An Introduction To ISO 27001 (formerly BS 7799 Part 2)

BS 7799 has just been superseded by ISO 27001 (2005). ISO 27001 is the 'Specification for Information Security Management', and should an organisation wish to become certified to ISO 27001, then this is the standard that certification is carried out against.

Part of the process of achieving accredited certification to ISO 27001 is the creation of an Information Security Management System (ISMS). Then the process given in Section 4 below must be followed. Whilst the certification process mandates the use of a risk assessment on the assets within the scope for certification, the implementation of ISO 27002 does not.

If we accept that all organisations are different and deliver their respective goods and services in different ways, how can one standard apply across the board? The answer is that each organisation must understand and define its own need for information security by using risk assessment and risk management to set the level of protection required for its assets. The risk process is further explored in Section 5 below.
The Security Practitioner An Introduction to Information Security |