Description
The ISO 27001 standard was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” The standard uses a top-down, risk-based approach and is technology-neutral. (The quoted wording and the planning steps below follow the 2005 edition; the 2013 and 2022 revisions restructured the clauses but keep the same risk-based approach.) The specification defines a six-part planning process:
Define a security policy.
Define the scope of the ISMS.
Conduct a risk assessment.
Manage identified risks.
Select control objectives and controls to be implemented.
Prepare a statement of applicability.
The specification also covers documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. In an increasingly technology-driven business environment, a secure approach to business is not only essential but, in many sectors, mandatory.