The ISO 27001 standard was published in October 2005, permanently replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard, first published in the nineties as a code of practice. As it matured, a second part emerged to cover management systems, and it is this part against which certification is granted. Today more than a thousand certificates are in place across the world.
ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. Various certification bodies have introduced a scheme for conversion from BS7799 certification to ISO 27001 certification.
The objective of the standard itself is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.” Regarding its adoption, this should be a strategic decision. Further, “The design and implementation of an organization’s ISMS are influenced by their needs and objectives, security requirements, the process employed, and the size and structure of the organization.”
The “process approach” identifies these processes, their interactions, and their management, and treats them as a unified system. It employs the PDCA (Plan-Do-Check-Act) model for structuring the processes and reflects the principles set out in the OECD guidelines (see oecd.org).