ISO 27001 is a management system standard that, at its core, revolves around information assets and the management of business risk. It sets stringent requirements for establishing, implementing and documenting a corporation's information security management. The predecessor of ISO 27001 is BS 7799, the Information Security Management System standard drafted by BSI, the authoritative standards development body and international certification provider. BS 7799 was subsequently adopted by the International Organization for Standardization (hereinafter "ISO") and refined into ISO 27001. ISO 27001 has since become the most rigorous and recognized, as well as the most extensively accepted and applied, global system certification standard for information security.
In recent years, emerging IT technologies have developed rapidly worldwide, bringing new security threats with them. In response, ISO formally upgraded ISO 27001:2005 to ISO 27001:2013. Comparatively, the 2005 edition is more applicable to traditional IT frameworks, while the 2013 edition adds information security management requirements for new technologies that the 2005 edition lacked. This means that ISO 27001:2013 certification better reflects the industry's commitment to security and indicates that a corporation's information security management is now equipped with an established, scientific and effective system of management, which better enables the corporation to provide users with reliable information services. At present, a number of governmental organizations, banks, securities, insurance, telecommunications and internet companies, both domestic and foreign, as well as various multinational corporations, have all adopted this ISO standard in order to manage their information security in a systematic manner.