01 Nov

ISO 27001:2013 Information Security Management System

Information security is the protection of information to ensure:

    • Confidentiality: ensuring that the information is accessible only to those authorized to access it.
    • Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
    • Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions). An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business risk approach, in order to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security.

ISO publishes two standards that focus on an organization’s ISMS:

    • The code of practice standard: ISO 27002. This standard can be used as a starting point for developing an ISMS. It provides guidance for planning and implementing a program to protect information assets. It also provides a list of controls (safeguards) that you can consider implementing as part of your ISMS.
    • The management system standard: ISO 27001. This standard is the specification for an ISMS. It explains how to apply ISO/IEC 27002. It provides the standard against which certification is performed, including a list of required documents. An organization that seeks certification of its ISMS is examined against this standard.

The standards set forth the following practices:

    • All activities must follow a method. The method is arbitrary but must be well defined and documented.
    • A company or organization must document its own security goals. An auditor will verify whether these requirements are fulfilled.
    • All security measures used in the ISMS shall be implemented as the result of a risk analysis in order to eliminate or reduce risks to an acceptable level.
    • The standard offers a set of security controls. It is up to the organization to choose which controls to implement based on the specific needs of their business.
    • A process must ensure the continuous verification of all elements of the security system through audits and reviews.
    • A process must ensure the continuous improvement of all elements of the information security management system. (The ISO 27001 standard adopts the Plan-Do-Check-Act [PDCA] model as its basis and expects the model will be followed in an ISMS implementation.)

These practices form the framework within which you will establish an ISMS.