The ISO 27001 – Information Security
The ISO 27001 standard is the specification for an ISMS, an Information Security Management System. The information security management system helps maintain the confidentiality, integrity and availability of information and assets by applying a risk management approach based on a formal risk methodology, and thereby provides confidence to interested parties that risks are adequately managed.
The standard has recently been revised to ISO27001:2013 to be compliant with Annex SL Directives. The revised standard now has 14 sections and 114 controls in Annex A.
The objective of the standard is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System”.
It is important that the information security management system is part of, and integrated with, the organization’s business processes and management structure. Furthermore, it is imperative that information security is considered in the design of processes, information systems, and controls. The information security management system implementation should be appropriately scaled in accordance with the needs of the organization and its business requirements.
The standard defines its ‘process approach’ as “The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management”.
The implementation follows a defined six part ‘process’, roughly as follows:
- Define a security policy
- Define the scope of the ISMS
- Define and document a risk approach
- Identify how to manage the risks
- Select control objectives and controls to be implemented
- Prepare a statement of applicability
- Manage and maintain the ISMS
Mitec has implemented an ISMS for numerous clients and can facilitate an ‘appropriate’ approach, one which does not need to be expansive, but is in alignment with business requirements and objectives.