Information Security Management
The full title of the standard is "ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements."
It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). Both are leading international bodies that develop international standards.
ISO 27001 is part of a set of standards developed to address information security: the ISO/IEC 27000 series.
ISO 27001 provides an international methodology for the implementation, management, and maintenance of information security within a company.
Becoming ISO 27001 certified demonstrates conformity of your Information Security Management System (ISMS) with the documented standards and provides your customers with assurance regarding the security of your system.
ISO 27001 certification provides your organization with the following benefits:
- It demonstrates the conformity of your company’s ISMS with the documented standards, exemplifying the maturity of your organization’s information security environment.
- It gives you an edge over the competition by instilling confidence in stakeholders and potential clients about your organization’s ability to protect information.
- It helps you earn new clientele and retain existing clients, resulting in revenue growth.
The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: only authorized persons have the right to access the information.
- Integrity: only authorized persons can change the information.
- Availability: the information must be accessible to authorized persons whenever it is needed.
The two most important activities when implementing ISO 27001 are:
- Scoping your ISMS (clause 4.3), in which you define what information needs to be protected; and
- Conducting a risk assessment and defining a risk treatment methodology (clause 6.1.2), in which you identify the threats to your information.
Organizations are also required to produce the following mandatory documents and records, each tied to the clause that requires it:
- Information security policy and objectives (clauses 5.2 and 6.2)
- Information risk treatment process (clause 6.1.3)
- Risk treatment plan (clauses 6.1.3 e) and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience, and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit programme (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- The Annex A controls