ISACA’s article on ISO 27001 implementation.
Planning for and Implementing ISO 27001
Charu Pelnekar, CISA, CISM, ACA, AICWA, BCOM, CISSP, CPA, MCSE, QSA
ISO/IEC 27001:2005 Information Technology— Security techniques—Information security management systems—Requirements is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).1, 2 The potential benefits3, 4 of implementing ISO 27001 and obtaining certification are numerous. Implementing ISO 27001 can enable enterprises to benchmark against competitors and to provide relevant information about IT security to vendors and customers, and it can enable management to demonstrate due diligence. It can foster efficient security cost management, compliance with laws and regulations, and a comfortable level of interoperability due to a common set of guidelines followed by the partner organization. It can improve IT information security system quality assurance (QA) and increase security awareness among employees, customers, vendors, etc., and it can increase IT and business alignment. It provides a process framework for IT security implementation and can also assist in determining the status of information security and the degree of compliance with security policies, directives and standards.