ISO27001 
(the standard formerly known as BS7799 & ISO17799)

ISO27001 is a standard concerned with the management of information and data security systems. 

ISO27001 requires that you

  • define your policies for information security
  • define your objectives (which should be measurable targets relevant to information security)
  • define your procedures for 
    • controls of documents & records, 
    • management reviews of the system, 
    • internal audits, 
    • incident handling, 
    • preventive actions, 
    • corrective actions 
    • etc 
  • identify the types of data that your organization processes or owns (including IT-related data, printed data, information which is "in people's heads" and so on)
  • identify risks & threat levels to the data and balance them against the impact on the business and its customers (and others affected by the threat) that any damage, loss or disclosure would cause
  • prioritise the need to control those risks
  • identify the ways to control those risks (by selecting the controls from a list within the standard)
  • apply the controls
  • monitor the effectiveness of the system
  • continually improve the system

If you would like us to help you to set up and maintain an ISO27001 system, please contact us.

This is the typical "Plan-Do-Check-Act" cycle which is the basis of most management system standards (e.g. ISO9001, ISO14001, OHSAS18001, etc).

The most difficult part of meeting the standard seems to be identifying all types of data and prioritising the need for controls. Actually applying those controls then usually takes a lot of work. Of course, you may already be applying suitable controls, in which case the workload may be less.

You might also be interested in some of the key legislation of which ISO27001 system creators should be aware. Please note that this list is just a starting point. You need to conduct research regarding the legislation that is relevant to your own circumstances. Please note that the following is very much UK-oriented. Even within the UK, there is different legislation for different countries. Scotland for example has different legislation to that of England & Wales.
  1. Computer Misuse Act 1990
    http://www.opsi.gov.uk/ACTS/acts1990/Ukpga_19900018_en_1.htm
  2. Data Protection Act 1998 and Data Protection (Amendment) Act 2003
    Guidance by the Information Commissioner:
    http://www.ico.gov.uk/for_organisations/data_protection_guide.aspx
  3. The Data Protection (Processing of Sensitive Personal Data) Order 2006
    http://www.opsi.gov.uk/si/si2006/draft/20064712.htm
  4. Electronic Commerce (EC Directive) Regulations 2002
    http://www.opsi.gov.uk/si/si2002/20022013.htm
    The Regulations refer to an "information society service" meaning "any service normally provided for remuneration at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, at the individual request of a recipient of the service."
  5. The Privacy and Electronic Communications (EC Directive) Regulations 2003
    These set out rules for people who send you electronic direct marketing (e.g. email and text messages).
    http://www.opsi.gov.uk/si/si2003/20032426.htm
  6. The Freedom of Information Act 2000
    http://www.ico.gov.uk/what_we_cover/freedom_of_information/legislation_in_full.aspx
    This Act gives you the right to obtain information held by public authorities unless there are good reasons to keep it confidential.
  7. Environmental Information Regulations 2004
    http://www.ico.gov.uk/what_we_cover/environmental_information_regulation/legislation_in_full.aspx
    The Environmental Information Regulations give you the right to obtain information about the environment held by public authorities, unless there are good reasons to keep it confidential.
  8. (Scotland) - http://www.itspublicknowledge.info/home/ScottishInformationCommissioner.asp
    Access to information held by Scottish public authorities is provided by the Freedom of Information (Scotland) Act 2002 and the Scottish Environmental Information Regulations.

All pages are © Centre for ISO9000 Ltd 1994 - 2009

This page was last updated on April 13, 2010