ISO 27001 is an Information Security Management System standard whose objective is to establish a standard for enterprise information security by providing a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS).
ISO 27001 requires that management:
- Systematically examine the organization's imminent and potential information security risks, taking account of threats, vulnerabilities and impacts;
- Design and implement a coherent and comprehensive set of information security controls and/or other forms of information security risk management to avert those risks that are unacceptable; and
- Establish a management policy to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
Benefits of implementing ISO 27001:
- Alignment of information technology services with business strategy, resulting in improved information security.
- Provides a benchmark for comparison with best practices.
- Creates competitive advantage via the promotion of consistent and cost-effective services.
- By requiring ownership and responsibility at all levels, it creates a progressive ethos and culture.
- Reduction of risk, and therefore of cost, when receiving external services.
- Through the creation of a standard, consistent approach, it aids major organizational change.
- Enhanced reputation and perception.
- Fundamental shift to proactive rather than reactive processes.
- Improved relationships between departments through clearer definition of responsibilities and goals.
- Creation of a stable framework for both resource training and service management automation.