
What is ISO 27001:2013 - Information Security Management System

An Information Security Management System (ISMS) is a management system based on a systematic business risk approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security. It is an organizational approach to establishing information security. ISO/IEC 27001 (BS 7799) is a standard for information security that focuses on an organization's ISMS.

Some of the requirements that must be developed and implemented as part of the ISMS of an organization seeking certification are:

  • Scope of the ISMS
  • ISMS Policy
  • Risk assessment approach
  • Risk assessment report
  • Risk treatment plan
  • Statement of Applicability (SOA)
  • Selection and implementation of the controls from Annex A
  • One completed Internal Audit cycle
  • One Management Review cycle

The benefits of standardization, and of implementing one or more of the ISO 27000 series, are wide and varied. Although they tend to differ from organization to organization, many are common.

The following is a list of potential benefits.

Interoperability

This is a general benefit of standardization. The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.

Assurance

Management can be assured of the quality of a system, business unit, or other entity, if a recognized framework or approach is followed.

Due Diligence

Compliance with, or certification against, an international standard is often used by management to demonstrate due diligence.

Benchmarking

Organizations often use a standard as a measure of their status within their peer community. It can be used as a benchmark for current position and progress.

Awareness

Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.

Alignment

Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater IT and business alignment often results.

Compliance

It might seem odd to list compliance as a benefit, but it often shows the quickest "return on investment": if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 provides the methodology to do so in the most efficient way.

Marketing edge

In a market that is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could indeed be a unique selling point, especially if you handle clients' sensitive information.

Lowering the expenses

Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, occasional data leakage, or disgruntled employees. Or disgruntled former employees.

The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management's attention.

Putting your business in order

This one is probably the most underrated: if your company has been growing sharply for the last few years, you might experience problems such as who has to decide what, who is responsible for certain information assets, and who has to authorize access to information systems.

Frequently Asked Questions (FAQs)

Implementation of ISO 27001 reduces risks related to confidentiality, availability, and integrity of information in an organization. It also helps the organization to achieve conformity with legislation regulating protection of confidential information, protection of information systems, personal data protection, etc., which are already in place in most countries. Finally, implementation of the standard should reduce business costs due to fewer incidents, and improve marketing because of the publicity that can be gained with the standard.

Risk assessment, as defined by ISO, is the overall process of risk analysis and risk evaluation. This embraces the study of relevant threats, vulnerabilities and, of course, potential impacts. A typical Risk Assessment (RA) methodology is as follows:

  • Identify the Information Assets (people, process, technology), Asset Owners and Custodians that are part of the scope
  • Identify the Threats and Vulnerabilities applicable to those Assets
  • Rate the Confidentiality, Integrity and Availability (C, I, A) of each Asset
  • Assign the Threat Probability and Impact Rating
  • Assign Controls for the identified threats whose risk is above the Acceptable Risk Rating

Once the above set of activities is completed, you can arrive at the Risk Treatment Plan and Statement of Applicability (SOA). This completes your Risk Assessment / Risk Management process.
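A worked run of the five steps above, as an added example that is not from this page: the scoring rule (highest C/I/A rating times probability times impact), the acceptable risk rating of 8 and the asset and threat register are all constructed assumptions, not a rule the standard prescribes.

```python
from dataclasses import dataclass
ACCEPTABLE_RISK = 8  # assumed threshold: a rating above this must be treated

@dataclass
class Asset:
    name: str
    owner: str   # accountable for the asset (custodian omitted for brevity)
    cia: tuple   # (confidentiality, integrity, availability) ratings, each 1..3

@dataclass
class Threat:
    asset: str
    description: str
    probability: int  # 1 (rare) .. 3 (likely)
    impact: int       # 1 (minor) .. 3 (severe)
    control: str      # control to apply if the risk exceeds the acceptable rating

def risk_rating(asset: Asset, threat: Threat) -> int:
    # Assumed scoring: highest C/I/A rating x probability x impact, range 1..27.
    return max(asset.cia) * threat.probability * threat.impact

def risk_treatment_plan(assets, threats, acceptable=ACCEPTABLE_RISK):
    """Return (risks needing treatment, risks accepted as-is)."""
    by_name = {asset.name: asset for asset in assets}
    plan, accepted = [], []
    for threat in threats:
        asset = by_name[threat.asset]
        rating = risk_rating(asset, threat)
        entry = {"asset": asset.name, "owner": asset.owner,
                 "threat": threat.description, "rating": rating}
        if rating > acceptable:
            entry["control"] = threat.control  # feeds the Statement of Applicability
            plan.append(entry)
        else:
            accepted.append(entry)
    return plan, accepted

# Constructed sample register, not real data.
ASSETS = [
    Asset("Customer database", "Head of Sales", cia=(3, 3, 2)),
    Asset("Public website", "Head of Marketing", cia=(1, 2, 3)),
    Asset("Office printers", "Facilities", cia=(1, 1, 1)),
]
THREATS = [
    Threat("Customer database", "Access retained by a former employee", 2, 3,
           "Revoke accounts on termination; quarterly access review"),
    Threat("Public website", "Prolonged hosting outage", 2, 2, "Redundant hosting"),
    Threat("Public website", "Defacement through an unpatched CMS", 1, 2, "Monthly patch cycle"),
    Threat("Office printers", "Printer hardware failure", 3, 1, "Maintenance contract"),
]
```

The entries in the returned plan, with their controls, are the raw material for the Risk Treatment Plan and SOA; the accepted list documents the risks signed off without further controls.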

ISO/IEC 27001 is becoming the international benchmark for effective, secure information management practices that protect organizations and ensure their compliance with data protection, privacy and effective business risk management.

The current ISO 27001 version was published in October 2013. There are no plans to update it soon.

The ISO 27001 standard was originally written by a BSI/DISC committee, which included representatives from a wide section of industry/commerce. Later it was reviewed by an ISO (International Standards Organization) committee and ultimately emerged through the ISO publication process.

Once a company becomes "certified", it undergoes periodic audits by its registrar for a period of 3 years, after which a full "re-certification" audit is conducted.

Periodic audits are typically conducted every 6 months or every year, depending on the registrar and the contract signed with the organization. Periodic audits normally take fewer days than the original certification audit.

A re-certification audit involves auditing all requirements of the standard and may be equal in length to the original certification audit.

The full name of ISO 27002 is Information Technology - Security Techniques - Code of Practice for Information Security Management. The base standard stems from an original publication in 1993, from the DTI in the UK. It became BS7799 in 1995, ISO17799 in 2000 and ISO27002 in April 2007.

The standard itself is intended to be used in conjunction with ISO 27001, which is a specification for a management system; part of that specification, Annex A, is the selection of controls as appropriate. Those controls are broadly described by ISO 27002.
