Everything you Need to Know about ISO 27001

ISO 27001 – Everything That You Need To Know

Just like any important business asset, information is also an asset that is valuable to an organization and needs to be protected. Information Security Management System [ISMS] is a fragment of the overall management system that is built on a business risk approach and helps establish, implement, operate, monitor, review, maintain and improve information security.

ISO 27001 being an ISMS Standard, is an overarching management framework, and a suite of activities concerning the management of information risks. Through this framework, the organization identifies, analyzes, and addresses its information risks. It ensures that the security arrangements are up-to-date to keep pace with changes to security threats, vulnerabilities, and business impacts. This is a crucial aspect in a dynamic field, and also a major advantage of its flexible risk-driven approach. ISO 27001 is the only auditable international standard that defines the requirements for an ISMS.

The Plan-Do-Check-Act Methodology

An ISMS should follow the Plan-Do-Check-Act methodology.

1. The Plan phase includes designing the ISMS, assessing information security risks, and selecting suitable controls that should be implemented.
2. The Do phase is about implementing and operating the controls.
3. The Check phase involves reviewing and evaluating the performance of the ISMS.
4. During the Act phase, changes are done where necessary to bring the ISMS back to peak performance.

History of ISO 27001

Derived from BS 7799 Part 2, ISO 27001 was first published as such by the British Standards Institute in 1999. BS 7799 Part 2 was revised in 2002, incorporating the Deming-Cycle or the Plan-Do-Check-Act [PDCA] Cycle. In 2005, it was adopted as ISO 27001 with various changes to reflect its new custodians. After being extensively revised, the second edition was published in 2013, which brought it in alignment with other ISO management systems standards and dropped the explicit reference to the PDCA Cycle.

The Structure of ISO 27001 Standard?

ISO 27001: 2013 contains the following Sections:

• Introduction: It explains a process for systematically managing information risks.
• Scope: It specifies general ISMS requirements that are suitable for organizations of any type, nature, or size.
• Normative References: Only ISO/IEC 27000 is considered essential to Users of 27001 while the other Standards in the  ISO 27000 Series are optional.
• Context of the Organization: This includes understanding the organizational context, the expectations and needs of Interested Parties, and defining the scope of ISMS. Section 4.4 states that “Organization should establish, implement, maintain and continually improve” the ISMS.
• Leadership: The Top Management should demonstrate leadership and commitment to the ISMS, mandate applicable & relevant Policies, and assign information security roles, authorities, and responsibilities.
• Planning: This includes outlining the processes to identify, analyze and plan so as to treat information risks, and clarifying the objectives of information security.
• Support:  Competent and adequate resources must be assigned, awareness about information security should be raised, appropriate documentation must be prepared and they must be controlled.
• Operation: This aspect includes more detail about assessing and treating information risks, managing changes, and documenting things so that it can be audited by the certification auditors.
• Performance Evaluation: This section includes monitoring, measuring, analyzing and evaluating the information security controls, processes, and management system, so as to systematically improve things where required.
• Improvement: This section is about addressing the findings of Audits and Reviews and making continual refinements to the ISMS.

Apart from this, there is another section called Annex A Reference Control Objectives and Controls that talks about implying certified organizations that are expected to use it. The main body of the Section states that organizations are free to deviate from or supplement it in order to address their particular information risks.

What are the expected features of an ISMS?

An ISMS should do all of the following:

1. Adopt the PDCA Model.
2. Adopt a Process-based Approach, instead of a People-based Approach.
3. Identify & manage Activities and Functions effectively.
4. Stress on Continual Improvement of Processes.
5. The scope should cover Information Security and not just IT Security.
6. Focus on People, Process & Technology.
7. Provide resistance to intentional acts designed to cause damage to the Organization.
8. Be a blend of Management Control, Technical Control, and Operational Control.
9. Become an overall management system to establish, implement, operate, analyze, review, maintain, and improve Information Security.

What are the benefits of ISO 27001 Certification?

Certifying the ISMS against ISO 27001 is beneficial to an organization in the following multiple ways:

1. It is an independent framework that accounts for all legal and regulatory requirements.
2. It provides the ability to demonstrate and independently assure the internal controls of the organization.
3. It helps in providing a competitive edge to the organization.
4. It proves Senior Management’s commitment to the security of business and customer information.
5. It formalizes and independently verifies the Information Security processes, documentation, and procedures.
6. Individually verifies that risks to the organization are properly identified and managed.
7. It validates to Clients & Customers that the security of their information is taken seriously.
8. It helps identify and meet contractual and regulatory requirements.

Neumetric, a cybersecurity services, consulting & products company based in Bangalore, recommends that certified compliance with ISO 27001 by an accredited and respected Certification Body is entirely optional. However, this is increasingly being demanded by Clients, Business Partners and Organizations that are concerned about the security of their information, and about information Security throughout the supply chain.

ISO 27001 Certification brings many benefits above and beyond mere compliance, and it says more than just “We are a Quality organization”. It has marketing potential that strongly demonstrates that the organization takes information security management seriously.