What is ISO 27001?
For organisations that are interested in implementing an Information Security Management System (ISMS) to manage the information security risks that could impact the confidentiality, integrity and availability of information then ISO 27001 should be your first consideration. ISO 27001 is the international standard that sets the requirements for establishing, implementing, maintaining and continually improving an ISMS.
Protecting an organisation's information is vital and it is often difficult to provide assurance to Senior Management and the Board as to the level of risk across the organisation without an Information Security Management System.
This standard helps you identify the threats toward your information security and create plans to address them. For any specific risk, you will have someone who is responsible capable enough to control the situation in case something goes wrong. This kind of process can manage and minimise risk exposure and automatically lead to a safer information exchange.
Information security is the responsibility of everyone in the organisation. For businesses, having optimal security can help them maintain a lead on the competition. It can also create better partnerships with other organisations, shareholders, customers, and stakeholders.
It is probably the case that sometimes you are asked by a client, third party or by law to show your organisation capability information security. In situations like this, ISO 27001 could be an excellent choice. This standard is recognised and used by many organisations worldwide, and by applying its clear and practical instructions, you can prove your trustworthiness concerning information security.
Requirements for ISMS
ISO 27001 is made up of 10 clauses and Annex A which outlines 114 security controls across 14 security domains. In clauses 1-3, terminology and definitions are explored and introductory information is given but there are no requirements that can be audited. Clauses 4-10 are outlined below:
- Clause 4 - Context of the Organisation: This outlines how to identify and analyse the organisation and its environment. It explores internal and external ISMS issues, scope, and expectations of other parties.
- Clause 5 - Commitment and Leadership: This outlines getting management involved for effective business strategies, allocating resources, and ways to establish ISMS policies.
- Clause 6 - ISMS Planning: This outlines how to manage risks, improve operations, and how to establish information security goals and objectives.
- Clause 7 - ISMS Support: This outlines how to ensure adequate resources, communication, and competencies within the organisation.
- Clause 8 - ISMS Operation: This outlines how to execute various controls and processes, how to meet requirements for ISMS, and actions to take for changes in scope.
- Clause 9 - Performance Evaluations: This outlines evaluating if predefined outcomes are occurring or if they need to be reevaluated.
- Clause 10 - ISMS Improvements: This outlines any areas that need to be reevaluated or improved upon. As context and scope may need adjusting, the process can be ongoing for ISMS to be fully effective.
- Information security policies
- Organisation of information security (includes mobile devices and teleworking)
- Human resource security (before, during and after a worker’s employment)
- Asset management (includes physical media)
- Asset control
- Physical and environment security
- Operations security (including backups, monitoring and malware)
- Communications security
- System acquisition, development and maintenance (includes test data)
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management (includes intentional redundancy to protect against interruptions)
- Compliance (includes legal and contractual requirements)