What standards should be referred to for ISMS implementation?
ISMS is based on two international standards:
- ISO/IEC 27001:2005
- ISO/IEC 27002:2005
ISO/IEC 27001:2005 is the Requirements for Information Security Management Systems. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. The ISMS processes are based on the following Plan-Do-Check-Act model:
Figure 1: PDCA Model
ISO/IEC 27002:2005 is the Code of Practice for Information Security Management. It provides a catalogue of controls that can be implemented for an ISMS. The standard comprises 11 security areas, 39 control objectives and 133 controls. The 11 security areas of ISO/IEC 27002 are listed in Figure 2:
Figure 2: ISO/IEC 27002:2005 Security Areas