ISO 27001®

ISO 27001:2005 is an international standard that specifies the requirements for an Information Security Management System (ISMS).

Features
The standard was created and published in October 2005 as a certification standard, so as to form a complete system for the management of information security. Its publication replaced the British standard BS 7799 (which contained both the guidelines and the standard itself), which until then had been the primary reference for applying an information security management system. The new standard absorbed both parts: the guideline became ISO 17799:1 (Information Technology - Security Techniques - Code of practice for information security management), while the second part, the standard itself, became ISO 27001:05 in October 2005. To be more precise, ISO 17799:1 describes how to preserve and protect an enterprise's information resources, whereas ISO 27001:05 is the normative document that a company must refer to for certification.

Since information is an asset that adds value to the company, and most information is now stored on electronic media, every organization must be able to guarantee the security of its data in a context where information risks caused by breaches of security systems are still rising. The aim of the new standard ISO 27001:2005 is to protect data and information from threats of all kinds so as to ensure their integrity, confidentiality and availability, and to provide the requirements for an adequate information security management system aimed at the proper handling of sensitive data.

The standard is applicable to companies operating in most business and industrial sectors, such as finance and insurance, telecommunications, services, transport and government.

ISO/IEC 27001 is consistent with the ISO 9001:2000 quality management system and with risk management: it is process-based, with a structured security policy; identification, analysis, evaluation and treatment of risks; review and reassessment of risks; the PDCA model; and the use of procedures and tools such as internal audits, non-conformities, corrective and preventive actions and monitoring, all within a cycle of continuous improvement.

Controls

Of fundamental importance is Annex A, "Control objectives and controls", which contains the 133 controls with which an organization that intends to apply the standard must comply.

They range from security policy and organization, asset management and human resources security, through physical and environmental security, communications and operations management, and physical and logical access control, to the management and monitoring of information security incidents.

Business continuity management and regulatory compliance complete the list of control objectives.

The organization must justify which of these controls are not applicable within its ISMS; for example, an organization that does not carry out 'electronic commerce' can declare controls A.10.9.1, A.10.9.2 and A.10.9.3, which refer specifically to e-commerce, not applicable.

Privacy-Safety
Compliance with ISO 27001, even when certified by an accredited body, does not relieve the organization of the obligation to apply the minimum security measures and to produce the documentation required by the Privacy Act; control A.15.1.4 requires that "Data protection and privacy shall be ensured as required in relevant legislation, regulations and, if applicable, contractual clauses."

The main difference between the Privacy Act and ISO 27001 is that the law protects the personal, sensitive, ... data of citizens, whereas ISO 27001, while demanding that this be done, is also, if not mainly, concerned with the organization's business data, which must be safeguarded in the organization's own interest.

Legislative Decree 81/2008 (D. Lgs. 81/2008), which in Italy regulates safety in the workplace, is usually identified among the regulations that should be explicitly defined and documented, as required by control A.15.1.1 on the identification of applicable legislation.

It is worth remembering, for example, that a fire-protection system installed to protect a room housing the servers or clients that hold information within the scope of certification, and that meets the requirements of the law, does not automatically satisfy the requirements of ISO 27001, which is equally concerned with the "survival" of the "data" held on those servers and clients, something a fire-protection system that merely complies with state law does not automatically guarantee.
