ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM

In today's ERA, Information is the soul of any organizations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation. In today’s competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious.

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. ISO/IEC 27001 establish best practices of control objectives and controls in the following areas of information security management:

Security policy;
Organization of information security;
Asset management;
Human resources security;
Physical and environmental security;
Communications and operations management;
Access control;
Information systems acquisition, development and maintenance;
Information security incident management;
Business continuity management;
Compliance.

KEY BENEFITS OF ACHIEVING ISO 27001 CERTIFICATION TO YOUR ORGANIZATION

ISO 27001 implementation improves / leads to

Management Understanding of the Value of Organisational Information
Customer Confidence, Satisfaction and TRUST
Business Partner Confidence, Satisfaction and TRUST
e.g. Handling Sensitive Information of Customers & Business Partners
Level of Assurance in Organisational Security & QUALITY
Conformance to Legal and Regulatory Requirements
Organisational Effectiveness of Communicating Security Requirements
Organisational Effectiveness of Communicating Security Requirements

Employee Motivation and Participation in Security (Best Practices)
Organisational Profitability
Management and Handling of Security Incidents
Ability to Differentiate Organisation for Competitive Advantage
Organisational Credibility & Reputation
Ability to Differentiate Organisation for Competitive Advantage
Organisational Credibility & Reputation

ISO 27001 REQUIREMENTS

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

ISO 27001 DOCUMENTATION REQUIREMENTS

The ISMS documentation shall include:

Documented statements of the ISMS policy and objectives
The scope of the ISMS
Procedures and controls in support of the ISMS
A description of the risk assessment methodology
The risk assessment report
The risk treatment plan

What is ISO 27001 AND HOW IT RELATES TO IT?

British Standard 7799 (BS 7799) is an internationally-recognized standard describing the protection of information assets:

ISO/IEC 17799 (also known as BS 7799 Part 1), a code of practice for information security management. It will be renumbered to ISO/IEC 27002.
BS 7799 Part 2, the specification for an ISMS that can be used as the basis for certification. It has been adopted as an international standard, ISO/IEC 27001.

HOW DOES ISO 27001 RELATES TO OTHER MANAGEMENT SYSTEM STANDARDS?

ISO/IEC 27001 (BS 7799-2) is aligned with both the ISO 9001 (quality management systems) and ISO 14001 (environmental management systems) standards. The three standards share system elements and principles, including adopting the PLAN, DO, CHECK, ACT cyclic process. This approach makes it possible to integrate the systems to the extent it makes sense.

WHY IS0 27001 IS NECESSARY FOR ORGANISATION?

If information assets are important to your business, you should consider implementing an ISMS in order to protect those assets within a sustainable framework.

If you implement an ISMS, you should consider going through the process to be certified against the ISO/IEC 27001 standard. ISO/IEC 27001 and BS 7799 continues to build a reputation for helping to model business practices that enhance an organization’s ability to protect its information assets. A growing number of organizations around the world have already gone through the certification process.