ISO 27001 – Overview


ISO 27001 tells us what has to be done for risk identification and management, but not how. The "how" part is dealt with in ISO 27002.

ISO 27000 is a suite with several modules; a few of them are listed below.

  • ISO 27001 – Information security management system (ISMS) specification
  • ISO 27002 – Controls
  • ISO 27003 – Implementation of controls
  • ISO 27004 – Metrics for measurement
  • ISO 27005 – Risk management


  • Identification of business risk
  • Addressing the identified risks in a disciplined way
  • Effective security and compliance management
  • Ensuring CIA

The key thing in ISO 27001 is to have an ISMS (Information Security Management System) in place. ISO 27001 defines guidelines for setting up an ISMS. Overall, it helps to put the business in order.


ISO 27001 is not a prescriptive conformance standard; it is not one size fits all. It has been designed so that it can be applied to any organisation.

Example: if the standard prescribed that a backup must be taken every 24 hours, that frequency would be too low for some organisations but too much for others.

Why do we NEED an ISMS?

So that risk can be gauged, monitored, controlled and managed in an efficient way.

4 phase approach to implement ISMS

Phase 1

  • Involve management
  • Define scope
  • Set up ISMS policy
  • Decide how risk will be measured and treated (high, medium, low)
  • Set controls

Phase 2

  • Implement the above
  • Spread awareness

Phase 3

  • Monitor the above
  • Perform internal audits

Phase 4

  • Take corrective and preventive measures
