What ISO 27001 Implementation Means for Information Security Management
ISO 27001 is an international specification or standard for the development and implementation of an information security management system, most often referred to as an ISO 27001-compliant ISMS. The ISMS, in turn, as our consultants will explain in detail, is a framework of company policies and procedures for the management of information risks. It includes the physical, technical and legal controls that must be in place for optimal management of those risks.
Firms that want to become ISO 27001-compliant will do well to seek advice from experienced ISO 27001 consultants regarding implementation of the standard. The standard follows a top-down approach to information risk management and is not specific to any type of technology. Essentially, it provides for a comprehensive planning process consisting of six parts. The first entails defining the security policy, followed by setting the scope of the ISMS. This is followed by a risk assessment and then the management of the risks that were identified. The next phase entails choosing the control objectives and selecting which controls to implement. The final phase in the planning process entails the preparation of a statement of applicability.
What the Standard Does Not Do
The standard does not state which security controls to choose or implement. Instead, it merely provides a checklist of controls that the firm can use. It is also important to consult ISO 27002, as it gives detailed information on the security control objectives and controls. Since organisations are required to implement the controls, it goes without saying that it will also be important to study the relevant sections of ISO 27002. To prevent misunderstanding, it is best to seek guidance from ISO 27001 and 27002 consultants regarding implementation.
The standard has twelve sections with various sub-sections. The first section covers the risk assessment, the second focusses on the security policy, and the third on the organisation of information security. These are followed by asset management, HR security, physical and environmental security, and communications and operations management. The eighth section deals with access control, while the ninth covers the acquisition, development and maintenance of information systems. The tenth section deals extensively with incident management regarding information security breaches, with the eleventh covering business continuity management. The final section addresses compliance.
Companies seeking compliance with ISO 27001 will benefit from the expertise of ISO 27000 consultants regarding which related standards to consult. ISO 27003, for example, provides implementation guidance, while ISO 27004 is the information security measurement standard that provides a framework of metrics for ISMS improvement, and ISO 27005 is the information security risk management standard. Companies will also benefit from studying the contents of ISO 27007, which provides guidelines for auditing a firm's ISMS for ISO 27001 compliance.
Misunderstanding ISO 27001
Consultants often find that clients think of ISO 27001 as a prescriptive standard. They think the standard will tell them exactly what must be done in every situation, such as how often backups must be made or what type of technology must be implemented to protect their networks. The truth is that the standard is not technology-specific and does not prescribe the exact details. The reason is simple. The standard must be applicable to all organisations, regardless of the industry in which they operate and regardless of the technology used, or the size of the firm.
Data changes extremely fast, and some companies may need to back up more often than others. Some may even need to back up in real time, while other companies do not have enough data, or enough change in their data, to necessitate real-time or even hourly backups; they can still get by with daily backups. As such, the standard cannot prescribe such details, as it must fit every type of company.
What Is At the Heart of ISO 27001
As our consultants will be able to explain, the core of ISO 27001 is to provide a framework for the level of information security and protection that suits the company's specific needs. This is possible if the company performs risk assessments according to the specific risks it is likely to encounter. In essence, the standard gives the company a systematic approach to risk management: a framework for implementing safeguards that prevent, treat, manage or completely eliminate risks according to the company's specific situation. The aim is to implement the controls that the specific risks call for, not controls that some standard lists and mandates. It is essential to implement only the relevant controls. That being said, it is also important to implement all the relevant controls and not to discard some simply out of preference.
It Is about More than the IT Department of the Organisation
The IT division of the company already takes the technical steps to safeguard against risks by implementing the relevant technical controls. However, information breaches often occur not because of failure on the technical side, but because of people. Employees share information without authorisation, or do not follow the correct procedures when distributing sensitive information. For this reason, it is essential to create policies and procedures for all employees. It is also important to train employees, develop awareness, implement disciplinary measures, and put legal protection in place.
The above is important, since not all information is stored in the cloud or on computers; it also pertains to paper-based sensitive information. Focussing on technical safeguards only will thus not be enough. ISO 27001 covers all information security and thus requires enterprise-wide implementation of policies and procedures regarding information security and risk management. For the company's information security management system to be effective, it must cover the entire organisation at all levels.
As experienced ISO 27001 consultants, we assist companies in the design, development, implementation, integration, improvement, and maintenance of a fully compliant ISMS. We also assist with gap analyses, internal and external auditing, training in ISO 27001, the development of internal audit lead teams, and more.
Avoid pitfalls in the implementation of ISO 27000 standards. Make use of our expertise in all the above aspects.