ISO 27001: Information Security Management System

The standard provides a set of best management practices for protecting the information held by an organization, whether that information belongs to the organization itself or to its clients. Although the standard is commonly associated with the information technology sector, it applies to any business or non-profit organization that understands the sensitivity of its information. Information is now considered the most important asset of an organization; it may include communication and correspondence with clients, details of agreements with third parties, personnel bio-data, classified documents relating to an organization's products and services, complaint records, network and security architecture designs, access control procedures (both physical and logical), and any other information whose disclosure to unauthorised parties could affect the organization in unexpected ways. Unlike most ISO management-system standards, this standard does not stop at high-level requirements: its Annex A lists control objectives and controls, and the companion standard ISO/IEC 27002 provides implementation guidance for them, so that all related areas are effectively covered.

Main areas of this standard covered by QMS.9000

  • Setting information security objectives and plans to achieve them
  • Development of information security policies covering all applicable controls
  • Development of the Information Security Management System (ISMS) itself
  • Development of a risk assessment methodology based on ISMS requirements and business / operational activities
  • Development of a risk treatment plan
  • Development of a system for asset valuation (based on the criteria defined by the standard)
  • Development of a business continuity plan so that the ISMS continues to operate through minor and major disasters
  • Development of a system for reporting, investigating and correcting information security incidents
  • Development of a corrective and preventive action system measured against ISMS requirements
  • Planning for a disaster recovery site
  • Development of a system for securing and protecting the documentation and records related to operational activities and the ISMS
  • Defining roles and responsibilities of personnel for the ISMS


The following sectors are recommended to implement an ISMS: information technology services (including software houses), the financial sector, oil & gas, data management companies, the education sector, the defense sector, the public sector, etc.

Related Training Courses

  1. Introduction to ISMS requirements and control objectives (1 day)
  2. Advanced training on implementation of an ISMS based on ISO 27001 requirements and controls (3 days)
  3. Risk management, business continuity planning and disaster recovery (1 day)