What is ISO 27001?

ISO 27001 was published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC), to set the international standard for information security. Its full name is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements”, and it was last updated in September 2013.


The ISO 27001 framework is a combination of policies and processes for organizations to use. It provides a framework that helps organizations of any size and in any industry protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).


The standard’s best-practice approach helps organisations manage their information security by addressing people, processes and technology. Not only does the standard give companies the know-how needed to protect their most valuable information, but a company can also be certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.


The basic goal of ISO 27001 is to protect three aspects of information:

· Confidentiality: only authorized persons have the right to access the information.

· Integrity: only authorized persons can change the information.

· Availability: the information must be accessible to authorized persons whenever it is needed.


To achieve those goals, ISO 27001 recommends assessing the risks related to the organization’s various policies and processes, and deciding whether each of those risks is relevant to the organization or not.


Below are some examples (not an exhaustive list) of control sets:

· Information security policies

· Organisation of information security

· Human resource security

· Asset management

· Access control

· Cryptography

· Physical and environmental security

· Operations security


However, compliance with ISO 27001 is not straightforward. There are processes to follow and a lot of requirements to fulfill. Below are some examples (not an exhaustive list):


· Conducting a risk assessment.

· Reviewing and implementing the required controls.

· Developing the appropriate documentation.

· Conducting staff awareness training.

· Reporting (e.g. the Statement of Applicability and risk treatment plan).

· Continually measuring, monitoring, reviewing and auditing the ISMS.

· Implementing the necessary corrective and preventive actions.



Certification to the ISO 27001 standard is recognised worldwide as an indication that your ISMS is aligned with information security best practices. Individuals can also become ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers.


If you would like to have your organisation ISO 27001 certified, or you simply want a proper information security management system implemented, Ascentrix Consulting can help you. Please do not hesitate to contact us.