Understanding ISO 27001 and Auditing the Security Program

Date:  2021-03-19 08:38:39
This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Company information such as financial information, information entrusted to the company by third parties, employee information and intellectual property, among others, are all crucial information assets which a company must keep secure. International and industry standards have produced information security management systems (ISMS) to help companies manage this sensitive information. The standards also serve as reassurance to third parties and other stakeholders that their sensitive information is indeed kept securely and in line with industry and international standards. This paper assesses these international standards in order to understand ISO 27001 and the auditing of the security program.

BS 7799 is a standard developed by the British Standards Institute and was first published in 1995. The standard was meant to provide direction and best practices to be followed when a company protects its information; it provided the code of practice, or guidelines, for information security management systems. BS 7799 was revised and later taken up by the International Organization for Standardization (ISO) and the International Electrotechnical Commission in 2000. Hence, BS 7799 was renamed ISO/IEC 17799, or simply ISO 17799, and today it is referred to as ISO 27002. Owing to the different sizes and circumstances of companies, BS 7799 or ISO 17799 provides a list of controls or suggestions which companies can choose to adopt according to their needs (Lamphere, 2007). The main control areas of BS 7799 include information security policy, security organization, compliance, personnel security, and system access control. Others are computer and network management, asset classification and control, systems development and maintenance, physical and environmental security, and business continuity planning (SAS70, 2016).

One main difference between ISO 27001 and BS 7799 is that ISO 27001 is written as requirements, i.e. it uses "shall" and "shall not" throughout. This means its requirements are mandatory, unlike BS 7799, which is a list of controls, a code of practice, and uses "should" and "should not", meaning that its contents are optional. ISO 27001 is a list of requirements that are to be followed when a company wants to establish an ISMS; because the requirements are mandatory, the document uses "shall". BS 7799, on the other hand, is concerned with how the ISMS is to be implemented. It defines the procedures to be followed during implementation of an information security management system and thus provides guidelines or controls which one can choose to follow. As such, BS 7799 uses "should" throughout to leave room for choice and adjustment in the guidelines followed during implementation of the ISMS (IT Governance, 2016).

Given the current level of technology the world has reached, such as cloud computing, companies must be careful about how they secure customer information. As such, I believe that all companies should strive to adopt ISO 27001. These international standards will not only benefit the company but will also provide a sound way of maintaining company information, particularly sensitive information such as financial, intellectual property and third-party information. Applying these international standards provides excellent evidence of information security and compliance, something which is very important to external customers (Schouboe, 2014). By applying these standards, the company will strengthen its trustworthiness, enabling it to work well with other companies and stakeholders. Adoption of these international standards usually brings several benefits. Apart from creating trust between the company and its customers, adopting these standards helps organizations manage their business information efficiently and improve their internal business processes, increasing workers' efficiency and productivity. Information security protects business information from a range of threats, ensuring the firm's continuity, minimizing business risk, maximizing returns and improving business prospects.

In conclusion, adoption of these international standards is very important for the sustainability and survival of business organizations in the current economy. As such, all companies regardless of their size, market share or stature should strive to adopt these standards.


References

Lamphere, P. (2007). ISO 17799 -- it's a control, not a standard. Retrieved from http://www.computerworld.com/article/2545034/security0/iso-17799----it-s-a-control--not-a-standard.html

IT Governance (2016). The difference between ISO 17799 and ISO 27001 or ISO 27000. Retrieved from http://www.itgovernanceonline.com/information-security/difference-iso-17799-iso-27000/

SAS70 (2016). About SAS 70. Retrieved from http://sas70.com/FAQRetrieve.aspx?ID=33293

Schouboe, H. (2014). What is ISO 27001 and why should a company adopt it? Retrieved from http://jscconsultant.co.uk/what-is-iso-27001-and-why-should-a-company-adopt-it11/
