ISO/IEC 27001:2005 is an international standard that establishes the requirements for an Information Security Management System (ISMS), covering the physical, logical and organizational aspects of information security.
ISO/IEC 27001:2005 is the certification standard an organization should refer to when building an Information Security Management System that can be certified by an accredited independent body.
The standard applies to private and public organizations alike, regardless of the sector in which the business or organization operates.
Since information is an asset that adds value to the company, and most of it is now stored electronically, every organization must be able to guarantee the security of its data in a context where the risks arising from breaches of computer security are constantly increasing. The aim of ISO/IEC 27001:2005 is precisely to protect data and information from threats of all kinds, so as to ensure their confidentiality, integrity and availability, and to set out the requirements for adopting an information security management system (ISMS) for the effective management of sensitive corporate data.
The structure of ISO/IEC 27001 is consistent with that of the ISO 9001:2008 Quality Management System and with risk management practice. It is process-based and built around a security policy; the identification, analysis, evaluation and treatment of risks; periodic review and reassessment of those risks; the PDCA (Plan-Do-Check-Act) model; and the use of procedures and tools such as internal audits, non-conformity management, corrective and preventive actions, and monitoring, all with a view to continuous improvement.
Compliance with ISO 27001, even when certified by an accredited body, does not relieve the organization of its obligation to implement the minimum security measures and produce the documentation required by the Privacy Law.
The main difference between the Privacy Law and the ISO 27001 standard is that the Privacy Law protects sensitive personal data, whereas ISO 27001, while also requiring that personal data be protected, is equally concerned with the organization's business data, which must be safeguarded in the organization's own interest.