Information security has become an inseparable part of any information system due to not only legal and statutory requirements of countries around the world, but also due to moral and ethical issues surrounding data and information that is stored and processed. ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements is part of set of standards developed to handle information security: the ISO/IEC 27000 series.
The standard provides companies with the necessary know-how for protecting their most valuable information and a company that is certified against the ISO 27001 standard prove to its customers and partners that it safeguards their data in an internationally accepted way. Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers. Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.
ISMS security objectives?
The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: only the authorized persons have the right to access information.
- Integrity: only the authorized persons can change the information.
- Availability: the information must be accessible to authorized persons whenever it is needed.
What is an ISMS?
An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:
- identify stakeholders and their expectations of the company in terms of information security
- identify which risks exist for the information
- define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
- set clear objectives on what needs to be achieved with information security
- implement all the controls and other risk treatment methods
- continuously measure if the implemented controls perform as expected
- make continuous improvement to make the whole ISMS work better
This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.
ISO/IEC 27001 Mandatory Requirements
|4.1||Determine the organization’s ISMS objectives and any issues that might affect its effectiveness|
|4.2 (a)||Identify interested parties including applicable laws, regulations, contracts etc.|
|4.2 (b)||Determine their information security-relevant requirements and obligations|
|4.3||Determine and document the ISMS scope|
|4.4||Establish, implement, maintain and continually improve an ISMS according to the standard!|
|5.1||Leadership & commitment|
|5.1||Top management must demonstrate leadership & commitment to the ISMS|
|5.2||Document the information security policy|
|5.3||Organizational roles, responsibilities & authorities|
|5.3||Assign and communicate information security rôles & responsibilities|
|6.1||Actions to address risks & opportunities|
|6.1.1||Design/plan the ISMS to satisfy the requirements, addressing risks & opportunities|
|6.1.2||Define and apply an information security risk assessment process|
|6.1.3||Document and apply an information security risk treatment process|
|6.2||Information security objectives & plans|
|6.2||Establish and document the information security objectives and plans|
|7.1||Determine and allocate necessary resources for the ISMS|
|7.2||Determine, document and make available necessary competences|
|7.3||Establish a security awareness program|
|7.4||Determine the need for internal and external communications relevant to the ISMS|
|7.5.1||Provide documentation required by the standard plus that required by the organization|
|7.5.2||Provide document titles, authors etc., format them consistently, and review & approve them|
|7.5.3||Control the documentation properly|
|8.1||Operational planning and control|
|8.1||Plan, implement, control & document ISMS processes to manage risks (i.e. a risk treatment plan)|
|8.2||Information security risk assessment|
|8.2||(Re)assess & document information security risks regularly & on changes|
|8.3||Information security risk treatment|
|8.3||Implement the risk treatment plan (treat the risks!) and document the results|
|9.1||Monitoring, measurement, analysis and evaluation|
|9.1||Monitor, measure, analyze and evaluate the ISMS and the controls|
|9.2||Plan & conduct internal audits of the ISMS|
|9.3||Undertake regular management reviews of the ISMS|
|10.1||Nonconformity and corrective action|
|10.1||Identify, fix and take action to prevent recurrence of nonconformities, documenting the actions|
|10.2||Continually improve the ISMS|