Demand for information security has increased in both the private and the public sector. The Financial Supervisory Authorities in various countries have recommended that the organizations in their sectors ensure information security. The law on the protection of privacy (enforced by the Data Protection Authority) requires those who hold personal information to secure it appropriately.
ISO has in recent years issued several security standards in the ISO/IEC 2700x series. These are all information security management standards, some covering specific aspects such as risk assessment. The standards describe best practice in information security management, and the certification standard ISO/IEC 27001 is the specification for information security management systems.
The standard ISO/IEC 27001 is a management standard, not a technology standard. It is of the same kind as, or closely related to, other international management standards such as the ISO quality and environmental standards. The standard essentially contains detailed requirements for the design, development and implementation of information security controls in companies and organizations, just as the quality standard ISO 9001 is a framework for quality management in companies. The concept is based on the fact that information is the property of the company or organization and therefore needs to be well defined and controlled like other tangible assets or funds. The certification standard ISO/IEC 27001 also requires that a risk assessment be made for the information assets of the organization, that all relevant threats to the assets be identified, and that the vulnerability of the assets to each threat be determined.
Identifying information assets is undoubtedly the most challenging task in the standard, and many companies hire a consultant to work on such matters. Getting an opinion from a neutral third party is also often very valuable. Risk management is nevertheless a management decision. The decision may be to accept the risk, to reduce it by implementing appropriate protective measures, to eliminate it, or to transfer it to a third party.
In the ISO/IEC 27001 standard the terms correctness, availability and integrity of information assets are defined. The main reason that companies implement information security management systems is to ensure the properties these terms stand for. Because we increasingly rely on information technology, there is often the misconception that information assets are only the systems we use in operation. Information assets can however be of many kinds. They can for example be a company's reputation and the employees' knowledge, as well as traditional information assets such as data, hardware and software. Information is stored, processed and worked with in many ways other than in the company's systems, and this information needs to be controlled too. Verbal information is no less important than information in paper or electronic form. Take the example of the flight control system, which is important in air transport.
What is essential is that the pilot gets the critical information, i.e. that the information is available when needed. For that to happen, the air traffic, ground and aircraft control systems, along with the pilot, have to work together. The human factor is no less important in this example, i.e. the oral communication between the pilot and the flight control system. These things must be taken into account when information assets are identified.
To enable a better understanding of the certification standard ISO/IEC 27001, the standard can be considered in terms of several key actions:
• Ensuring the approval of senior management for the implementation of the standard
• Identifying information assets, and managing and assessing risks
• Developing policies and procedures to ensure effective management that takes account of information security
• Determining the roles and responsibilities of staff in the company's management system
• Informing and educating staff and users regarding the security requirements of the standard
• Monitoring and maintaining the system in accordance with approved procedures.
ISO/IEC 27001 shares many elements with the other ISO management standards. The standards are based on the Plan-Do-Check-Act process. Companies that have already implemented management according to one of the ISO management standards can in most cases easily implement an information security management system.
By: Svana Helen Björnsdóttir, Chairman of the Board for Stiki