ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. We fully adopted ISO 27001 and have been formally audited and certified compliant with the standard.
Most organisations have a number of information security controls. Without ISO 27001, however, the controls tend to be somewhat disorganised and disjointed, having often been implemented as point solutions to specific situations or simply as a matter of convention. Maturity models typically refer to this stage as "ad hoc". The security controls in operation typically address certain aspects of IT or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected. Business continuity planning and physical security, for example, may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organisation.
ISO 27001 requires that management:
- Systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.