Evaluation of Information Management Systems in Isfahan University of Medical Science by ISO/IEC 27001 Standard

Abstract:
Introduction
Considering the threats to information and the need for procedures to develop and improve security and confidentiality, the International Organization for Standardization (ISO) established the information security standard ISO/IEC 27001. Obtaining the ISO/IEC 27001 certificate helps the organization identify the problems and defects in its departments and processes, in addition to promoting the organization's competitive position and giving it the competitive advantage that it needs. The goal of this study is to evaluate information management systems in Isfahan University of Medical Science using the ISO/IEC 27001 standard.
Methods
This applied research is a descriptive study. The research community is all departments of information technology at Isfahan University of Medical Science, and the computer centers of faculties and hospitals, in 2011. In this research we used the ISO/IEC 27001:2005 international checklist as the tool for collecting the information. The checklist includes 11 primary parts, and each part includes several additional parts and questions. The information was gathered through interviews, observation and documents of researchers, and was analyzed with Excel 2010.
Results
The assessment results indicate that in the main parts of the standard, namely security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance, the organizations implemented 31, 40, 28, 65, 73, 54, 54, 44, 58, 38 and 54 percent of the requirements, respectively.
Conclusion
Considering the importance of developing information security management in organizations that deliver information technology services, and the importance of the international standard ISO/IEC 27001 in establishing the organization's processes based on information security and confidentiality protection, integrity and accessibility, the organization should put more effort into implementing this standard in its processes. The results indicate that, except for the human resources security and physical and environmental security areas, the organization did not properly develop information security management requirements in its internal processes.
Language:
Persian
Published:
Health Information Management, Volume:12 Issue: 3, 2015
Pages:
306 to 316
magiran.com/p1454694  