Magazine article Risk Management

ISO 27001: Risk Management and Compliance

Article excerpt

Almost all of us have heard in some way of either ISO 9000 or ISO 14000 certification. These standards have become commonplace in today's business world as accepted benchmarks for quality control and environmental friendliness. In the manufacturing and service sectors, these standards are almost expected and are taken as a sign that a company bearing these marks has been checked out and proven to follow an accepted code of best practices.

What many of us do not know is that there is another set of ISO standards that are beginning to play a more significant role in the risk management arena. These standards are, respectively, the code of practice for information security management (ISO 17799) and the requirements for information security management systems (ISO 27001). It has been accepted that there are very close ties between information security and risk management, and these standards contribute to this relationship.

What Is the Difference?

Both the ISO 17799 and 27001 standards were derived from multiple iterations of the originating British Standards Institute standard number BS7799. Originally this standard consisted of two parts. Part one was first adopted as ISO 17799. Part two was later adopted in 2005 as ISO 27001. The ISO 17799 standard will be renumbered under the ISO 27000 series of standards as ISO 27002 sometime in 2007 or 2008.

ISO 17799 is a code of practice. In essence, it is a set of guidelines that an organization may use in developing an information security management system. These guidelines have been developed over many years and have gone through many revisions. The guidelines are internationally accepted as one of the industry de facto best practice baselines. There is no certification for ISO 17799 as it is a set of guidelines that can be used to help ensure the compliance and successful implementation of the ISO 27001 specifications.

ISO 27001 is the set of requirements for developing an information security management system. This is the standard that an organization will need to adhere to in order to receive ISO 27001 certification. This standard has several key components that are required in order to achieve compliance. Of particular interest for this discussion are the requirement for a security policy and the requirement for a documented procedure for the assessment and treatment of risk.

Regulatory Compliance and Risk Management

Regardless of which regulatory standard you are dealing with, ISO 27001 gives a baseline paradigm. Compliance with or certification in ISO 27001 will give you strong IT-related controls that will also help satisfy the requirements of many regulatory standards. The degree to which ISO 27001 can help you achieve compliance with other regulatory standards depends upon which controls you select and how you implement those controls.

One of the strongest values ISO 27001 brings is its agnostic approach. There are absolutely no requirements in ISO 27001 for any specified technology. In fact, compliance with the standard can theoretically be achieved without even owning a computer. What the standard requires is the selection of IT-related controls and an implementation of those controls that makes them effective. This is how the standard ties so tightly into the risk management arena.

The following are three key excerpts from the standard dealing with the management of risk:

1. Organizations are required to define and document their risk assessment approach [4.2.1c].

2. "The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results." [4.2.1c]

3. Risk assessments are to be regularly reviewed at planned intervals [4.2.3d].

In addition to the above, the standard also requires that, when selecting controls, there must be a demonstrated relationship between the selected controls and the results of the risk assessment and risk treatment process: "Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. …
