ISO27001, a.k.a. ISO/IEC 27001:2013 for Information security management systems
All companies are in pursuit of making bigger profit and avoiding losses and financial mismanagement. Among other benefits that ISO 27001 brings to the company, this is one of the tools ...
ISO 27001 brings to companies the management framework that helps them enhance the existing management system, professional image, market expansion by being qualified to apply for tenders and meet customer & legal requirements. Promote your business values to your clients by being Cyber-Resilient, Data Protection Readiness & Regulatory Compliance (e.g. GDPR). Prepare for a seamless paradigm shift without hurting your budget but giving your business the extra miles
- An information security management system (ISMS) is "a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives" (ISO/IEC 27000:2014).
- By ISO27001 Certification, the controls are never only IT-related – they always involve organizational issues, human resources management, physical security and legal protection. It is the standards that enables your organization to take into account all the information in various forms, all the potential problems, and gives you the methodology how to keep the information secure. Therefore, information security is a set of combined controls, very diversified in nature (see diagram below).
An ISO 27001-aligned ISMS functions will perform in protecting and monitoring information and following a continual improvement approach, allowing the organization to keep up with evolving threats. The Standard provides a holistic approach to information security that encompasses people, processes, and technology, not neglecting assets.
An ISO 27001-compliant ISMS helps you coordinate all your security efforts (both technological, people-based, and physical) coherently, consistently, and cost-effectively. The ISMS is a constantly evolving system, and is based on regular risk assessments to ensure that threats are being identified and treated in an appropriate manner, in line with the organization’s risk appetite.
- Market Differentiation
- Proactive versus Reactive Security Management, and Defensibility
- Consistent Third-party Governance, Risk, and Compliance (GRC) Management
- Legal and Regulatory Compliance
- Information Risk Management
- Time-based Assurance
- Organizations, large and small, have felt increasing pressure from current customers, potential customers, and regulators, to adopt a defensible, risk-based ISMS, as opposed to abiding by the customary and vague reliance on "best practices" or other standards that are not specific to the discipline of information security; e.g., SAS 70 Type II.
- The effort involved in raising the maturity of the security program to a certifiable level is proof to clients and potential clients that your organization is actively maintaining its information security posture.
- Thus, Increased selling opportunities by offering a mature and capable ISMS, certified to an international standard. A greater potential to land business where touting your company's security is a critical element, including opportunities to work with clients seeking to do business with a company that has a certified security program already in place.
- Defensible approach to information security yields a reduction in response effort to the rising volume of information security questionnaires that an organization receives from clients and potential clients. Given the increasingly cumbersome regulatory environment, detailed inquiries are often defended as "doing due diligence," even though such inquiries impose a significant time and workload burden on the receiving organization
- allows the information security function to be proactive in developing, deploying, managing, and maintaining an information security program. Information security is no longer forced into a constant "fire-fighting" mode and the usual lack of efficiencies is avoided.
- Reduced effort and time to respond to inquiries, shortening the sales cycle, and reducing the number of audit or review cycles, thereby increasing efficiencies.
- Contract or service agreement language often does not address specific requirements for the preservation of information confidentiality, integrity, and availability. A supplier risk assessment or audit can check to see if security expectations are adequately met, but by itself, this activity does not communicate the actual requirements or criteria.
- With an ISO 27001-based ISMS, third-party requirements, specifications, empowerment, and communication are an integral part of the system. you can raise your level of assurance by knowing that the third parties are "on the same page" as your company. Suppliers are able to deliver services at desired levels and with processes and security measures which are defined, visible, and accountable to you.
- Benefit: Clear communication of security requirements to third parties and scheduled periodic reviews of compliance with such requirements.
- Third parties with a full understanding of requirements can provide more accurate pricing for services and are not "surprised" near the end of the contract process with unanticipated demands. Periodic compliance assessments become a scheduled part of third-party governance with specific, stated objectives and increased focus on defined remediation tasks where necessary.
- The legal and regulatory environment is increasingly more rigorous, and unfortunately, increasingly more burdensome. Recently introduced law and regulation often requires a risk-based approach and informed-choice decision making to achieve compliance. Both of these qualities are inherent in an ISO 27001 ISMS, along with a defined responsibility for the Legal department to advise security of pending legislation. A risk-based, structured approach to security management, policies and standards, means accommodating shifts in the regulatory environment can often be accomplished as part of the normal review and update cycle rather than an ad hoc, reactive mode. When changes are required, they can be accomplished incrementally rather than as a major overhaul.
- Benefit: The risk-based decision making inherent in an ISO 27001 ISMS means the system shares a common basis with many new legal requirements. Changes to the ISMS can be made in an orderly, incremental fashion.
- Bottom line impact: Legal and regulatory compliance is accomplished through an ongoing change process, often using maintenance cycles rather than unplanned efforts or forced reaction. Disruption to the business is lessened, and compliance is achieved through simple alignment rather than repetitive and unplanned reengineering of security policies, standards, and practices.
- ISO 27001 requires a risk methodology to perform an assessment of their security practices. With the risk assessment information security and management together make informed choices regarding which controls must be applied, and justify these choices.
- Within the context of the ISMS, each choice can be defended on the basis of evaluated risks and defined controls. There is no "gray area" and no reliance on individual interpretation of security practices, no matter how well intended.
- Thus, an organization can easily defend and justify its choices to management, customers, and regulators. Which also means reduced effort and confusion in explaining security choices. It them shorten audit cycles and provide important reassurance to both management and clients that information security is based on informed-choice decisions, not just common practices.
- provides a mechanism to integrate information security into your company's overall risk management strategy. business executives can now be presented with information security in its proper context of asset protection and risk mitigation, without a need to explain the intricacies or jargon of the discipline.
- By making information security decisions on the defensible basis of risk management, the information security practitioner and business manager can employ a common terminology. In addition, the information security function becomes more integrated with the organization as a whole.
- Increased understanding and acceptance of the role of information security in the organization's overall risk management strategy.
- Implementation of an ongoing management or "continuous process improvement." Organizations are required to not only identify what is in place now, but monitor, review, and change controls if the environment dictates such change, that it is based on the W. Edwards Deming model of Plan, Do, Check, Act (PDCA) to achieve continuous improvement.
- If your organization must respond to customer security inquiries, there is nearly always a requirement for annual renewal or periodic review. Once certified under ISO, the ISMS will be subject to annual surveillance audits and recertification every 3 years. These independent audits performed by the certifying authority offer proof to your management and your clients that the ISMS is operating in a satisfactory manner with continuous improvement.
- In the nutshell, it offers independent proof of ISMS adequacy and the ongoing benefit of continuous process improvement. It offers clients and management proof that the ISMS continues to meet due diligence.
Relationship between ISO/IEC 27001 versus ISO27002
- IS27001:2013 (Certification standards) Versus ISO27002 (a code of practice/guideline)
- ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS). It uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS, but since ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organizations are free to select and implement other controls, or indeed adopt alternative complete suites of information security controls as they see fit. In practice, most organizations that adopt ISO/IEC 27001 also adopt ISO/IEC 27002.
iTGRC Asia Pte Ltd