
TUHH


What is ISO 27001?

ISO 27000 is a series of information security standards regarding the evaluation and certification of IT products and systems. The main standard in this series is ISO 27001, which defines threats such as loss of data, misuse of confidential information, IT downtime and a standstill of business operations, together with valid countermeasures. The assessment of these threats and the countermeasures are implemented and checked in a continuous "Plan, Do, Check, Act" cycle and are independent of the organization's type, size, mission and structure. The individual need for, and exact specification of, the countermeasures implemented under the ISO 27000 series is evaluated against the individual situation of each organization by means of a stakeholder analysis and a risk analysis, resulting in a custom security concept. [34]

The Process of ISO 27001

Achieving ISO 27001 certification and maintaining a high level of information security in an organization follows a PDCA cycle (Plan, Do, Check, Act).

During the Plan phase, the policies, objectives, processes and procedures necessary for keeping a high level of information security are defined.

In the Do phase, these defined elements are implemented and put in place; in the Check phase they are then checked for their effectiveness and their ability to achieve the desired objectives.

If any corrective measures need to be taken, this is done during the Act phase, after which the cycle is iteratively repeated.

In line with other related standards, the ISO defines 10 core clauses that an organization must be aware of and adhere to for a successful implementation and maintenance of the ISO 27001 standard.

These are:

  1. Scope
  2. Normative References
  3. Terms and Definitions
  4. Context of the Organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance
  10. Improvement

For more information on how to achieve ISO 27001 certification, refer to the ISO website, the implementation guide by NQA, or PECB's white paper on the standard.

All information in the description of the ISO 27001 process is taken from: [49; 50; 51]