ISO/IEC 27001:2005 (commonly shortened to ISO 27001:2005) is the internationally recognized standard for an information security management system (ISMS). It is suitable for any organization, large or small, in any sector or part of the world, where it is important to manage sensitive company information and keep it out of the hands of unauthorized parties. The standard is particularly relevant where the protection of information is critical, such as in the finance, health, public and IT sectors.
To ensure the continuity of your operations and the safety of your data and systems, the security of information systems and critical business information must be actively and continually managed. Unprotected systems are exposed to many threats, including computer-assisted fraud, sabotage and viruses.
These threats can be internal or external, accidental or malicious. Breaches of information security can allow vital information to be accessed, stolen, corrupted or lost. It is crucial that every company puts appropriate controls and procedures in place to prevent such incidents.
ISO 27001:2005 lists its control objectives and controls in Annex A, grouped into eleven areas; an organization selects the controls that apply to it and records that choice in its Statement of Applicability. The areas are:
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance