ISO 27001 Certification: Information Security Management System
What is ISO 27001?
The ISO 27000 family is a series of standards that together provide guidance on building and running an information security management system (ISMS).
The six most commonly used standards in the series are:
- ISO 27000:2016 – Overview of the series and the vocabulary used for information security management systems;
- ISO 27001:2013 – The requirements for establishing, implementing, maintaining and improving an ISMS, together with the Annex A controls that each organization must consider when treating risks to the confidentiality, integrity and availability of its information assets; this is the only standard in the series an organization can be certified against;
- ISO 27002:2013 – Commonly referred to as the Code of Practice, it provides implementation guidance for each of the Annex A controls;
- ISO 27003:2010 – Guidance on implementing ISO 27001 and ISO 27002 in an organization;
- ISO 27004:2009 – Guidance on measurements and metrics for judging the effectiveness of an ISMS;
- ISO 27005:2011 – Guidance on information security risk management methodologies and techniques.
In the last several years, additional standards have been published in the ISO 27000 series, including sector-specific guidance for healthcare and telecommunications and more detailed guidance on technical controls for applications and networks, to name a few.
Most organizations work primarily with ISO 27001 and ISO 27002 when implementing an information security management system.
Benefits of ISO 27001 Registration
Organizations are continuing to look for methods to address information security and reduce the likelihood of a breach through risk-based management of services and offerings. Since 2005, interest in ISO 27001 certification has grown rapidly. Numerous reasons are behind the increasing popularity of the information security management standard, some of which include:
- Demonstrates a commitment to protecting the confidentiality, integrity, and availability of information to stakeholders, customers, and partners;
- Increased focus on preventive measures that limit the damage to a company’s reputation when a security incident does occur;
- Increased interest in understanding security risks and in planning security investments on the basis of need rather than guesswork;
- Increased desire to ensure that staff at all levels are aware of organizational security responsibilities; and
- Increased interest in maintaining continuous security risk reduction through planned and predictable activities that monitor performance to expectations.
ISO 27001 Implementation Requirements
The rise of globalization, cloud computing, and the internet has required companies to protect and monitor the many systems they use to collect, manage and analyze information.
The ease of aggregating information, however, has also made companies more exposed: the same data must be protected from accidental disclosure and from theft or fraud. ISO 27001 was created to give companies a common framework for managing information security, treating risks, and preventing such losses.
Each organization will have a defined implementation that is based on the types of infrastructure, information, products and services provided, all by applying a risk-based approach to information security management.
ISO 27001 is made up of eight major sections (clauses) that must be implemented by an organization, plus Annex A, which lists the controls and control objectives that every organization must consider:

| Clause | Title |
|---|---|
| 1-3 | Scope, References, Terms |
| 4 | Context of the Organization |
| 5 | Leadership |
| 6 | Planning |
| 7 | Support |
| 8 | Operation |
| 9 | Performance Evaluation |
| 10 | Improvement |

Within ISO 27001, clauses 4 through 10 are the management system elements, the mandatory ISO 27001 requirements. They set expectations and describe how to implement an information security management system that produces predictable results; clauses 1 to 3 only define the standard’s scope, references and terminology.
Based on its operations, services and the risk levels associated with its sector, each company selects controls from ISO 27001 Annex A; the controls are intended to reduce the likelihood and impact of a harmful information security incident. Annex A controls and control objectives are applied to the risks the organization has identified, with the aim of producing a system that defines how information security is managed, what steps are taken, and what results are intended to be achieved.
In many cases, organizations have already invested time and resources in controls that map directly onto specific Annex A requirements. For example, a company may already have deployed firewalls to protect its networks, introduced background checks for new employees, or set up access profiles on existing systems so that information is only available to those who need to know.
Since many organizations have started the implementation process to meet customers’ demands, the most pragmatic way to approach ISO 27001 is to evaluate the current system against each of the mandatory processes and Annex A controls. The Annex A controls are grouped as follows:
ISO 27001 Annex A Domain
- A.5 – Information security policies
- A.6 – Organization of information security
- A.7 – Human resource security
- A.8 – Asset management
- A.9 – Access control
- A.10 – Cryptography
- A.11 – Physical and environmental security
- A.12 – Operations security
- A.13 – Communications security
- A.14 – System acquisition, development and maintenance
- A.15 – Supplier relationships
- A.16 – Information security incident management
- A.17 – Information security aspects of business continuity management
- A.18 – Compliance
Once the information security management system has been implemented, ISO 27001 certification (also called ISO 27001 registration) is the way a company proves that it has met the requirements. After documenting its processes and performing internal reviews, the company engages an independent, accredited certification body to audit the ISMS and confirm that the company is actually following the processes it has defined. If the audit is passed, the company receives a certificate that it can present to existing and potential customers as evidence of its commitment to information security. The certificate is not permanent: it is normally valid for three years, with annual surveillance audits in between and a full recertification audit at the end of the cycle.
Challenges of ISO 27001 Certification
The challenge many organizations face in preparing for ISO 27001 certification is the speed and depth of implementation needed to meet the requirements. ISO 27001 is a risk-based, situation-specific standard. Many companies read through the requirements and try to fulfill every one, rather than first evaluating the organization’s needs to determine which controls would actually reduce its risks. When the standard is applied that way, unnecessary or overly complicated solutions get built for simple problems. By over-applying the standard, organizations expend precious resources and time, and end up with a less favorable view of the benefits of ISO 27001.
Many organizations are new to ISO 27001, so they seek a consultant to help them find the most practical and cost-effective approach to information security management, which can:
- Reduce the time needed to implement the standard and meet customer requirements;
- Reduce the cost of implementing and maintaining the requirements;
- Adapt existing practices to meet the requirements while minimizing the impact on the organization’s operations;
- Educate staff on what the standard expects of them;
- Align ISO 27001 with the organization’s other compliance requirements; and
- Ensure the organization achieves ISO 27001 certification on its first attempt.