How Implementation of ISO 27001 Applies to Information Security Management Systems
ISO 27001 is an internationally recognised standard for the setting up, implementation, and maintenance of information security management systems. Information security management systems are essentially frameworks for the development of policies and procedures in organisations for managing information risks. The policies and procedures related to the physical, legal, and technical controls must be in place to mitigate and manage the information security risks.
Compliance with ISO 27001 is not compulsory, but it is recommended. The standard follows a top-down approach and can be applied regardless of the level of technology involved. It is specifically designed to be applicable to any type or size of organisation, regardless of the industry in which the organisation operates. The standard thus provides a comprehensive framework or model for the implementation, operation, review, maintenance, and improvement of an organisation’s information security management system. The process to be followed can be divided into phases. First, the organisation defines its security policy and then sets the scope of its information security management system. Once that is done, the organisation performs a risk assessment and then treats the risks that have been identified. The organisation must then choose the control objectives, as well as the controls that will be used. Finally, the organisation prepares the statement of applicability.
The first step in implementing an ISO 27001-compliant information security management system is to study the standard in detail. We provide relevant templates for implementation, along with video-based instructions for using them. It is also important to gain a full understanding of what the standard entails and, to this end, we provide the relevant training. One misconception about ISO 27001 is that it prescribes specific information security controls. In order to be applicable to all organisations, the standard instead provides a checklist of controls from which the organisation can select.
Along with ISO 27001, organisations should also study ISO 27002, which provides the security control objectives and the good-practice controls. It is important to study all parts of the standard, including risk assessment, security policy, and the organisation of information security, in addition to asset management and HR security. The standard furthermore covers physical and environmental security, access control, communications and operations management, information security incident management, and information systems acquisition and maintenance. It also covers business continuity management and compliance requirements.
To ensure compliance, organisations must apply the controls of ISO 27002 that are relevant to their information security risks. Certification to ISO 27001 is recommended to ensure that the organisation’s information security management system is up to standard for mitigating risks, and to improve overall credibility with clients, since their information is also at risk once it is in the organisation’s systems. Organisations will furthermore benefit from studying ISO 27003, which provides guidance on implementing an ISO 27001-compliant information security management system.
Also relevant is ISO 27004, which provides the metrics for measuring and improving the information security management system’s performance, and ISO 27007, which provides the guidelines for auditing an ISO 27001 ISMS. It is important to understand that ISO 27001 is not prescriptive in nature, because companies have different information security risks. What is applicable to one company may not work for another. A firm may, for instance, work with relatively low volumes of data that do not change often. As such, the firm may only need to do weekly backups. Another firm of the same size in a different industry may work with large volumes of critical data that change about every hour. The latter will thus have to do hourly backups. To ensure that the standard can be applied to both firms, it does not prescribe every detail of managing information security risks.
We offer expert consultancy services to firms wanting to implement ISO 27001-compliant information security management systems. In addition, we provide a range of templates and video-based instructions. We also perform internal and supplier audits, independent third-party audits, legal audits, and gap analyses. In addition, we provide training and certification preparation services. Once certified, companies also benefit from our consultancy assistance in integrating their information security management systems with their existing ISO-compliant management systems, as well as from our help in maintaining and improving those systems for ongoing compliance with the requirements of the ISO 27000 series of standards.