ISO/IEC 27001:2005 sets out requirements and guidance for use. ISO 27001 is the only auditable international standard that defines the requirements for an Information Security Management System (ISMS). The standard was introduced to ensure that adequate security controls are implemented in the operation of an organisation.
The principal objective of ISO/IEC 27001 is to help establish, develop, maintain and continually improve an effective information security management system. It employs principles and controls to govern the security of information and network systems. This serves to minimise risk and ensures that security continues to fulfil the necessary internal processes as well as customer and legal requirements.
The security controls are intended to preserve confidentiality and integrity, and to ensure that working practices are in place to safeguard the data and information of 'interested parties'. These include customers, employees, partners (suppliers) and the general public.
Organisations that operate without adequate controls and protected systems are more vulnerable to fraud, viruses, security breaches and data loss, because critical information can be accessed without their permission.
An information security management system compliant with ISO/IEC 27001 can help demonstrate to customers and partners that the organisation takes information security seriously.
ISO/IEC 27001 is suitable for any organisation of any size in any sector. The standard is particularly popular where information protection is critical, such as in the finance, health, public and IT sectors (especially IT outsourcing companies).