Information Security Management

Information is an all-pervasive asset that drives operations and processes across all business areas. Today, information is considered a key business commodity and is ascribed business value, utility and importance.
Recognizing the business value of information is of extreme importance to all organizations. In summary, a business needs to make sure it manages its information effectively to get the most value out of it.
This means managing information security risks to ensure that information is not:
- denied or made unavailable – e.g. through a denial of service attack from an external threat, or an accidental system failure or overload;
- lost, destroyed or corrupted – e.g. through an attack from an external threat, an accidental system failure or a user processing error; or
- leaked, disclosed without authority, or stolen – e.g. through an attack from an external threat, an accidental system failure, or an insider leaking information to competitors or external colleagues.
Without information security, the business is faced with various negative impacts including financial consequences, weakened protection of the organization’s intellectual capital and IPR, loss of market share, poor productivity and performance, ineffective operations, inability to comply with laws and regulations, or loss of image and reputation.
The standard ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, provides a basis for designing and deploying a management system for information security.
As a management tool, ISO/IEC 27001 relates to the broader roles and responsibilities of an organization such as corporate social responsibility, governance and legal and regulatory obligations. All these aspects can be associated with the increasing dependence of businesses on information systems and information and communication technologies (ICT).
ISO/IEC 27001 is a risk-based specification designed to take care of the information security aspects of corporate governance, the protection of tangible and intangible information assets and legal and contractual obligations, as well as the wide range of threats to the organization’s ICT systems and business processes.
Applying the ISO/IEC 27001 risk management philosophy as part of the business’s overall risk approach provides the organization with the means to implement effective information security management in compliance with the organization’s objectives and business requirements.
ISO 27001:2005
The family of ISO/IEC 27000 ISMS standards includes:
- ISO/IEC 27001 ISMS requirements (published)
- ISO/IEC 27002 Code of practice for information security management (published)
The process of ISMS certification covers the following stages:
Phase One Development and Preparation for an ISMS Certification Audit
The processes that need to be undertaken in establishing your ISMS (Plan Phase) include:
- Defining the ISMS scope and policy (in terms of the nature of the organisation, its business and its assets, taking account of the business objectives, legal and regulatory requirements and any contractual obligations)
- Defining the risk assessment approach
- Identifying, assessing and evaluating risks
- Identifying and evaluating options for treating risks
- Selecting control objectives and controls (these should be justified on the basis of the risk assessment and the conclusions of the risk treatment process)
- Producing a Statement of Applicability (SoA) (a document describing the controls that are relevant and applicable to your organisation's ISMS, based on the results of the risk assessment and the conclusions of the risk treatment process)
After establishing the design goals for your ISMS, the next step is to implement and then use the ISMS in your business (Do Phase). This involves applying the ISMS policies, procedures and any technical controls you produced and implemented, as well as providing adequate training to users, making sure the security roles and responsibilities have been allocated and understood, and that you have an incident handling process in place for detecting and reacting to security incidents.
You should also have processes in place for monitoring and reviewing the ISMS, and processes for maintaining and improving the ISMS as and when necessary (to support the Check and Act Phases).
Before going for certification your ISMS should have been operational for a period of time to ensure it is functioning properly, users are trained, and your ISMS documentation and record systems are fully functional and operating correctly. Once you are satisfied that your ISMS is running according to your design specification, you should contact one of the certification bodies that have been accredited to carry out ISO/IEC 27001 certification audits. You then go into Phase Two, described below.
Phase Two Certification Audit Process
The second phase involves employing one of the accredited certification bodies to carry out an audit of your ISMS. The audit itself involves an initial discussion with the certification body regarding certification requirements; a review of your ISMS documentation (Stage 1 Audit) is then followed by a visit to your ISMS site(s) (Stage 2 Audit).
During the Stage 1 part of the audit, the certification body (CB) obtains documentation from the organisation about the design of the ISMS, covering at least the organisation's information security risk assessment, the Statement of Applicability, and the core elements of the ISMS. The objectives of this stage are to provide a focus for planning the Stage 2 Audit by gaining an understanding of the ISMS in the context of the organisation's security policy and objectives and, in particular, of the organisation's state of preparedness for the audit.
The objectives of the Stage 2 audit are to confirm that the organisation adheres to its own policies, objectives and procedures, and that the ISMS conforms with all the requirements of the ISMS standard or normative document and is achieving the organisation’s policy objectives. To do this, the certification body’s audit team is likely to focus on the:
- Assessment of information security related risks and the resulting design of the ISMS
- Statement of Applicability
- Objectives and targets derived from this process
- Performance monitoring, measuring, reporting and reviewing against the objectives and targets
- Security and management reviews
- Management responsibility for the information security policy
- Links between policy, the results of information security risk assessments, objectives and targets, responsibilities, programmes, procedures, performance data, and security reviews
Phase Three Follow-up Management Activities
The certificate that is awarded will last for three years, after which the ISMS needs to be re-certified. There is therefore a third phase of the process (assuming the certification has been successful and a certificate has been issued), which involves the certification body visiting your ISMS site on a regular basis (e.g. every 6-9 months) to carry out a surveillance audit. These surveillance visits continue throughout the three-year period. The purpose of the surveillance and reassessment visits is to verify that the information security management system (ISMS) is still compliant with the requirements of ISO/IEC 27001 and that the ISMS has been properly implemented and maintained: is the scope of the ISMS still valid, is the security provided still effective, is there an appropriate monitoring and improvement programme in place, etc.
Unique features of ISO 14001
- Comprehensive: all members of the organization participate in environmental protection, the EMS considers all stakeholders, and there are processes to identify all environmental impacts.
- Proactive: it focuses on forward thinking and action instead of reacting to command-and-control policies.
- Systems approach: it stresses improving environmental protection by using a single environmental management system across all functions of the organization.
- Continual improvement: of processes, based on objective measurement.
Benefits
Many leading companies have discovered the business benefits that can be achieved through ISMS. Below are examples of some of the advantages that your company might experience:
Overview of ISO 27001:2005 ISMS
The ISO/IEC 27001:2005 standard is an information security management standard. It defines a set of information security management requirements. These requirements are listed in sections 4 to 8 of the standard. Therefore, the following information starts with section 4.
FAQ (ISO 27001)
CERTIFICATION
If an organisation says they are compliant with ISO/IEC 27002 does this mean they have been certified?
No.
ISO/IEC 27002 is not a certification standard.
The only standard that can be used for certification is ISO/IEC 27001.
Who is allowed to undertake ISO/IEC 27001 certification audits and award certificates?
Certification audits are carried out by an accredited certification body.
To become accredited, the certification body needs to be assessed by a national accreditation body, examples being UKAS (UK), SWEDAC (Sweden), KAB (South Korea), JIPDEC or JAB (Japan) and RAB, now ANAB (USA).
Certificates are awarded by the certification body upon successful completion of a certification audit.
How long is an ISO/IEC 27001 certificate valid for?
An accredited certificate is valid for three years, after which the organisation can choose to have its ISMS re-certified.
During the three-year period the certification body will undertake a number of surveillance audits to check that the ISMS is being maintained and updated to an effective level of information security.
Are ISO/IEC 27001 and ISO/IEC 27002 IT security Standards?
No. They are both information security standards: they address the protection of information in all its forms (paper, spoken and electronic), not only the security of IT systems.
What does ISO/IEC 27001 cover?
This standard covers the processes needed to establish, implement, operate, monitor, review, maintain and improve an ISMS.
It covers processes such as risk assessment, risk treatment, selection of information security controls, monitoring activities, management reviews, measuring the effectiveness of information security, the incident handling process, and corrective and preventive activities.
An Annex (A) contains a range of controls that can be selected to manage the risks identified through the risk assessment and treatment processes.
What does ISO/IEC 27002 cover?
This standard is a code of practice, which means it contains a set of best-practice controls that are used throughout the business world. In addition to defining each control, it also provides implementation guidance for the control. The controls in ISO/IEC 27002 are expressed as “should” statements, which makes them guidance rather than compliance requirements. The controls in Annex A of ISO/IEC 27001, which are the same set of controls, are expressed as “shall” statements, which makes them formal compliance requirements; this is why ISO/IEC 27001, and not ISO/IEC 27002, can be used for certification purposes.
Can an organisation get a certificate by just implementing the controls in ISO/IEC 27001?
No.
An organisation needs to have implemented all the requirements specified in ISO/IEC 27001 relating to the processes defined in the standard. So, for example, it must have undertaken a risk assessment in order to decide which controls to select from Annex A.
Can ISO/IEC 27001 and ISO/IEC 27002 be used by small businesses?
Yes.
These standards are flexible enough to suit all business needs, irrespective of the size or nature of the business.
Can ISO/IEC 27001 and ISO/IEC 27002 be used by all types of organisation: commercial, governmental and not-for-profit?
Yes.
There are many examples of organisations in all these categories that have been certified.