ISO/IEC 27001:2005 Information Security Management System [ISMS]

Information is the lifeblood of all organizations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation. In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious.

There is a need to establish a comprehensive Information Security Policy within all organizations. You need to ensure the confidentiality, integrity, and availability of both vital corporate information and customer information.

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.

ISO/IEC 27001:2005 (formerly BS 7799-2:2002) establishes best practices of control objectives and controls in the following areas of information security management:

  • Security policy;
  • Organization of information security;
  • Asset management;
  • Human resources security;
  • Physical and environmental security;
  • Communications and operations management;
  • Access control;
  • Information systems acquisition, development and maintenance;
  • Information security incident management;
  • Business continuity management;
  • Compliance.


This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

References to ‘business’ in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization’s existence.


The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable regulatory requirements.

If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.

Features Of ISO 27001 [ISMS]

ISO 27001 is a globally recognized standard for information security management systems. It is generic in nature and applicable to all business sectors. Information security management system certification may be combined with certification to other management system standards, e.g. ISO 9001, ISO 14001 and OHSAS 18001.

The standard provides a comprehensive approach to security of information needing protection, ranging from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees. Subjects to address include competence development of staff, technical protection against computer fraud, information security metrics and incident management as well as requirements common to all management system standards such as internal audit, management review and continuous improvement.

General Requirements

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

Documentation Requirements

The ISMS documentation shall include:

  1. Documented statements of the ISMS policy and objectives
  2. The scope of the ISMS
  3. Procedures and controls in support of the ISMS
  4. A description of the risk assessment methodology
  5. The risk assessment report
  6. The risk treatment plan

ISO/IEC 27001:2005 Implementation Benefits

ISO/IEC 20000 certification demonstrates that an organization has adequate controls and procedures in place to consistently deliver a cost-effective, quality IT service. ISO 27001 implementation improves or leads to:

  • Management Understanding of the Value of Organisational Information
  • Customer Confidence, Satisfaction and TRUST
  • Business Partner Confidence, Satisfaction and TRUST
    e.g. Handling Sensitive Information of Customers & Business Partners
  • Level of Assurance in Organisational Security & QUALITY
  • Conformance to Legal and Regulatory Requirements
  • Organisational Effectiveness of Communicating Security Requirements
  • Employee Motivation and Participation in Security (Best Practices)
  • Organisational Profitability
  • Management and Handling of Security Incidents
  • Ability to Differentiate Organisation for Competitive Advantage
  • Organisational Credibility & Reputation

Why Choose 4C Consulting?

  • Team 4C has IRCA certified 27001:2005 auditors for Consulting Services
  • 800+ certifications in different industries
  • Team 4C's hands-on experience in implementing other information security tools, such as ISO 20000 and CMMI, helps you gain early benefits


We offer a customized training program on ISO 27001:2005 for

4C Consulting Private Limited is one of the leading professional consulting firms for ISO/IEC 27001 Information Security Management System (ISMS) certification. We provide consulting for ISO/IEC 27001 Certification, ISO/IEC 27001 Training, ISO/IEC 27001 Implementation, and ISO/IEC 27001 Documentation in Ahmedabad, Baroda Vadodara, Rajkot, Surat, Vaapi, Ankleshwar, Mumbai Bombay, Pune, Bangalore, Maharashtra, Gujarat, India, USA, Canada, Europe, U.K., France, Japan, China, UAE, Kuwait, Middle East, Asia & Africa.

ISO/IEC 27001:2005 Know More

What is ISO/IEC 27001 (BS 7799), and how does an ISMS relate to it?

British Standard 7799 (BS 7799) is an internationally-recognized standard describing the protection of information assets:

  • ISO/IEC 17799 (also known as BS 7799 Part 1), a code of practice for information security management. It will be renumbered to ISO/IEC 27002.
  • BS 7799 Part 2, the specification for an ISMS that can be used as the basis for certification. It has been adopted as an international standard, ISO/IEC 27001.

How does ISO/IEC 27001 (BS 7799) relate to other management system standards (ISO 9001 and 14001)?

ISO/IEC 27001 (BS 7799-2) is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental management systems) standards. The three standards share system elements and principles, including adopting the PLAN, DO, CHECK, ACT cyclic process. This approach makes it possible to integrate the systems to the extent it makes sense.

Why should I invest in implementing an ISMS and certifying it using ISO/IEC 27001 (BS 7799-2)?

If information assets are important to your business, you should consider implementing an ISMS in order to protect those assets within a sustainable framework.

If you implement an ISMS, you should consider going through the process to be certified against the ISO/IEC 27001 standard. ISO/IEC 27001 and BS 7799 continue to build a reputation for helping to model business practices that enhance an organization’s ability to protect its information assets. A growing number of organizations around the world have already gone through the certification process.