What is ISO/IEC 27001?

The ISO/IEC 27001 standard was published in October 2005, essentially as a replacement for the old BS7799-2 standard. ISO 27001 is the specification for an ISMS, an Information Security Management System. BS7799 was a long-standing standard, first published in the 1990s as a code of practice. As it matured, a second part emerged to cover management systems, and this is the part that certification is granted against. Thousands of certificates are in place today, all around the world. ISO/IEC 27001 enhanced the content of BS7799-2 and harmonized it with other standards. Various certification bodies have introduced a program for upgrading from BS7799 certification to ISO/IEC 27001 certification.

The Objective of ISO/IEC 27001

The objective of the standard itself is to be a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System. Adopting the standard should be a strategic decision. Moreover, "the design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the process employed and the size and structure of the organization". The ISO/IEC 27001 standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". ISO 27001 employs the PDCA (Plan-Do-Check-Act) model to structure the processes and reflects the principles set out in the OECD guidelines (see oecd.org).
Stiki Ltd.
20 Garrick Street
London, WC2E 9BT
Tel: +44 (0) 203 178 4732
E-mail: stikiuk@stiki.eu
RM studio is simple and easy to use. The software guides the user through each step of the risk assessment process, ensuring that all aspects of the risk assessment process are covered.