ISO/IEC 27001 is a framework for information security management systems (ISMS). An ISMS is meant to manage sensitive company information so that it remains secure, and it is meant to cover all policies pertaining to the legal, technical and physical controls within a company’s information risk management processes.
Developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system,” ISO/IEC 27001 does this using an extensive 6 part approach or planning process. Because the specification addresses a range of areas, such as documentation, the need for internal audits and corrective action, and stresses the universal ideal of continual improvement, it calls for a cooperative effort within an organization.
What are the requirements of ISO/IEC 27001?
According to IT Governance, the two most important activities when implementing ISO/IEC 27001 are:
- Scoping your ISMS (clause 4.3), in which you define what information needs to be protected; and
- Conducting a risk assessment and defining a risk treatment methodology (clause 6.1.3), in which you identify the threats to your information.
Organisations are also required to complete the following mandatory clauses:
- Information security policy and objectives (clauses 5.2 and 6.2)
- Information risk treatment process (clause 6.1.3)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement of results (clause 9.1)
- Internal audit programme (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
What are the benefits of ISO 27001?
Implementing an effective information security management system as outlined in the standard protects your organization and minimizes the risk of security breaches, which could have large-scale implications, by putting in place a system of policies that ensures security regardless of the format the information takes. The benefits of this include increased customer and business confidence, improved information management processes, and increased business resilience.
The format of any ISO standard and its emphasis on continual improvement also work to ensure that security processes are updated and constantly improved upon, so that security measures do not become outdated.
If you have made the decision to implement ISO/IEC 27001 in your organization and reap the rewards of a robust information security management system, you need to start considering certification. Certification is proof to your interested parties of your conformity to the standard, and it provides a third-party, impartial assessment of your organization that is meant to improve your internal system and ensure it is working at its peak capacity. Certification is also a great way to motivate your team to work towards a goal, to set stringent deadlines for achievement and improvement, and to give your organization a purpose and end goal for the management of its information security.
Because certification requires the stringent implementation of the procedures outlined in the standard as well as the production of all the mandatory documents and records, the process can be made simpler by having a detailed guide to follow or a checklist to reference.
Recommended references for ISMS
- ISO/IEC 27001:2013 Information security management systems – Requirements
- ISO/IEC 27002:2013 Code of practice for information security management
- ISO/IEC 27004:2016 Information security management – Measurement
- ISO/IEC 27005:2018 Information security risk management
Implementation of ISO 27001 allows you to reap numerous benefits and advantages, but to assess whether certification makes sense for your organization you need to investigate what your security goals are and whether adopting ISO 27001 allows you to cover them. Other factors to consider are the experience and qualifications of your team and whether they will be able to implement the standard appropriately. If you do not think your team is capable, you should consider hiring a new internal team member for your quality team, or search for an external consultant. ISO Update has a directory of highly qualified consultants and auditors for you to hire within your region.
A detailed evaluation of your goals and how closely they align with those of ISO/IEC 27001 will help your team or consultant implement the standard properly and use it effectively to secure certification year after year and to protect your system for your company’s future. If these goals are realistic, and you are certain you can incorporate the standard with reasonable effort, it is well worth the resources and work to seek certification to ISO/IEC 27001. Read more about ISO 27001 from IT Governance.
To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? Before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regard to ISO and management system certification.