Introduction to ISO 27000
NHS Connecting for Health recommended practice: the ISO/IEC 27000 series of standard numbers has been reserved by the International Organization for Standardization (ISO), jointly with the International Electrotechnical Commission (IEC), for information security matters.
The 27000 series has been populated with a range of individual standards, each addressing a different aspect of information security management. Facts:
- The objective of the ISO 27001 standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System" within the context of the organisation's overall business risks.
- The ISO 27001 standard was published in October 2005, essentially replacing and enhancing the content of the old BS7799-2 standard.
- The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It applies the Plan-Do-Check-Act (PDCA) model to structure those processes.
ISO standards
- ISO 27001
- This is the specification for an information security management system (an ISMS) and replaces the old BS7799-2.
- ISO 27002
- This is the number to which the existing ISO/IEC 17799 standard (itself formerly known as BS 7799-1) is being renumbered; it sets out a code of practice for information security controls.
- ISO 27003
- This will be the official number of a new standard giving guidance on the implementation of an ISMS.
- ISO 27004
- This is the designated number for a new standard on measuring the effectiveness of an ISMS (information security management measurement and metrics).
- ISO 27005
- This is the number assigned to an emerging standard for information security risk management.
- ISO 27006
- This standard will set out the requirements for bodies that audit and certify an ISMS, and so provide the basis for accrediting those certification bodies.
Further information is available on each of the standards mentioned above and on other topics relating to Information Security.
Recommendations
- The adoption of the ISO 27000 series of standards should be a strategic decision.
- Working towards, and in turn being certified to, the ISO/IEC 27001 standard will help you to manage and protect your valuable information assets. Further information is available on the steps required to achieve certification.
- Organisations must demonstrate that they are compliant, or working towards compliance, to show that information security is being taken seriously and that effective controls are in place. This also gives confidence to interested parties.
- An Information Security Management System (ISMS) is the basic requirement for compliance with the ISO/IEC 27001 standard. It must be in place in order to provide an appropriate level of governance for the services an organisation provides. It is recommended that every organisation that uses NHS CFH digital services and/or has an N3 connection maintains a corporate document describing its ISMS.
An example template is available to download (Word, 48 KB) that can be used as a basis for describing an ISMS.
Who is it relevant to?
- ISO/IEC 27001 covers, and is suitable for, all types of organisation that consume NHS CFH digital services and have an N3 connection (e.g. Acute Trusts, Foundation Trusts, County/City Councils, GPs, commercial enterprises, government agencies and not-for-profit organisations).
- It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
- The standard is particularly suitable where the protection of information is critical, such as in the Health sector.
- The standard should be upheld across the entire organisation through education, communication and awareness of comprehensive security policies and procedures, and its operation should be controlled by those responsible for Information Governance within the organisation.
- ISO/IEC 27001 is also highly effective for organisations which manage information on behalf of others, such as IT outsourcing companies.
- It can be used to assure customers that their information is being protected.