UL Asia On the Mark, Issue 17 (Spring 2006)
ISO/IEC 27001:2005: A standard for securing an organization's information assets
In an increasingly networked world, "information" holds the key to competitive advantage. Information, however, can be a double-edged sword when it falls into the hands of unintended entities, whether by accident or by deliberate methods. Under these circumstances, the very same "information" may lead to the fall of the organization. In the information era we are in, technology does provide the solution to many situations, but it cannot provide all the answers, especially since "Processes" and "People" are involved. There is thus a need to address the softer aspects of securing the information assets of an organization.

Recognizing this need, the International Organization for Standardization (ISO) has brought out ISO/IEC 27001:2005. Essentially this is a set of best practices for protecting information. An Information Security Management System (ISMS) is the means by which senior management monitor and control their security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements. It helps an organization to protect proprietary information, provides a common basis for developing organizational security standards, enhances security management practice and increases confidence and trust in inter-organizational dealings.

Who can adopt the ISO/IEC 27001:2005 standard?
ISO/IEC 27001:2005 can be used by any organization. The standard is meant for any organization that uses internal or external computer systems, possesses confidential data and/or depends on information systems to carry out its business activities. In simple terms, it can be used by any organization that deals with information and recognizes the importance of securing that information in a manner appropriate to that business. In a broad sense, an ISMS forms an integral part of any business strategy in corporate warfare.

Control Objectives and Controls in ISO 27001
The basic intent of ISO 27001 is to ensure the "Confidentiality", "Integrity" and "Availability" of information within an organization. To achieve this, the standard recommends a fairly long list of 134 controls supporting 39 control objectives. The organization is free to choose the controls applicable to its business and must justify that choice. The organization may also choose to implement additional controls that are not included in the standard. The accompanying standard ISO 17799:2005 is prescriptive in nature and provides guidelines for implementation of the controls.


ISO 27001 Control Domain                        Objectives   Controls
Security policy                                       1           2
Organization of information security                  2          11
Asset management                                      2           5
Human resources security                              3           9
Physical and environmental security                   2          13
Communication and operational management             10          33
Access control                                        7          25
Systems development and maintenance                   6          16
Information security and incident management          2           5
Business Continuity Plan                              1           5
Compliance                                            3          10
Total                                                39         134

Structure of ISO 27001:2005
The standard is developed around the well-known "Plan-Do-Check-Act Cycle" (PDCA) of Dr. W. Edwards Deming. First published in October 2005, it replaces the popular British Standard BS 7799-2:2002, which had served as a well-accepted standard for ISMS.

I. PLAN
The most important part in Plan is to define the scope or area to be covered. It can be:

  • A full organization spanning across multiple facilities, or
  • A single facility, or
  • A particular service in a multi-service provider company.
The important tasks of Planning include the ISMS policy, risk assessment, risk management, risk treatment and the statement of applicability.

ISMS policy: What does the company want to achieve in terms of confidentiality, integrity and availability? What is an acceptable level of risk? Are there any constraints, such as laws and regulations, or particular ways in which you wish to do things? It should be a short document, but signed by the CEO. The controls flow from the top down.

Risk assessment: Given the information we want to protect and the acceptable level of risk, what is the actual risk? Evaluate the risks. If you plot the likelihood of the impact occurring against the magnitude of the impact, you may find that some risks are not of any great concern.

Risk management/ Risk treatment: After completing the risk assessment, the organization needs to decide how to treat each risk.

Statement of Applicability (SOA): Identify all the security controls that are applicable to the organization, justify why they are appropriate, and show why those BS7799 controls that have not been chosen are not relevant. The selection of controls must be traceable back to the risk assessment.
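The Plan steps above (acceptable risk from the ISMS policy, likelihood-versus-impact assessment, treatment decision, and an SOA that traces controls back to the assessed risks) as a small Python risk register. This is an added example, not UL's or ISO's material; the control IDs, risk entries and the acceptance threshold are constructed for illustration, and the domain names follow the article's table.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    controls: tuple = ()  # constructed control IDs chosen to treat this risk

    def score(self) -> int:
        return self.likelihood * self.impact  # the likelihood-versus-magnitude plot as one number

# Acceptable level of risk as the ISMS policy would state it (constructed value)
ACCEPTABLE_RISK = 6
# Candidate controls: IDs are constructed, domain names follow the article's table
CONTROLS = {
    "C-01": "Access control: user registration and de-registration",
    "C-02": "Communication and operational management: information backup",
    "C-03": "Physical and environmental security: physical entry controls",
}
# Constructed risk register for a small office
RISKS = [
    Risk("R1", "customer database", "access by former staff", 4, 4, ("C-01",)),
    Risk("R2", "file server", "data loss from disk failure", 3, 4, ("C-02",)),
    Risk("R3", "lobby notice board", "defacement", 2, 1),
    Risk("R4", "laptops", "theft off-site", 3, 3),
]

def treat(risks, threshold=ACCEPTABLE_RISK):
    """Risk treatment: accept what the policy tolerates; anything above it needs a control."""
    decisions = {}
    for r in risks:
        if r.score() <= threshold:
            decisions[r.rid] = "accept"
        elif r.controls:
            decisions[r.rid] = "mitigate"
        else:
            decisions[r.rid] = "UNTREATED"  # a gap the Plan phase must close before sign-off
    return decisions

def statement_of_applicability(risks, catalogue=CONTROLS, threshold=ACCEPTABLE_RISK):
    """Trace each candidate control back to the risks it treats; unused ones are excluded with a reason."""
    soa = {}
    for cid, name in catalogue.items():
        treats = [r.rid for r in risks if cid in r.controls and r.score() > threshold]
        why = "treats " + ", ".join(treats) if treats else "no assessed risk above the acceptable level needs it"
        soa[cid] = {"control": name, "applicable": bool(treats), "justification": why}
    return soa
```

An "UNTREATED" entry (R4 here) is the audit finding this structure surfaces: a risk above the acceptable level with no control selected, which the SOA cannot justify away.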

II. DO
The Do part of the cycle requires you to operate the controls. The organization will need a procedure, as mentioned above, to ensure prompt detection of and response to incidents. You will also need to ensure that all staff are security aware, are appropriately trained and are competent to carry out their respective security tasks. To ensure all of this is carried out, you will need to manage the necessary resources.

III. CHECK
The purpose of the Check phase is to ensure that the controls are in place and are achieving their objectives. There are a variety of possible check activities, but only internal ISMS audit and management review are mandatory requirements.

IV. ACT
The outcomes of the Check activity are actions, of which there are three varieties:

  • Corrective action
  • Preventive action
  • Improvements

Conclusion
ISO 27001:2005 provides organizations in any line of business with a tool to help prevent information security lapses and mitigate the associated risks. A formal implementation followed by certification has the following benefits (not all-inclusive):

  • Confidence that suitable controls in line with International Standards have been put in place to minimize information security lapses in an organization
  • Systematic approach to address legal compliance — reduce risk exposure to legal liability
  • Systematic approach to plan and manage business continuity
  • Assurance to customers, partners and stakeholders
  • Increased revenue and business opportunities.
For more information about UL's service offerings on Information Security Management Systems, including ISO 27001:2005, contact Sankalp Mahajan at Sankalp.Mahajan@in.ul.com or customerservice.sg@sg.ul.com.
© 2006, Underwriters Laboratories Inc. All rights reserved.