ISO/IEC 27001:2005 is the international standard for an organization to manage its information security. It sets out how an organization should address the requirements of confidentiality, integrity and availability of its information assets and incorporate this into an Information Security Management System (ISMS).
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. Certification to ISO/IEC 27001 is a powerful demonstration of an organization's commitment to managing information security.
Attaining the standard makes a public statement of capability without revealing security processes or opening systems to second-party audits. The standard ensures controls are in place to reduce the risk of security threats and to avoid system weaknesses being exploited. It will also help an organization to develop a business continuity plan that will minimize the impact of any security breaches.
Unprotected systems are vulnerable to computer-assisted fraud, sabotage and viruses. Breaches in information security can allow vital information to be accessed, stolen, corrupted or lost. An organization needs to be confident that it has the appropriate controls and procedures in place to avoid such incidents. ISO/IEC 27001:2005 covers all types of organizations, such as small businesses, commercial enterprises, government agencies and NGOs.
Organizations can use the standard to provide relevant information about information security to customers. An effective ISMS (Information Security Management System) will identify and clarify existing information security management processes and incorporate them into the procedures. An information security system built to ISO/IEC 27001 will help to make staff aware of their individual duties in protecting the organization's sensitive data.
Information is critical to the operation and perhaps even the survival of the organization. Being certified to ISO/IEC 27001 will help the organization to manage and protect its valuable information assets. ISO/IEC 27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls.
This helps the organization to protect its information assets and gives confidence to any interested parties, especially customers. The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the ISMS.
ISO/IEC 27001 is suitable for any organization, large or small, in any sector or part of the world. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors. ISO/IEC 27001 is also highly effective for organizations which manage information on behalf of others, such as IT outsourcing companies; it can be used to assure customers that their information is being protected.
The ISO/IEC 27001 standard has replaced the old BS 7799-2 standard. It is the specification for an Information Security Management System, and it is against this specification that certification is granted. ISO/IEC 27001 enhanced the content of BS 7799-2 and harmonized it with other standards.
The objective of the standard is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Adoption of the standard should be a strategic decision. Further, "The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization".
The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA (Plan-Do-Check-Act) model to structure the processes.
ISO/IEC 27001 is designed to harmonize with ISO 9001:2000 and ISO 14001:2004 so that management systems can be effectively integrated. ISO/IEC 27001 is the best-practice standard for Information Security Management Systems. IT Governance specializes in helping organizations, in all sectors and all over the world, design and implement best-practice Information Security Management Systems that deliver identifiable returns on investment and which are capable of certification to ISO/IEC 27001.