
A Glimpse at the ISO/IEC Standard 27001:2005 on ISMS

For a well secured Information System may facilitate willing adoption of BPM!

Part 2. Reference to the earlier blog: A well secured Information System, may facilitate willing adoption of BPM!


Ahead >>>

One of the steps for establishing ISMS is ‘selecting control objectives and controls for the treatment of risks’.

To quote from the Standard:

“Annex A contains a comprehensive list of control objectives and controls that have been found to be commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point for control selection to ensure that no important control options are overlooked.”

There are 13 major control objectives, 39 sub-objectives and a total of 133 sub-sub-objectives, with controls provided for each. (We may also term them Level I, Level II and Level III.) An organization is required to make a selection from these as appropriate to its context.

The 13 major control objectives are:

    1. – Security policy
    2. – Internal organization
    3. – External parties
    4. – Asset management
    5. – Human resources security
    6. – Physical and environmental security
    7. – Communications and operations management
    8. – Access control
    9. – Information systems acquisition, development and maintenance
    10. – Information security incident management
    11. – Business continuity management
    12. – Compliance

For example, under Access Control, 7 sub-objectives are included. They are:

  • User access management
  • User responsibilities
  • Network access control
  • Operating system access control
  • Application and information access control
  • Mobile computing and teleworking

Each sub-objective has a certain number of sub-sub-objectives (if we may call them so), and against each of them the controls to be implemented are indicated in the Standard.

For example, under ‘Network access control’ 7 sub-sub-objectives are mentioned. They are:

    1. Policy on use of network services
    2. User authentication for external connections
    3. Equipment identification in networks
    4. Remote diagnostic and configuration port protection
    5. Segregation in networks
    6. Network connection control
    7. Network routing control

Now, just to see a few of the controls mentioned, we may take up what is under ‘Network routing control’. The control mentioned is:

‘Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.’

For ‘Network connection control’ the control indicated is:

‘For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.’

Controls are stated in this manner for all the control objectives.

It may be inferred from the above, and from the other control objectives and controls among the 133 mentioned in the Standard, that the Standard is quite comprehensive, which in turn may generate the required confidence in the security obtainable through the ISMS.

When the appropriate control objectives and controls are selected and documented, one gets the Statement of Applicability; and when these control objectives and controls are assigned to appropriate roles in the organization, the result is a Responsibility Matrix. These two documents would make implementation, and the coordination of activities by the Chief Information Security Officer and the Management Representative, smooth, and the ISMS would be in place.

Generally, security arrangements are seen as outside one’s work and as restricting one’s movements. It appears to be time to see them as part of the business process and as ‘permitting with purpose’.

Members of SCN may like to read the following as a sequel to this blog:

OECD, Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security. Paris, July 2002.


In the next blog it is proposed to cover the supportive clauses, informative clauses and the documentation requirements, and so complete the overview of the Standard. (Please be with me, I won’t be long, as I already have!)



Sam Anbazhagan




