ISO 27001 – Understanding the Basic Structure of the Standard for Certification Purposes
ISO 27001 certification is not compulsory, but it is widely recommended. Certification is an independent, documented confirmation by an accredited certification body that your information security management system conforms to the requirements of ISO 27001. It thus lends credibility to your organisation’s information security in the eyes of customers, stakeholders, and suppliers.
Why implement the standard?
The ISO 27000 family of standards has been developed to assist organisations in keeping their information secure. By meeting the requirements of ISO 27001, whether for certification or simply because your firm values its information assets, you are better placed to protect assets such as company details, employee information, intellectual property, financial data, and information entrusted to your firm by third parties.
What is ISO 27001?
ISO 27001:2013 is the standard in the ISO 27000 family that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). For certification purposes, an ISMS is a defined, systematic approach to managing and protecting sensitive information. It is not merely an IT system: it encompasses people, processes, and technology, and its implementation requires a documented information security risk assessment and risk treatment process.
It involves a range of activities for managing information security risks. An ISMS is not merely a requirement for certification; it is the mechanism by which valuable information is actively protected. The system helps the organisation keep pace with changing threats, vulnerabilities, and impacts. It touches every aspect of information security, and organisations of many kinds, including medical practices, accountancy firms, data-centre operators, and hosting companies, benefit from conformity with the standard.
Keep in mind that ISO 27001 does not mandate a fixed set of controls. Organisations implementing an ISO 27001-compliant ISMS select the controls that are necessary to treat their assessed risks; controls may be drawn from Annex A or from any other source. Risk treatment is not limited to mitigation: an organisation may choose to accept, transfer (share), or avoid a risk rather than reduce it with a control, provided the decision is justified by the risk assessment and approved by the risk owner. Two caveats matter for certification: the selected controls must be compared against Annex A to confirm that no necessary control has been overlooked, and a Statement of Applicability must list the necessary controls and justify both their inclusion and the exclusion of any Annex A controls (clause 6.1.3).
Structure of the standard
Understanding the structure of the standard is essential if your organisation is seeking ISO 27001 certification. We offer extensive training on it, including training for internal auditors; the overview below is intended to get you started. The standard is divided into numbered sections, called clauses in the standard itself. Clause 0 is the introduction, which explains that an ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process. Clause 1 is the scope: the requirements are generic and apply to all organisations regardless of type, size, or nature, and excluding any of the requirements in clauses 4 to 10 is not acceptable when an organisation claims conformity. Clause 2 lists the normative references and clause 3 the terms and definitions.
Clause 4, context of the organisation, is especially important for certification: it requires the organisation to identify the internal and external issues relevant to its purpose, the needs and expectations of interested parties, and, on that basis, to define and document the scope of the ISMS. Clause 5 deals with leadership. As with all ISO management system standards built on the common high-level structure, top management involvement from the outset is essential; the clause sets out management’s commitment, the information security policy, and the assignment of roles, responsibilities, and authorities.
Planning is dealt with in Clause 6, which describes how information security risks are identified, analysed, and evaluated, and how their treatment is planned. It also requires measurable information security objectives and plans to achieve them. Clause 7 covers support: the provision of resources, the competence and awareness of people doing work under the organisation’s control, internal and external communication, and the documented information that must be created, updated, and controlled.
Clause 8 focuses on operation: planning and controlling the processes needed to meet the requirements, performing information security risk assessments at planned intervals or when significant changes occur, and implementing the risk treatment plan. It also deals with the control of planned changes, the review of unintended changes, the control of outsourced processes, and the retention of documented information as evidence for certification. Clause 9 covers performance evaluation: monitoring, measurement, analysis, and evaluation of information security performance and ISMS effectiveness; internal audits at planned intervals; and management review of the ISMS.
Clause 10 deals with improvement. It requires that nonconformities, however they come to light, are reacted to, that their causes are addressed through corrective action whose effectiveness is reviewed, and that the suitability, adequacy, and effectiveness of the ISMS are continually improved. The standard also includes Annex A, a normative list of control objectives and controls (in the 2013 edition, 114 controls grouped under 14 clauses) against which the controls selected under Clause 6 must be compared. Note that ISO/IEC 27001:2022 has since replaced the 2013 edition and restructured Annex A into 93 controls under four themes, so confirm which edition your certification body is auditing against. The bibliography forms the last part of the standard.
We provide training on all aspects of ISO 27001 certification, assist with the preparation process, help with management reviews, provide templates, and conduct audits.