What does ISO/IEC 27001 stand for?
ISO/IEC 27001:2013 is an international standard that provides requirements for information security management in an organization. Using this standard enables organizations of any type to manage the security of assets such as financial data, intellectual property, employee data or information entrusted by third parties. The standard was published in 2013.
This article examines how the ISO 27001 standard, also known as ISO/IEC 27001:2017, can be used to provide requirements for the creation, implementation, maintenance and continuous updating of an information security management system (ISMS). An Information Security Management System, also known as ISMS, is a methodical approach to managing an organization’s crown jewels (e.g. valuable assets and data) and sensitive information to ensure it is kept safe through a risk management strategy. In addition, a company should strive for the following three primary security goals with the help of the ISMS:
– Confidentiality: only authorized persons can access the information.
– Integrity: information must not be altered without authorization or unintentionally.
– Availability: the information must be available to authorized employees at all times so that they can access it when needed.
ISO 27001 requirements
The part of the standard entitled “Requirements” sets out the essential characteristics that a company must possess in order to manage its ISMS effectively. It is divided into eleven concise clauses, numbered 0 to 10. Clauses 0 to 3 (introduction, scope, normative references, and terms and definitions) give an overview of the ISO 27001 standard and its structure. Clauses 4 to 10 set out the mandatory requirements for an ISMS that an organization must put in place in order to comply with the standard.
To keep an organization’s information confidential and secure, the standard relies on a risk management strategy. After a risk assessment has identified possible threats to information, the next step is risk treatment, that is, mitigating those threats by implementing security controls. Policies, procedures and technological controls are the types of security controls used to protect assets, and they are designed to reduce the identified risk. The ISMS must meet all of the essential requirements listed below.
ISO 27001 management framework
Context of the organization
Defining the intended scope of the standard within the organization, together with the external and internal issues and the interested parties whose requirements must be taken into account. Understanding the organization and the environment in which it operates, the expectations of the various stakeholders and the scope of the management system helps achieve this goal.
Defining the roles and responsibilities of top-level management and the key elements of the information security policy. This is achieved by having top-level management commit to an effective Information Security Management System (ISMS) and security policy, and by explicitly assigning the roles and responsibilities associated with security.
Planning, the sixth clause, defines the information security objectives as well as the requirements for risk assessment, risk treatment and the Statement of Applicability. Setting information security objectives means defining a strategy to achieve them and taking action to address the risks and opportunities within the organization.
Establishing the requirements for resources, competence, awareness, communication and the control of documents and records. This is achieved by providing the necessary resources, communication and training related to information security awareness.
Operation, the eighth clause, determines how risk assessment and risk treatment are carried out, together with the controls and other processes required to achieve the information security objectives. This is achieved by using a risk-based methodology for the assessment, determining each risk and the possible treatments for it, developing a risk treatment plan, and implementing that plan for the risks identified.
The periodic performance evaluation, which sets the requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.
Setting requirements for nonconformities, corrections, corrective actions and continual improvement, taking advantage of opportunities to make security procedures and controls more effective over time.
Controls to Ensure Security (Appendix A)
Appendix A, often referred to as the Controls section, is the part of ISO 27001 that contains a collection of 114 security controls or safeguards that serve as the industry standard. These controls are divided into 14 domains, described in the following categories:
Information Security Policies
These include determining the management direction and rules for information security in accordance with the needs of the organization and applicable laws and regulations.
Establishing an organizational structure
Establishing an organizational structure to start and control the implementation of information security. This is referred to as the “organization of information security”.
Personnel security involves ensuring that employees and contractors understand their responsibilities and are suitable for the roles they are considered for; they must also be aware of and fulfil their information security responsibilities before, during and after their employment with the company.
Asset management is the process of identifying corporate assets and defining appropriate protection responsibilities, such as preventing the unauthorized disclosure, alteration, removal or destruction of information stored on media.
Access control restricts access to information and information processing facilities so that only authorized users can use them and unauthorized users cannot gain access to systems and services.
Cryptography
Ensuring the correct and effective use of cryptography to protect the confidentiality, authenticity and integrity of information.
Physical and environmental security
The prevention of unauthorized physical access, damage and interference with the organization’s information and information processing facilities. This also includes protection against environmental hazards such as fire and flooding.
Operations security
Ensuring that information processing facilities are operated correctly and securely.
Communication security involves ensuring the security of data stored on networks and the information processing facilities employed to support those networks, as well as maintaining the confidentiality of data transmitted both within an organization and to third parties.
Acquisition, development and maintenance of systems
Ensuring that information security is an integral part of information systems throughout their lifecycle. This also includes the requirements that information systems must meet in order to provide services over public networks.
Supplier relationships
Protecting the organization’s information assets that are accessible to suppliers, while maintaining positive relationships with those companies.
Information security incident management
Ensuring a consistent and effective approach to the management of information security incidents, including communication about security events and weaknesses.
Business Continuity Management (BCM)
The incorporation of information security continuity into the organization’s business continuity management (BCM) systems, covering the information security aspects of business continuity management.
Compliance refers to avoiding breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. This includes compliance with legal and contractual requirements and information security reviews.
How to meet the requirements of ISO/IEC 27001
- Who: An organization that wants to strengthen its information security management system using the well-known standard of best practices in information security and achieve the required level of security should consider implementing ISO/IEC 27001.
- When: ISO/IEC 27001 can be implemented and certified at any time, but certification is not mandatory. An organization may choose to implement the standard first and get certified later, for example if it is required to do so by regulations, or if it wants to increase customer and client confidence through enhanced security assurances.
- Where: The standard can be adopted and implemented in any organization, regardless of its size, type and nature, whether private or governmental, and whether for profit or not.
- Why: ISO/IEC 27001 is beneficial to organizations because it requires them to take a holistic approach to security. It helps organizations comply with government regulations, gives them a marketing advantage by assuring customers of their security, saves costs by preventing incidents, and improves organizational efficiency by creating policies and procedures for a coordinated approach to information security.
- How: An organization that uses ISO/IEC 27001 as the standard for its information security management system would take the actions listed below to improve that system.
Performing a gap analysis: This is the very first action that needs to be taken to achieve compliance. A gap analysis can be performed either in-house or by an external information security specialist. Through a gap analysis, an organization can determine which requirements and controls it already complies with and which it does not.
Addressing the gap: If there are requirements or controls that the organization is not meeting, it has the ability to make changes to its people, processes, and technology to ensure compliance with those requirements and controls.
Measure, monitor and check
The performance of the ISMS must be continuously evaluated for effectiveness and compliance, and improvements to current processes and controls must be identified. This is a requirement that must be met at all times.
The ISMS requires internal audits to be conducted at planned intervals, so practical knowledge of how to lead an audit is necessary. This knowledge is also critical for those responsible for implementing and maintaining ISO/IEC 27001 compliance before the certification audit is conducted by an external auditor or by a body authorized to certify and register an organization as ISO/IEC 27001 compliant.
During the first stage of the certification audit, the auditor assesses whether the documentation meets the criteria of the ISO/IEC 27001 standard and points out areas where the management system is non-compliant or can be improved. Once all necessary adjustments have been made, the organization is ready for the second stage audit, in which the auditor makes a comprehensive assessment to determine whether or not the company complies with the ISO/IEC 27001 standard.