BS ISO/IEC 27001:2005 - Frequently asked questions


What is BS ISO/IEC 27001?

BS ISO/IEC 27001:2005 is the international standard that specifies the requirements for an information security management system (also known as an ISMS).

This is the foundation for third-party audit and certification.

In short, an effective ISMS requires that senior management:

• systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts;

• design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

• adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

Is ISO/IEC 27001 the same as BS ISO/IEC 27001?


ISO/IEC 27001 is the "base" international standard. BS ISO/IEC 27001 is the version published by the UK National Standards Body (BSI British Standards). The content is identical.

What is covered by BS ISO/IEC 27001?

- Introduction

- Scope

- Normative references

- Terms and definitions

- Information Security Management System

- Management responsibility

- Management review of the ISMS

- ISMS improvement


What is the process for implementing BS ISO/IEC 27001?

1) Define an information security policy

2) Define scope of the information security management system

3) Perform a security risk assessment

4) Manage the identified risk

5) Select controls to be implemented and applied

6) Prepare an SoA (statement of applicability)


Is BS ISO/IEC 27001 “harmonized” with the other ISO Management systems?

The standard provides a specification for ISMS and the foundation for third-party audit and certification. It is harmonized to work with other management system standards such as ISO 9001 and ISO 14001 and will assist in the integration and operation of an organization’s overall management system.

It implements the Plan-Do-Check-Act (PDCA) model and reflects the principles of the OECD guidance on the security of information systems and networks.
