ISO 27001 Compliance Assessments

ISO 27001 is a standard for Information Security Management Systems (ISMS) published by the International Organization for Standardization (ISO). It is a formal specification for an ISMS in that it mandates a particular set of controls that must be in place. Organizations that claim to have adopted ISO 27001 can therefore be formally audited and certified as compliant with the standard. This ability to certify the operation of an ISMS is what makes ISO 27001 unique and well suited as a form of independent attestation to the design and operation of an information security program.

ISO 27001 requires that management:

  • Systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts;
  • Designs and implements a coherent and comprehensive suite of information security controls (defined by ISO 27002, formerly ISO 17799) and/or other forms of risk treatment to address unacceptable risks; and,
  • Adopts an overarching management process to ensure that the information security controls meet the organization's information security needs on an ongoing basis.

Another benefit of ISO 27001 is that an organization adhering to the standard can simultaneously fulfill other compliance requirements, including HIPAA, PCI, Sarbanes-Oxley, and identity theft/personally identifiable information regulations, with minimal additional effort.

If you require more information please call 888-PivotPoint and ask to speak with one of our Practice Area Managers or send us an email.


ISO 27001 Case Study - Available for Download

ISO 27001 can be confusing - but it doesn't have to be! Download this case study to view the benefits of ISO 27001 certification.

Driven To ISO 27001 ... Driven By ISO 27001

The "cloud economy", a "flatter world" and the growth of increasingly ambiguous and overlapping information security regulations are the three main "pain" points driving organizations to the ISO 27001 framework as a simple and logical response. This presentation explores how and why ISO 27001 is poised to change information security.

This presentation was given by John Verry to the Unisys Community of Practice group on June 15, 2010. Click here to view the pdf.

Free, On-Demand Webinar

Find answers in Is ISO 27001 Right For Your Company?, a free, on-demand webinar.

ISO 27001 Implementation Roadmap

This step-by-step guide to ISO 27001 implementation is a valuable resource! Get your copy now.

Introduction to ISO 27001

Click the image to download a pdf of this PowerPoint presentation which provides a clear, simple introduction to ISO 27001.