ISO / IEC 27001

from Wikipedia, the free encyclopedia
DIN ISO/IEC 27001
Area: Information technology
Title: IT security procedures - Information security management systems - Requirements
Latest edition: 2017-06
ISO: ISO/IEC 27001:2013 + Cor. 1:2014 + Cor. 2:2015

The international standard ISO/IEC 27001 "Information technology - Security techniques - Information security management systems - Requirements" specifies the requirements for establishing, implementing, maintaining and continually improving a documented information security management system, taking into account the context of the organization. In addition, the standard contains requirements for the assessment and treatment of information security risks according to the individual needs of the organization. All types of organizations (e.g. trading companies, government organizations, non-profit organizations) are taken into account. The standard has also been published as a DIN standard and is part of the ISO/IEC 2700x family.

The standard specifies requirements for the implementation of suitable security mechanisms, which are to be adapted to the circumstances of the individual organization. The German part of this international standardization project is supervised by the DIN committee NIA-01-27 "IT security procedures".

ISO/IEC 27001:2005 was designed to ensure the selection of suitable security mechanisms to protect all values (assets) in the value chain (see the scope of ISO/IEC 27001: "... organization's overall business risk").

Historical development

ISO/IEC 27001:2005 emerged from the second part of the British standard BS 7799-2:2002. It was first published as an international standard on October 15, 2005.

Since September 2008, the standard has also been available in German translation as the DIN standard DIN ISO/IEC 27001:2008. The German edition is supervised by the DIN committee NIA-01-27 "IT security procedures", which takes part in the international standardization work in the responsible committee ISO/IEC JTC 1/SC 27. Currently valid edition: 2015-03.

On September 25, 2013, the revised version ISO/IEC 27001:2013 was published in English.

On January 10, 2014, the revised version DIN ISO/IEC 27001:2014 was published as a draft in German.

In March 2015, the revised version DIN ISO/IEC 27001:2015 was published in German.

The current version, DIN EN ISO/IEC 27001:2017, has been available in German since June 2017.

Application

ISO/IEC 27001 is intended to be applicable in various areas, in particular:

  • For the formulation of requirements and objectives for information security
  • For cost-effective management of security risks
  • To ensure conformity with laws and regulations
  • As a process framework for the implementation and management of measures to ensure specific goals for information security
  • To define new information security management processes
  • To identify and define existing information security management processes
  • To define information security management activities
  • For use by internal and external auditors to determine the degree of implementation of guidelines and standards

Certification

Management systems

Many (large) companies have internal security guidelines for their IT. An internal assessment (also known as an audit) allows a company to check whether its actual practice matches its own specifications. However, a company cannot use such an internal audit to demonstrate its competence in the field of IT security to (potential) customers in a publicly credible manner. For that purpose a certification makes sense, e.g. according to ISO/IEC 27001, an ISO/IEC 27001 certificate based on IT-Grundschutz, or IT-Grundschutz itself.

It should be noted that ISO itself does not carry out any certification. Instead, an organization has three options for demonstrating compliance with a standard:

  1. it can declare its conformity of its own accord,
  2. it can ask its customers to confirm its conformity, and
  3. an independent external auditor can verify its conformity.

People

There are various, mostly modular, schemes for training and certifying people in the area of the ISO/IEC 27000 series. These are designed by different certification companies; see the list of IT certificates.
