ISO 27001:2013 – Information Security Management System (ISMS)
Most organizations have a number of information security controls. However, without an ISO 27001:2013 information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover, business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
ISO 27001:2013 requires that management:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
What controls will be tested as part of certification to ISO 27001:2013 is dependent on the certification auditor. This can include any controls that the organisation has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.
Management determines the scope of the ISO 27001:2013 ISMS for certification purposes and may limit it to, say, a single business unit or location. The ISO/IEC 27001 certificate does not necessarily mean the remainder of the organization, outside the scoped area, has an adequate approach to information security management.
Who can go for this Standard?
“ISO 27001:2013” is suitable for any organization, large or small, in any sector or part of the world. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors.
ISO 27001:2013 is also highly effective for organizations which manage information on behalf of others, such as IT outsourcing companies: it can be used to assure customers that their information is being protected
Risk management and mitigation
Managing ISO 27001:2013 (Information security Management) in essence means managing and mitigating the various threats and vulnerabilities to assets, while at the same time balancing the management effort expended on potential threats and vulnerabilities by gauging the probability of them actually occurring. A meteorite crashing into a server room is certainly a threat, for example, but an information security officer will likely put little effort into preparing for such a threat.
After appropriate asset identification and valuation has occurred, risk management and mitigation of those assets involves the analysis of the following issues:
- Threats: Unwanted events that could cause the deliberate or accidental loss, damage, or misuse of information assets
- Vulnerabilities: How susceptible information assets and associated controls are to exploitation by one or more threats
- Impact and likelihood: The magnitude of potential damage to information assets from threats and vulnerabilities and how serious of a risk they pose to the assets; cost–benefit analysis may also be part of the impact assessment or separate from it
- Mitigation: The proposed method(s) for minimizing the impact and likelihood of potential threats and vulnerabilities
Once a threat and/or vulnerability has been identified and assessed as having sufficient impact/likelihood to information assets, a mitigation plan can be enacted. The mitigation method chosen largely depends on which of the seven information technology (IT) domains the threat and/or vulnerability resides in. The threat of user apathy toward security policies (the user domain) will require a much different mitigation plan than one used to limit the threat of unauthorized probing and scanning of a network (the LAN-to-WAN domain).
Implementation and education strategy components.
Implementing effective information security management (including risk management and mitigation) requires a management strategy that takes note of the following:
- Upper-level management must strongly support information security initiatives, allowing information security officers the opportunity “to obtain the resources necessary to have a fully functional and effective education program” and, by extension, information security management system.
- Information security strategy and training must be integrated into and communicated through departmental strategies to ensure all personnel are positively affected by the organization’s information security plan.
- A privacy training and awareness “risk assessment” can help an organization identify critical gaps in stakeholder knowledge and attitude towards security.
- Proper evaluation methods for “measuring the overall effectiveness of the training and awareness program” ensure policies, procedures, and training materials remain relevant.
- Policies and procedures that are appropriately developed, implemented, communicated, and enforced “mitigate risk and ensure not only risk reduction, but also ongoing compliance with applicable laws, regulations, standards, and policies.”
- Milestones and timelines for all aspects of information security management help ensure future success.
Without sufficient budgetary considerations for all the above—in addition to the money allotted to standard regulatory, IT, privacy, and security issues—an information security management plan/system can not fully succeed.
Benefits of ISO 27001:
Certifying your ISMS against ISO 27001:2013 can bring the following benefits to your organization:
- Demonstrates the independent assurance of your internal controls and meets corporate governance and business continuity requirements
- Independently demonstrates that applicable laws and regulations are observed
Provides a competitive edge by meeting contractual requirements and demonstrating to your customers that the security of their information is paramount - Independently verifies that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation
- Proves your senior management’s commitment to the security of its information
The regular assessment process helps you to continually monitor your performance and improve
Contact Us Today or send an Enquiry for your ISO/IEC 27002 requirements.
