ISO 27001 History
The ISO/IEC 27000 series consists of information security standards published by the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC). The series is designed to give best practice recommendations on information security management including risks and controls within the context of an overall Information Security Management System (ISMS), in a similar way to management systems for quality assurance (ISO 9000) and environmental protection (ISO 14000).
There are seven published standards within the ISO 27001 family, with ISO 27001 being the standard to which organisations can be certified. ISO 27001 can be traced back to British Standard 7799, published in 1995. Originally written by the DTI, it was adopted by ISO after several revisions as ISO/IEC 17799.
BS 7799 also had a second part, which covered the implementation of an ISMS. That part became ISO 27001 in November 2005 (hence the designation ISO 27001:2005). In the same year, a third part of BS 7799 was released, covering risk analysis and management and aligning with the ISO 27001 standard.
The basic objective of the ISO 27001 standard is to help establish and maintain an effective information security management system, using a continual improvement approach. It implements OECD (Organisation for Economic Co-operation and Development) principles governing the security of information and network systems.
In October 2013 the latest revision of the standard, titled ISO 27001:2013, was published. Based on ISO's new high-level Annex SL structure, it is designed to be even more compatible with other Management System Standards. The update also takes into account the changing world of information security, where cyber crime, cloud computing and smartphones have changed the landscape considerably. More than ever, it is recognised as the best practice standard for demonstrating information security credentials.