Before you learn more about ISO 27001:2013, let's talk about the standard-setting bodies that have facilitated the development of the ISO standards themselves. First, the International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from numerous standards organizations. These "standards organizations" have an explicit mission of developing, coordinating, promulgating, revising, amending, reissuing, interpreting, and producing - along with other supporting activities and directives as needed - the technical standards that organizations and individuals alike rely on throughout the world. According to the International Organization for Standardization (www.iso.org), they are "the world's largest developer of voluntary International Standards...founded in 1947...have published more than 19,000 International Standards covering almost all aspects of technology and business".
As for ISO 27001:2013, which is technically known as ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, it effectively replaced the ISO 27001:2005 publication and is now seen as a somewhat more efficient, streamlined, and easier-to-digest framework than its predecessor.
Additionally, the International Electrotechnical Commission (IEC) is also a major contributor, as it too is a standards organization responsible for preparing and publishing international standards related to "electrotechnology" (i.e., electrical or electronic technologies). According to the International Electrotechnical Commission (www.iec.ch), it is the world's "leading organization for the preparation and publication of International Standards for all electrical, electronic and related technologies."
History of ISO 27001 | "Information Security Management System" (ISMS)
Together, ISO and IEC helped lay the groundwork for today's ISO 27000 series of standards. As for the history of ISO 27001, which is technically known as "Information technology - Security techniques - Information security management systems - Requirements", it began as a British Standard (BS), developed in the United Kingdom and published by BSI Group (British Standards Institution). It was actually the second part of the original BS publication (BS 7799), and it was eventually adopted into the ISO family of standards. The original first part of the BS publication eventually became ISO 27002 in July 2007. ISO 27002 is technically known as "Information technology - Security techniques - Code of practice for information security management." ISO 27001 and ISO 27002 are very closely related, but there are notable differences you'll need to know, such as the following:
First and foremost, ISO 27001 is a standard against which certification is possible (which can be a time-consuming process if not properly planned), while ISO 27002 does not allow for any type of formalized certification. Furthermore, ISO 27001 is a management standard; one that clearly defines the requirements for "...establishing, implementing, maintaining and continually improving an information security management system." Source: Page v: ISO/IEC 27001:2013(E).
It is this very "ISMS" that is designed to ensure the use of adequate and proportionate security controls for effectively protecting an organization's information assets.
In fact, under "Scope" on page 1 of ISO 27001:2013, it states the following:
This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
ISO 27002:2013 | Code of Practice | Guidelines and General Principles
As for ISO 27002, it's best viewed as a "code of practice": guidelines and general principles for initiating, implementing, maintaining, and improving security management within an organization. Furthermore, ISO 27002:2013 contains detailed descriptions of controls, coupled with guidance on implementation and other information, for the following fourteen (14) security control clauses (with introductory sections listed prior to these clauses):
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Information Security Policies are Critical for ISO 27001 and ISO 27002 Adherence
As such, Flat Iron Technologies, LLC provides an abundance of technical, operational, and information security policy and procedure documents, forms, templates, and more for businesses seeking to certify against ISO 27001 while also implementing many of the controls stated within ISO 27002. It's called our Global Information Security Compliance Packet (GISCP) set of documents, and it contains literally hundreds of operational, business-specific, and information security materials - policies, procedures, forms, checklists, templates, provisioning and hardening documents - and more. Download a sample policy today to see how in-depth and comprehensive our documents are. Additionally, learn more about our ISO 27001 pre-certification services.