An Introduction to ISO 27001
ISO 27001 is an international standard that provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). It is a management standard suited to every sector of industry and commerce, and it is not limited to electronic information held on computers. It is a common misconception that ISO 27001, and information security in general, is only about keeping hackers out of a computer or network.
On the contrary, the ISO 27001 ISMS standard can be applied by any organization that needs to protect information, whatever form that information takes. For example, a law firm handles a large volume of information, much of it confidential. The firm has a commitment to its clients to protect that information and keep it confidential. By implementing ISO 27001 controls, the firm can manage that obligation systematically and demonstrate to its clients that it does so.
ISO 27001 addresses the security of all information, whether it is printed, written, stored electronically, spoken, presented in video or audio, or sent by traditional mail or email. The standard requires the organization to protect information, however it is transmitted, shared or stored, in a manner appropriate to the risk it faces.
Information security is the safeguarding of:
- Confidentiality: information and assets are not made available or disclosed to unauthorized individuals, entities, or processes.
- Integrity: the accuracy and completeness of information and assets are preserved.
- Availability: information and assets are accessible and usable on demand by an authorized individual, entity, or process.
Protecting information and assets means implementing controls that mitigate the risks posed by threats. ISO 27001 requires the organization to carry out a risk assessment against its own defined criteria; it does not prescribe a single method, but a typical assessment considers, for each asset and threat:
- Likelihood (probability): how likely it is that the threat event will occur.
- Impact: the level of damage or disruption the event would cause to the specific asset, and to the business that depends on it.
- Vulnerability: a weakness in the asset or in its existing controls that the threat could exploit. A vulnerability does not cause damage by itself; it makes a threat more likely to succeed, so it raises the likelihood side of the assessment.
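As an added illustration of the assessment described above (example code, not part of the original article or of the standard), the following Python scores a small risk register with a 5x5 likelihood x impact matrix, records the vulnerability a threat would exploit, ranks the risks that exceed an acceptance threshold, and shows how a control changes the residual score. The scales, the high/medium/low bands, the threshold of 8 and the sample entries are all this example's own assumptions; ISO 27001 requires each organization to define its own risk criteria.

```python
"""Worked risk-register example (assumed method, not prescribed by ISO 27001)."""
from dataclasses import dataclass, replace
from typing import List, Optional

# Assumed ordinal scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str          # what is being protected
    threat: str         # the event that could harm the asset
    vulnerability: str  # the weakness the threat would exploit
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT


def score(risk: Risk) -> int:
    """Risk level = likelihood x impact on the assumed scales (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def band(value: int) -> str:
    """Assumed bands used to decide how urgently a risk must be treated."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"


def treat(risk: Risk, likelihood: Optional[str] = None, impact: Optional[str] = None) -> Risk:
    """Model a control. Closing the vulnerability (e.g. patching) lowers likelihood;
    a recovery control (e.g. offline backups) lowers impact. Returns the residual risk."""
    return replace(risk, likelihood=likelihood or risk.likelihood, impact=impact or risk.impact)


def treatment_queue(register: List[Risk], acceptance_threshold: int = 8) -> List[Risk]:
    """Risks at or above the (assumed) acceptance threshold, highest score first."""
    unaccepted = [r for r in register if score(r) >= acceptance_threshold]
    return sorted(unaccepted, key=score, reverse=True)


# Constructed sample register for the law-firm scenario used in the text.
REGISTER = [
    Risk("client case files (file server)", "ransomware", "unpatched SMB service", "likely", "severe"),
    Risk("paper client files", "theft from office", "unlocked filing cabinet", "possible", "major"),
    Risk("public marketing website", "defacement", "outdated CMS plugin", "possible", "minor"),
]

if __name__ == "__main__":
    for r in treatment_queue(REGISTER):
        print(f"{band(score(r)):6} {score(r):2}  {r.asset}: {r.threat} via {r.vulnerability}")
    residual = treat(REGISTER[0], likelihood="unlikely", impact="moderate")
    print("after patching and offline backups:", score(residual), band(score(residual)))
```

Run as written, the ransomware risk scores 20 (high) and heads the queue, the paper-file theft scores 12 (medium), and the website defacement (6) falls below the threshold and is accepted. Patching the SMB service and adding offline backups bring the ransomware risk down to a residual 6 (low), which is the kind of before/after record an auditor expects to see in a risk treatment plan.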
Annex A of the ISO 27001 standard lists control objectives and controls aimed at protecting the confidentiality, integrity and availability of information. Grouped into the domains used by the 2005 edition of the standard (later editions reorganize the same material), these are:
- Security Policy: a security policy should provide management direction and support for information security, taking into account business objectives and requirements, laws and government regulations.
- Organization of Information Security: the management framework, roles, responsibilities and processes by which information security is governed, both internally and in dealings with external parties.
- Asset Management: ensuring assets are identified, have an owner, are classified according to their value and sensitivity, and are protected accordingly.
- Personnel (Human Resources) Security: the security responsibilities of employees, contractors and third parties before, during and after employment, matched to the information they are exposed to (see our blogs on Prior, During, and After Employment).
- Physical and Environmental Security: controls that prevent unauthorized physical access to, damage to and interference with an organization's premises and information, and that prevent the loss, damage, theft or compromise of assets and the interruption of organizational activities.
- Communications and Operations Management: correct and secure operation of information processing facilities, including third-party service delivery, system planning, protection against malicious code, back-ups, network security, media handling, exchange of information, electronic commerce and monitoring.
- Access Control: controlling who may access information and systems, covering user access management, user responsibilities, and network, operating system and application access control.
- Information Systems Acquisition, Development and Maintenance: ensuring that security requirements are built into information systems when they are acquired, developed and maintained, rather than added afterwards.
- Information Security Incident Management: ensuring that information security events and weaknesses are reported and addressed in a timely manner so that corrective action can be taken.
- Business Continuity Management: the process of creating, testing and maintaining plans that counter interruptions to business activities and protect critical business processes.
- Compliance: ensuring that laws, regulations and contractual obligations are met, and that controls are verified through audits and reviews.
Why is Information Security Important?
Organizational information, whether customer data, credit card information, intellectual property or any other form, is a vital asset. Maintaining the confidentiality, integrity and availability of that information allows an organization to sustain a competitive advantage, cost-effectiveness, a steady cash flow, profitability, legal compliance and a positive reputation.
We have discussed at length the benefits of ISO 27001 certification, the ISO 27001 certification process (part 1, part 2, part 3), risk management (part 1, part 2, part 3), and how long it takes to get certified in previous posts. We encourage you to review those posts for more information on ISO 27001 certification.