ISO 27001:2005/BS 7799 Information Security Management System

Over time, business houses have realised that if their information and assets are not safe, the future of the business is not secure. No matter how well protected and secure an organisation appears to be, confidential and sensitive information can still be compromised. The problem is grave because the organisation learns about the compromise only when it is too late. Practically all organisations face this problem, regardless of their size, sector or culture.

The above problem usually occurs because of a highly vulnerable working environment exposed to inherent and outside threats. The probability of occurrence and the severity determine the impact of the situation. To overcome this problem, organisations require a good Management Assurance Mechanism to maintain the Confidentiality, Integrity and Availability of information. This mechanism is termed an INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS).

The goal of ISO/IEC 27001:2005 / BS 7799-2 is to provide a common base for developing organizational information security policies and procedures that result in effective security management practices, and to provide confidence in intra- and inter-organizational dealings. This can be achieved by implementing an ISMS.

Who can adopt ISO/IEC 27001:2005?

This standard can be used by any organization, institution or company. It is meant for any company that uses internal or external computer systems, possesses or processes confidential data, depends on information technology to carry out its business activities, or simply wishes to adopt information security.

Organizations such as Banks, Call Centres, IT companies, Tax offices, Automobile Manufacturing Companies, Consultancy Firms, Research and Development institutions, Hospitals, Schools, Universities, Examination Boards, and Finance and Insurance companies need an ISMS in place.

Advantages of adopting ISO/IEC 27001:2005

One distinct advantage of this standard has to do with public confidence. Just as ISO 9001 is indicative of the organisation’s Quality System being in place, this standard contributes towards the confidence in a Company’s Information Security. Other advantages experienced are:

  1. Systematic identification of Information Security Risks and their mitigation.
  2. Availability of Business Continuity Plans in case of manmade and natural disasters.
  3. Potentially lower premium of computer risk insurance.
  4. Better protection of Confidential Data.
  5. Faster and easier recovery from attacks and improved ability to survive disasters.
  6. Reduced risk from hacker attacks.
  7. Compliance with legal and contractual requirements.

A structured and globally recognized Information Security Methodology. Putting your security issues first. The purpose of information security management is to ensure business continuity and reduce business damage by preventing security incidents and minimising their impact. The Audit Commission Update report (1998) shows that fraud or cases of IT abuse often occur due to the absence of basic control, with one-half of all detected frauds found by accident. Ensuring the storage of your knowledge capital, and protecting it through a management system, will strengthen the competitive edge of your company.