What is ISO27001?
ISO27001 is an international standard for an Information Security Management System (ISMS), in exactly the same way as ISO9001 is the standard for a quality management system. ISO27001 is embedded within the organisation at the corporate risk governance layer. It ensures that the organisation's own approach to information risk management is controlled, measurable, transparent and represented in a formal management system. The standard is focused on information security risk, but the best implementations put core business processes at the centre of the management system and do not treat information risk in isolation.
A board of directors that does not understand the information risks it faces, or chooses to ignore them, cannot claim to be managing them, and that position is very difficult to defend in a court of law.
Why do clients need it?
For a board of directors to knowingly and objectively manage information risk, there must be assurance around the risk management framework it has adopted. ISO27001 is internationally recognised, broad in its coverage of the different aspects of security, and will fit any organisation of any type or size. Conformance with the standard can be independently certified by an accredited certification body, and that external, independent verification is one of the few forms of due diligence that can be evidenced and argued in a court of law.
The scope of the ISMS can be shrunk to include a single process, system or activity, or expanded to include the entire organisation. It is possible to start with a small pilot scope and then grow this depending on client appetite.
The Net-Defence specialist consultancy helps you with the creation, implementation and embedding of the management system within your organisation to fulfil the requirements of ISO27001:2013. The mandatory requirements of the standard (context, leadership, planning, support, operation, performance evaluation and improvement) are supported by the Annex A controls, which are grouped into the following 14 domains:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
The implementation process has the following key stages:
Stage 1: Site Visit and Organisational Scoping
The objective of this stage is to agree the organisational scope of the ISMS and to understand the activities that are performed at each physical location. A secondary objective of the site visit is to assess the physical security that is in place at each of those locations.
Stage 2: Information Security Analysis
This stage has two objectives. The first is to baseline the in-scope operating environment using business process mapping and the creation of both the data asset register and the associated impact assessments. The second is to perform a vulnerability analysis of the internal and external ICT systems, including networks, infrastructure, clients and servers.
Stage 3: Establish Baseline Security Environment
This stage of the project builds on the work already done to establish a security baseline. The remediation findings from the previous stage help to define a pragmatic minimum set of security controls, policies and procedures, based on the risk appetite of the organisation. This stage delivers the majority of the documentation required by the ISO27001:2013 standard. Annex A of the standard lists 114 controls grouped under 35 control objectives, but it is at the organisation's discretion, driven by its risk assessment, to determine how, or whether, each control is applied; every inclusion and exclusion must be recorded and justified in the Statement of Applicability, which the certification auditor will review.
Stage 4: Risk Management
The objective of this stage of the project is to design and implement risk treatment based on the organisational risk appetite identified during the earlier analysis. Technical remediation options for infrastructure and ICT have already been defined in a previous stage, so the focus here is on policy, people, process and procedure. This stage also plans how the management system is embedded within the organisation through the allocation of roles and responsibilities, competence management and the creation of an information security forum that is responsible for the maintenance and running of the management system. A further objective of this stage is to compile the organisation's register of legal, regulatory and contractual requirements and to develop a process for keeping that register up to date.
Stage 5: Embed the management system
This stage of the project ensures that the ISMS is embedded within the organisation and that the associated knowledge transfer has taken place. This is an important activity with regard to the proposed certification of the management system. Should you choose to obtain external certification, the external assessor will seek evidence that the organisation itself has adopted the management system and is responsible for its day-to-day running.
Why do companies adopt ISO 27001?
It may be a requirement of a contract framework or contract award, for example in the public sector or with financial organisations, and can effectively be a licence to trade with companies in certain regulated sectors. It demonstrates to clients, suppliers and third parties that the organisation has demonstrable control of its information risk. It provides a competitive advantage over organisations that cannot demonstrate they are controlling information risk. It provides independent, accredited evidence that information is managed against threats such as cyber-attack.
It may provide evidence of due diligence in the protection of information during litigation against a board of directors.
It gives senior management the confidence to knowingly and objectively accept the risks in their operations.
ISO27001:2013 Security Team Skillset
The ISO27001 Security Team skillsets include:
- ISO27001:2013 IRCA Lead Auditors
- ISO27001:2013 implementation specialists