| Information Security Incident Management | 2 | 5 |
| Business Continuity Management | 1 | 5 |
| Compliance | 3 | 10 |
| Totals | 39 | 133 |
Table 2: Detailed break-up of control objectives, categories and controls in ISO 27001.

| Control Objective | Category | Number of Controls |
|---|---|---|
| Security Policy | Information Security Policy | 2 |
| Organization of Security Policy | Internal Organization | 8 |
| | External Parties | 3 |
| Asset Management | Responsibility for Assets | 3 |
| | Information Classification | 2 |
| Human Resources Security | Prior to Employment | 3 |
| | During Employment | 3 |
| | Termination or Change of Employment | 3 |
| Physical and Environmental Security | Secure Areas | 6 |
| | Equipment Security | 7 |
| Communications and Operations Management | Operational Procedures and Responsibilities | 4 |
| | Third Party Service Delivery Management | 3 |
| | System Planning and Acceptance | 2 |
| | Protection Against Malicious and Mobile Code | 2 |
| | Back-Up | 1 |
| | Network Security Management | 2 |
| | Media Handling | 4 |
| | Exchange of Information | 5 |
| | Electronic Commerce Services | 3 |
| | Monitoring | 6 |
| Access Control | Business Requirements for Access Control | 1 |
| | User Access Management | 4 |
| | User Responsibilities | 3 |
| | Network Access Control | 7 |
| | Operating System Access Control | 6 |
| | Application and Information Access Control | 2 |
| | Mobile Computing and Teleworking | 2 |
| Information Systems Acquisition, Development and Maintenance | Security Requirements of Information Systems | 1 |
| | Correct Processing in Applications | 4 |
| | Cryptographic Controls | 2 |
| | Security of System Files | 3 |
| | Security in Development and Support Processes | 5 |
| | Technical Vulnerability Management | 1 |
| Information Security Incident Management | Reporting Information Security Events and Weaknesses | 2 |
| | Management of Information Security Incidents and Improvements | 3 |
| Business Continuity Management | Information Security Aspects of Business Continuity Management | 5 |
| Compliance | Compliance with Legal Requirements | 6 |
| | Compliance with Security Policies and Standards, and Technical Compliance | 2 |
| | Information Systems Audit Considerations | 2 |
ISO 27001 is one of the main standards of the ISO 27000 family of standards, which has been established to cover information security. The standards of this series are developed by JTC 1/SC 27/WG 1, which is Working Group 1 of Subcommittee 27 of the Joint Technical Committee 1 of ISO (International Organization for Standardization). JTC 1 is the ISO committee that develops all ISO information technology standards, together with IEC (International Electrotechnical Commission). Subcommittee 27 of JTC 1 is tasked with developing all standards related to IT Security Techniques. The name of WG 1 is Information security management systems, and its work items are solely related to ISMS.
While ISO 27001 only defines the requirements for an ISMS, additional standards of the ISO 27000 family of standards support the implementation of an ISMS:
- ISO 27002 gives implementation advice and guidance on best practice for the controls of ISO 27001.
- ISO 27005 covers information security risk management but does not provide or recommend a specific methodology, as this depends upon a number of factors that will differ within every organization, e.g. because of different industries.
Additionally, planned standards which are currently under development are:
Some of those standards could be available as soon as 2009.
Mostly at a very early stage of development are the following standards of the 2703x set of the series, which will cover cybersecurity, IT network security and application security:
- ISO/IEC NP[3] 27032, Guidelines for cybersecurity.
- ISO/IEC NP 27033, IT Network security, which will cover all aspects of network security as a multipart standard, including the following parts:
  a. ISO/IEC CD 27033-1, Guidelines for network security
  b. ISO/IEC WD 27033-2, Guidelines for the design and implementation of network security
  c. ISO/IEC WD 27033-3, Reference network scenarios – Risks, design techniques and control issues
  d. ISO/IEC NP 27033-4, Securing communications between networks using security gateways – Risks, design techniques and control issues
  e. ISO/IEC NP 27033-5, Securing Remote Access – Risks, design techniques and control issues
  f. ISO/IEC NP 27033-6, Securing communications across networks using Virtual Private Networks (VPNs) – Risks, design techniques and control issues
  g. ISO/IEC NP 27033-7, Guidelines for securing (specific networking technology topic heading(s) to be inserted) – Risks, design techniques and control issues
As standardization efforts may have an impact on how an ISMS is operated, it is prudent to check regularly for the availability of standards that could influence it, especially since the standardization of ISMS and related operations is currently gaining speed and is a very dynamic environment.
[1] FCD means Final Draft International Standard which is a later stage of standardization.
[2] CD means Committee Draft which is an early stage of standardization.
[3] NP means new work item proposal, which is the very first stage of standardization.