What is ISO 27001 : Information Security Management System

By Annu Choudhari 0 Comment June 12, 2019

What is ISO 27001?

Information security (IS) is vital for a modern organization. An information security management system built to the requirements of ISO / IEC 27001 helps an organization protect its assets and ensure the integrity, reliability and confidentiality of its information.

Since 2005, more than 25 thousand companies worldwide (according to IRCA) have passed the certification audit for compliance with the requirements of ISO / IEC 27001.

Certification is a useful tool for increasing trust: it demonstrates that the products and services an organization offers meet its customers' needs in the field of information security.

The ISO / IEC 27001 standard is a source of best practices for designing security controls and applies to almost any organization, regardless of ownership, type of activity, size or external conditions. It is technology-neutral and always leaves room for a choice of technologies. ISO / IEC 27001 is the best-known standard in the series and the one that sets out the requirements for an information security management system; the 27000 series contains more than a dozen standards in total.

The Information Security Management System (ISMS) is the part of the overall management system, based on a business-risk approach, whose purpose is to establish, implement, operate, continuously monitor, review, maintain and improve information security. It is a systematic approach to managing sensitive information. The system covers personnel, business processes and IT systems, brought together through risk management processes.

To formulate a complete set of information security requirements, the standard identifies three main sources:

  • Assessment of the risks the organization faces (identification of threats to its assets, their vulnerabilities, the likelihood that the threats materialize, and the possible damage);
  • Compliance with the legal, regulatory and contractual requirements that the organization itself, its business partners, contractors and service providers must meet;
  • The set of principles, objectives and requirements for information processing that the organization has developed to support its activities.

The main elements of the information security system:

  • Protection against unauthorized access to systems, including unauthorized access by the organization's own employees;
  • Authorization and authentication;
  • Protection of data transmission channels, ensuring integrity;
  • Ensuring the relevance of data in the exchange of information with customers;
  • Electronic document management;
  • IS incident management;
  • Business continuity management;
  • Internal and external audit of the information security system.

The main objectives of the Standard:

  • The establishment of uniform requirements for ensuring the information security of organizations;
  • Ensuring the interaction of management and employees;
  • Increasing the effectiveness of measures to ensure and maintain information security of organizations.

The ISO / IEC 27001 standard provides:

  • Setting goals and understanding the direction and principles of activities regarding information security;
  • Identification of approaches to risk assessment and management in the organization;
  • Information security management in accordance with applicable law and regulatory requirements;
  • Using a unified approach in the creation, implementation, operation, monitoring, analysis, support and improvement of the management system so that the goals in the field of information security are achieved;
  • Identification of information security management system processes;
  • Determining the status of information security measures;
  • Use of internal and external audits to determine the degree of compliance of the information security management system with the requirements of the standard;
  • Provision of adequate information to partners and other stakeholders on information security policies.

Benefits from implementation and certification

  • Increasing the confidence of customers, partners and other stakeholders;
  • Increasing the stability of the functioning of organizations;
  • Obtaining international recognition and strengthening the image of the company in the domestic and foreign markets;
  • Achieving the adequacy of measures to protect against real threats to information security;
  • Prevention and (or) reduction of damage from information security incidents;
  • Demonstration of a certain level of information security to ensure the confidentiality of information of interested parties;
  • An increase in the value of intangible assets and a decrease in insurance premiums, which raise the company's value;
  • Reduction of transaction costs and elimination of "cross-financing" within a single ISMS;
  • Expanded participation by the company in large government contracts;
  • Significantly easier audits for compliance with PCI DSS and ISO / IEC 20000-1.

What does ISO / IEC 27001 do?

The main advantage of creating and implementing an ISMS in accordance with the requirements of ISO / IEC 27001 is independent proof of the stability and reliability of the organization’s business processes, including:

  • Increasing the credibility of the organization;
  • Increasing the stability of the organization as a whole;
  • Achieving the adequacy of measures to protect against real threats to information security;
  • Prevention and / or reduction of damage from information security incidents.

Advantages of implementing the ISO / IEC 27001 standard

  • Harmonization of the ISO / IEC 27001 standard with the new common structure helps organizations that wish to implement more than one management system at the same time.
  • The shared structure of the standards saves organizations time and money, as they can implement integrated policies and procedures.
  • It provides a flexible, streamlined approach aimed at more effective management of information security risks in today's conditions.
  • The security controls keep the standard relevant, provide adequate protection and make it applicable to modern risks such as identity theft, threats associated with mobile devices and other network vulnerabilities.

In addition, the ISO / IEC 27001 standard has been modified to adapt to the new general structure used in all standards for management systems, which simplifies its integration with other management systems.
