New ISO Standards on IT Security Management Systems 10/05
ISO/IEC 27001:2005, "Information technology – Security techniques – Information security management systems – Requirements", specifies the processes an organization uses to establish, implement, operate, monitor, review, maintain and improve a documented information security management system (ISMS).
ISO/IEC 27001:2005 adopts the process-based approach of ISO's other management system standards, ISO 9001:2000 and ISO 14001:2004, including the Plan-Do-Check-Act (PDCA) cycle and the requirement for continual improvement, so an ISMS can be run and audited alongside existing quality and environmental management systems.
The new standard forms a complementary pair with the recently published ISO/IEC 17799:2005 "code of practice" on information security management: ISO/IEC 27001 states the auditable requirements for the management system, while ISO/IEC 17799 provides the control objectives, controls and implementation guidance that the ISMS draws on (the controls are summarized in Annex A of ISO/IEC 27001).
Organizations that so wish can have their information security management systems independently certified as conforming to the requirements of ISO/IEC 27001:2005, although certification is not a requirement of the standard.
Up to now, organizations that wished to have their ISMS certified have done so against the British Standard BS 7799 Part 2, from which ISO/IEC 27001:2005 was developed. Certification is now possible against ISO/IEC 27001:2005, which is an International Standard.
27 October 2005