| ISO/IEC 27001 |
 |
 |
|
What is ISO/IEC 27001?
ISO/IEC 27001 is an international standard for an Information Security Management System (ISMS). The ISMS
provides assurance of adequate security controls over information assets. ISO/IEC 27001 has evolved from British
Standard BS 7799-2. Organizations can be certified against ISO/IEC 27001. ISO/IEC 27001 is related to ISO/IEC 17799.
ISO/IEC 27001 consists of one document:
This document can be purchased from the http://www.iso.org/. ISO/IEC 27001 describes 133 specific controls, categorized into 39 control objectives, listed in 11 distinct chapters of ISO 17799. These controls were directly derived from those listed in ISO/IEC 17799.
Process Mapping
|
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.5.1 Provide security policies in accordance with laws, regulations, and the business |
Produce and Maintain Security Policy |
A.6. Organization of Information Security
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.6.1 Manage internal information security |
Monitor, Assess, Audit and Report Security | |
|
A.6.2 Manage security for information accessed by external parties |
Monitor, Assess, Audit and Report Security |
A.7.1 Protect organizational assets
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.7.1 Protect organizational assets |
all | |
|
A.7.2 Ensure appropriate level of information protection |
A.8. Human Resources Security
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.8.1 Ensure understanding by all internal and external parties concerning responsibilities to reduce theft, fraud, and misuse |
||
|
A.8.2 Ensure understanding by all internal and external parties concerning security threats and concerns |
||
|
A.8.2 Ensure an orderly process for exiting the organization or changing employment |
A.9. Physical and Environmental Security
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.9.1 Prevent damage and unauthorized physical access to premises and information |
Operate and Maintain Facilities | |
|
A.9.2 Prevent loss, damage, theft, or compromise of equipment |
A.10. Communications and Operations Management
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.10.1 Ensure secure operation of facilities through operational procedures and responsibilities |
||
|
A.10.2 Provide appropriate level of security according to service delivery agreements |
|
|
|
A.10.3 Minimize risk of system failure during system planning and acceptance |
Plan and Implement Security Practices | |
|
A.10.4 Provide protection against malicious and mobile code |
||
|
A.10.5 Provide appropriate backups to maintain information integrity and availability |
Data Management | Backup and Restore Data |
|
A.10.6 Protect information within networks and related infrastructure |
Classify Information Asset Security |
|
|
A.10.7 Provide secure handling of media to prevent unauthorized information access |
||
|
A.10.8 Maintain secure information exchange with external parties |
Control, Deploy and Maintain Data | |
|
A.10.9 Ensure secure use of electronic commerce services |
||
|
A.10.10 Monitor and detect unauthorized information processing activities |
Monitor, Assess, Audit and Report Security |
A.11. Access Control
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.11.1 Control information access |
Operate Security Protection Mechanisms | |
|
A.11.2 Prevent unauthorized user access to information |
Operate Security Protection Mechanisms | |
|
A.11.3 Prevent compromise or theft of information |
Operate Security Protection Mechanisms | |
|
A.11.4 Prevent unauthorized network access |
Operate Security Protection Mechanisms | |
|
A.11.5 Prevent unauthorized operating system access |
Operate Security Protection Mechanisms | |
|
A.11.6 Prevent unauthorized application system access |
Operate Security Protection Mechanisms | |
|
A.11.7 Ensure information security for mobile users |
Operate Security Protection Mechanisms |
A.12. Information Systems Acquisition, Development and Maintenance
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.12.1 Integrate security with information systems |
n/a | |
|
A.12.2 Prevent misuse of information in applications |
|
|
|
A.12.3 Use cryptography to protect information confidentiality, authenticity, and integrity |
Operate Security Protection Mechanisms | |
|
A.12.4 Ensure security of system files |
||
|
A.12.5 Maintain security of application systems |
||
|
A.12.6 Reduce exploitation of published technical vulnerabilities |
Analyze Security Threats, Vulnerabilities and Risks |
A.13. Information Security Incident Management
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.13.1 Report security events to allow timely corrective action |
Monitor, Assess, Audit and Report Security | |
|
A.13.2 Provide a consistent and effective approach to managing security incidents |
Establish Security Management Framework |
A.14. Business Continuity Management
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.14.1 Reduce effects of major failures or disasters to business processes |
all |
A.15. Compliance
| ISO/IEC 27001 Controls | PRM-IT Process(es) | Specific Activity or Activities |
|---|---|---|
|
A.15.1 Comply with legal, statutory, regulatory, and security requirements |
all | |
|
A.15.2 Comply with organizational security policies and standards |
all | |
|
A.15.3 Minimize interference from auditing |
Compliance Management |
| Supporting Materials |
|---|
©Copyright IBM Corp. 2005, 2008. All Rights Reserved. |