Just like any other important business asset, information has value to an organization and consequently needs to be protected. An Information Security Management System [ISMS] is the part of the overall management system that is built on a business risk approach and helps establish, implement, operate, monitor, review, maintain and improve information security.
ISO/IEC 27001 specifies an ISMS: an overarching management framework and a suite of activities concerning the management of information risks. Through this framework, the organization identifies, analyzes and addresses its information risks. It ensures that the security arrangements are kept up to date to keep pace with changes in security threats, vulnerabilities and business impacts. This is a crucial aspect in a dynamic field, and also a major advantage of ISO27k’s flexible risk-driven approach. ISO/IEC 27001 is the only auditable international standard that defines the requirements for an ISMS.
The Plan-Do-Check-Act Methodology
An ISMS should follow the Plan-Do-Check-Act methodology.
- The Plan phase includes designing the ISMS, assessing information security risks and selecting suitable controls that should be implemented.
- The Do phase is about implementing and operating the controls.
- The Check phase involves reviewing and evaluating the performance of the ISMS.
- During the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
History of ISO 27001
ISO 27001 is derived from BS 7799 Part 2, which was first published by the British Standards Institution in 1999. BS 7799 Part 2 was revised in 2002, incorporating the Deming Cycle, also known as the Plan-Do-Check-Act [PDCA] Cycle. In 2005, it was adopted as ISO 27001 with various changes to reflect its new custodians. After being extensively revised, the second edition was published in 2013; this brought it into line with other ISO management system standards and dropped the explicit reference to the PDCA Cycle.
The Structure of the ISO 27001 Standard
ISO/IEC 27001:2013 contains the following Sections:
- Introduction: It explains a process for systematically managing information risks.
- Scope: It specifies general ISMS requirements that are suitable for organizations of any type, nature or size.
- Normative References: Only ISO/IEC 27000 is considered essential to users of 27001, while the other standards in the ISO27000 series are optional.
- Context of the Organization: This includes understanding the organizational context, the expectations and needs of Interested Parties and defining the scope of ISMS. Section 4.4 states that “Organization should establish, implement, maintain and continually improve” the ISMS.
- Leadership: The Top Management should demonstrate leadership and commitment to the ISMS, mandate applicable & relevant Policies, and assign information security roles, authorities and responsibilities.
- Planning: This includes outlining the processes to identify, analyze and plan so as to treat information risks, and clarifying the objectives of information security.
- Support: Competent and adequate resources must be assigned, awareness of information security must be raised, and appropriate documentation must be prepared and controlled.
- Operation: This section gives more detail about assessing and treating information risks, managing changes, and documenting activities so that they can be audited by the certification auditors.
- Performance Evaluation: This section includes monitoring, measuring, analyzing and evaluating the information security controls, processes, and management system, so as to systematically improve things where required.
- Improvement: This section is about addressing the findings of Audits and Reviews and making continual refinements to the ISMS.
In addition, Annex A (Reference Control Objectives and Controls) lists the controls that certified organizations are expected to use. The main body of the standard states that organizations are free to deviate from or supplement Annex A in order to address their particular information risks.
What are the expected features of an ISMS?
An ISMS should do all of the following:
- Adopt the PDCA Model
- Adopt a Process-based Approach, instead of a People-based Approach.
- Identify & manage Activities and Functions effectively
- Stress Continual Improvement of Processes
- Cover Information Security as a whole in its scope, not just IT Security
- Focus on People, Process & Technology
- Provide resistance to intentional acts designed to cause damage to the Organization.
- Be a blend of Management Control, Technical Control, and Operational Control.
- Become an overall management system to establish, implement, operate, analyze, review, maintain and improve Information Security.
What are the Benefits of ISO 27001 Certification?
Certifying the ISMS against ISO 27001 is beneficial to an organization in the following multiple ways:
- It is an independent framework that accounts for all legal and regulatory requirements.
- It provides the ability to demonstrate and independently assure the internal controls of the organization.
- It helps in providing a competitive edge to the organization.
- It proves Senior Management commitment to the security of business and customer information.
- It formalizes and independently verifies the Information Security processes, documentation and procedures.
- It independently verifies that risks to the organization are properly identified and managed.
- It validates to Clients & Customers that the security of their information is taken seriously.
- It helps identify and meet contractual and regulatory requirements.
Neumetric, a cyber security services, consulting & products company based in Bangalore, notes that certified compliance with ISO 27001 by an accredited and respected Certification Body is entirely optional. However, it is increasingly being demanded by Clients, Business Partners and Organizations that are concerned about the security of their information, and about information security throughout the supply chain.
ISO 27001 Certification brings many benefits above and beyond mere compliance, and it says more than just “We are a Quality organization”. It has marketing potential that strongly demonstrates that the organization takes information security management seriously.