What is ISO 27001? (information security management system)

It is the leading international standard focused on information security.

The purpose of ISO 27001

ISO 27001 provides a framework to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).

What are the 3 ISMS security objectives?

The basic goal of ISO 27001 is to protect three aspects of information:

  • Confidentiality: only the authorized persons have the right to access information.
  • Integrity: only the authorized persons can change the information.
  • Availability: the information must be accessible to authorized persons whenever it is needed.
What is an ISMS?

An ISMS is a set of rules that a company needs to establish in order to:

  1. identify stakeholders and their expectations of the company in terms of information security
  2. identify which risks exist for the information
  3. define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
  4. set clear objectives on what needs to be achieved with information security
  5. implement all the controls and other risk treatment methods
  6. continuously measure if the implemented controls perform as expected
  7. make continuous improvement to make the whole ISMS work better

This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.

How does ISO 27001 work?

The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment).

Therefore, the main philosophy of ISO 27001 is based on a process for managing risks: find out where the risks are, and then systematically treat them, through the implementation of security controls (or safeguards).

ISO 27001 requires a company to list all controls that are to be implemented in a document called the Statement of Applicability.

What are the ISO 27001 controls?

The ISO 27001 controls (also known as safeguards) are the practices to be implemented to reduce risks to acceptable levels. Controls can be technical, organizational, legal, physical, human, etc.

How do you implement ISO 27001 controls?

Technical controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system (e.g., backups, antivirus software, etc.).

Organizational controls are implemented by defining rules to be followed, and expected behavior from users, equipment, software, and systems (e.g., Access Control Policy, BYOD Policy, etc.).

Legal controls are implemented by ensuring that rules and expected behaviors follow and enforce the laws, regulations, contracts, and other similar legal instruments that the organization must comply with (e.g., NDA (non-disclosure agreement), SLA (service level agreement), etc.).

Physical controls are primarily implemented by using equipment or devices that have a physical interaction with people and objects (e.g., CCTV cameras, alarm systems, locks, etc.).

Human resource controls are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way (e.g., security awareness training, ISO 27001 internal auditor training, etc.).

Is ISO 27001 mandatory?

In most countries, implementation of ISO 27001 is not mandatory. However, some countries have published regulations that require certain industries to implement ISO 27001.

To determine whether ISO 27001 is mandatory or not for your company, you should look for expert legal advice in the country where you operate.

Is ISO 27001 a legal requirement?

Public and private organizations can define compliance with ISO 27001 as a legal requirement in their contracts and service agreements with their providers. Further, as mentioned above, countries can define laws or regulations turning the adoption of ISO 27001 into a legal requirement to be fulfilled by the organizations operating in their territory.