We live in the digital age and no company can afford to ignore the importance of proper information security management. Risks range from virus attacks to outright company information theft. Customers rely on the service provider to ensure that information they supply to the company is kept safe. Any breaches in the company’s information security also put its customers at risk. ISO 27001 of 2013, which has replaced the 2005 version, is an international standard that provides the framework for setting up and managing an information security management system (ISMS) to mitigate and protect against such risks.
Publisher
The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) developed the specification jointly through a subcommittee, which is why the standard is formally designated ISO/IEC 27001.
Certification
It is not compulsory for an organisation to get certified, though it is recommended. Certification must be done by an accredited and independent certification body.
Structure
The standard consists of ten clauses and an annex:
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Context of the organisation and its stakeholders
Clause 5: Information security leadership and top-level policy support
Clause 6: Planning of the ISMS
Clause 7: Support of the ISMS
Clause 8: Requirements for making the ISMS operational
Clause 9: Performance evaluation and reviews
Clause 10: Corrective steps (improvement)
The control objectives and controls are listed in Annex A. Annexes B and C of the 2005 version of ISO 27001 are no longer valid.
How ISO/IEC 27001:2013 Differs from the 2005 Version
More focus is placed on the measurement and evaluation of ISMS performance. The 2013 version also contains a section dedicated to outsourcing, which addresses the risks that arise when third parties manage specific aspects of the organisation's information technology. With more and more companies making use of outsourced solutions, it has become important for the standard to cover outsourcing explicitly.
Whereas the 2005 version prescribed the Plan-Do-Check-Act cycle, the 2013 version allows for continuous improvement processes using the Six Sigma approach. The new version makes provision for placing security risks in their organisational context. It is also better aligned with other international standards such as ISO 9001, which makes it easier to integrate the various ISO-compliant management systems and thus to administer and manage them together. A full range of new controls has been added, including information security in project management, a secure development policy, response to security incidents, and several others.
What is ISMS?
To fully understand the importance of ISO 27001, it is essential to understand what an information security management system is. In a nutshell, such a system is put in place to manage the company's information security. It includes monitoring, reviewing, maintaining, and improving the organisation's management of security risks in line with its organisational goals, and it covers the people involved, the processes followed, and the technologies used. It isn't just about installing antivirus or virus-detection software. It is about firewalls, authorisation controls, policies on sharing information, prioritising security, authentication, asset protection, and more. It entails the full coordination of information security, including the technology, people, policies, physical protection, and procedures.
Implementation
Each organisation has its own information security risks to manage, and these differ from those of other companies, even within the same industry, so it is essential to put the ISMS in its organisational context. The first step is to determine what is already in place and what must still be done; this is called a gap analysis. Integral to successful implementation is training of personnel to understand ISO/IEC 27001, internal auditing, external auditing, leading audit teams, managing the ISMS, and complying with statutory regulations.
Types of Information
Implementation can help with the management of security risks related to financial, customer, employee, and intellectual property information.
Statutory Requirements
Implementation of ISO 27001 helps the company to remain statutorily compliant with legislation such as the Data Protection Act, the Regulation of Investigatory Powers Act, the Freedom of Information Act, the Copyright, Designs and Patents Act, the Human Rights Act, and the Telecommunications Regulations.
What Next?
Call on our experts to assist your organisation in identifying and addressing the steps needed for successful implementation of ISO/IEC 27001:2013 and to become certified.