Introduction to ISO 27001
ISO 27001 is the international standard prepared jointly by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) for worldwide standardization; the current edition was published in September 2013. There are two revisions of the ISO 27001 standard:
- ISO/IEC 27001:2005
- ISO/IEC 27001:2013 (technical revision of the initial version)
ISO 27001 is a generic standard that defines a set of requirements for an ISMS (Information Security Management System); its full title reads “Information technology – Security techniques – Information security management systems – Requirements”. To comply with the standard, you must meet each and every requirement it specifies.
What is ISMS?
ISMS is an abbreviation for Information Security Management System. An ISMS is a set of interrelated elements of an organization (policies, procedures, processes, etc.) that together can be used to:
- Manage and control information security risks
- Protect and preserve the confidentiality, integrity, and availability of information
ISO/IEC 27001 is a generic standard because an organization of any size and any line of operation can use it to establish and maintain an ISMS.
How to use ISO 27001 standard?
If you want your organization to be ISO 27001 certified, you need to follow these steps:
- Initially, decide whether you want to implement ISO 27001 or not. If yes, you can start using the standard to establish an ISMS in your organization.
- Apply project management to manage the implementation as a project.
- Define the scope of the ISMS.
- Perform a gap analysis.
- Draft the ISMS policy.
- Complete all documents the standard requires.
- Perform an internal audit within your organization in order to check
- Finally, ask a registrar or an auditor to audit your organization, followed by certification.
Control & Control Objectives
The standard describes how an organization can respond to risks through a risk treatment plan by choosing appropriate controls. The 2005 standard insisted that the controls identified in the risk assessment to manage the risks be selected from Annex A, whereas under the new 2013 version there is no requirement to use Annex A. ISO/IEC 27001:2005 had 133 controls in 11 groups; ISO/IEC 27001:2013 now has 35 control objectives and 114 controls in 14 groups:
- A.5 – Information security policies [2 controls]
- A.6 – Organization of information security [7 controls]
- A.7 – Human resource security [6 controls that are applied before, during, or after employment]
- A.8 – Asset management [10 controls]
- A.9 – Access control [14 controls]
- A.10 – Cryptography [2 controls]
- A.11 – Physical and environmental security [15 controls]
- A.12 – Operations security [14 controls]
- A.13 – Communications security [7 controls]
- A.14 – System acquisition, development and maintenance [13 controls]
- A.15 – Supplier relationships [5 controls]
- A.16 – Information security incident management [7 controls]
- A.17 – Information security aspects of business continuity management [4 controls]
- A.18 – Compliance [with internal requirements, such as policies, and with external requirements, such as laws; 8 controls]
Structure of ISO/IEC 27001:2013
“Information technology – Security techniques – Information security management systems – Requirements” is the main title of the standard. The standard has ten clauses and a long annex, which cover:
- Introduction to standard
- Scope of the standard
- Normative references [documents the standard refers to]
- Terms and definitions in ISO/IEC 27000
- Context [Organizational context and stakeholders]
- Leadership [Information security leadership and high-level support for policy]
- Planning [Planning an information security management system, risk assessment, and risk treatment]
- Support [Supporting an information security management system]
- Operation [Making an information security management system operational]
- Performance Evaluation [Reviewing the system’s performance]
- Improvement [Corrective action]
- Annex A: List of controls and their objectives.
In addition, ISO 27001 has consistently been shown to bring greater efficiency, higher profits, and better processes. Implementing it is therefore beneficial if you want your organization to have a process improvement plan with better returns and high customer satisfaction. In conclusion, we have covered the important points related to the ISO/IEC 27001 standard. The benefits of information security and its implementation are numerous, so you should consider it if you want your organization to gain worldwide recognition.