ISO 27001 Standard
This standard was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); two leading organizations that publish international standards. ISO 27001 is a certifiable standard; although not obligatory, many companies choose to get certified as a means of reassuring clients of their care for thorough information security.
ISO 27001 provides a framework for organizations to follow in order to implement an ISMS, or information security management system. This system is the basis for managing the security of all information assets within a company. Any organization, no matter the size or industry, can use ISO 27001 to protect their information using a strong ISMS.
The fundamental objectives of ISO 27001 are as follows:
Confidentiality: Only authorized persons can access information.
Integrity: only authorized persons can change information.
Availability: authorized persons can access information whenever it is needed.
ISO 27001 Framework
The framework for ISO 27001 standard is a combination of processes, policies, and procedures that are required for an organization to successfully implement an information security management system. ISO 27001 framework is about assessing and treating risk, based on the provided controls and guidelines. The standard can be broken down into two sections; the management clauses (the requirements) and supporting guidelines (called Annex A).
The clauses in ISO 27001 provide a structured framework that guide organizations in the implementation of an ISMS. The company is required to thoroughly outline and discuss the topics of these management clauses.
Annex A is a list of controls that supports the required clauses. These are not mandatory, however they provide guidelines for identifying, treating, and managing risk; an integral part of the risk management process. Annex A offers safeguards by which the requirements of ISO 27001 can be met. The list consists of 114 controls, which all fall under the sections listed below:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resources security
A.8 Asset management
A.9 Access control
A.11 Physical and environmental security
A.12 Operational security
A.13 Communications security
A.14 System acquisition, development, and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
The two-part framework is essential for the development of an information security management system, which is a set of rules that are put into place for a company. The actual ISMS process includes:
- Defining objectives for information security
- Identifying and assessing information security risks
- Implementing controls and safeguarding methods to mitigate potential risk
- Measuring performance of security management
- Improving the ISMS continuously
ISO 27001 is deeply thorough yet completely customizable; the guidelines and requirements that are provided are the building blocks for every organization’s information security management system.
ISO 27001 Requirements
4. Context of the Organization – Understanding the internal and external issues and culture. Interested parties or stakeholders must be identified and considered.
5. Leadership – Top management must be committed to information security. Establishing objectives that are aligned to the strategies/goals of the organization is essential, as well as the promotion of these objectives.
6. Planning – Potential risks and opportunities must be outlined and taken into account. Information security efforts should be based on risk assessment/analysis.
7. Support – Resources, awareness, and communication for and among employees is required. Information needs to be documented and updated to support the ISMS.
8. Operation – Implementing processes and policies is mandatory; they must be planned and controlled. These should prioritize assessing and treating risk.
9. Performance Evaluation – The performance of the ISMS must be monitored, measured, analyzed, and evaluated. Conducting internal audits is essential, especially by top management.
10. Improvement – A process for continual improvement should be implemented, in order to keep the system successful and up-to-date. The PDCA (Plan-Do-Check-Act) process is recommended.
These management requirements are the crucial building blocks for an information security management system that protects the most valuable assets; whether that be financial information or employee details. These, along with the supporting guidelines found in Annex A, have helped organizations all over the world protect their information to the best of their capability.
When it comes to information security, ISO 27001 is a leading standard for a reason. ISO is an established organization that helps companies align their risk management measures to an internationally recognized benchmark. More than 40,000 organizations around the globe are ISO 27001 certified.
An ISO 27001-compliant information security management system will:
- Respond to evolving information security risks.
- Protect all forms of information. (digital, paper-based, etc.)
- Reduce an organization’s cyber security risks significantly.
- Demonstrate your organization’s commitment to the security of information assets.
- Help employees become more aware of information security risks across all silos of the organization.
- Reduce costs spent on damage control from lack of extensive security or on defensive technology that may not work.
With the ever-evolving security risks in this digital age, the benefits of information security are vast.