International standards prescribe baselines for securing assets, digital as well as physical. The ISO (International Organization for Standardization) 27001 information security (IS) management systems standard, in particular, focuses on securing information assets, but it provides physical security controls as well. First, a little background: the ISO 27000 series is a family of IS management standards, focused on Information Systems Management (ISM). Originally dubbed BS7799, ISO 27001 was eventually included in the set of ISO standards when the organization began adding ISMS standards.
What exactly does ISO 27001 define? The standard lays out methods and practices for implementing information security in organizations, providing flexible guidelines, aimed at companies of all sectors and sizes, for how those methods and practices should be implemented. The standard also aims to provide a means of communicating security risk in a secure and reliable way. Included in the standard are the requirements that an ISMS must fulfill in order to achieve certification. Those specifications are broad, however. Specific requirements are not given in this generic standard, because it is meant to apply to all businesses in all sectors. As is the case with ISO standards in general, detailed requirements are left to individual companies to develop and implement; here, ISO 27001 provides supplementary guidelines.
What ISO 27001 outlines instead is the broad requirement for planning, implementing, operating, and continuously monitoring and improving a process-oriented ISMS. It calls on organizations to identify and assess risks, and to define control objectives (for physical security, among other matters).