ISO 27001, titled "Information Security Management - Specification With Guidance for Use", is the replacement for BS7799-2. It is intended to provide the foundation for third party audit, and is 'harmonized' with other management standards, such as ISO 9001 and ISO 14001.
The basic objective of the standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organization for Economic Cooperation and Development) principles, governing security of information and network systems.
This particular standard defines and specifies an 'Information Security Management System', known as an ISMS. It compliments the existing ISO 17799 security standard, and specifies a general framework for the creation and maintenance of the security process within an organization.
These two standards (ISO 17799 and ISO 27001) are closely related, and although their scope is wide, they have very distinct roles.
ISO 27001 defines the overall requirements for the security management system itself, the focus being on management. It is this standard, rather than ISO 17799, against which certification is offered. It was based upon an earlier standard, known as BS7799-2, but has been more closely aligned with other quality management standards.
operational risk
No comments:
Post a Comment