Information security on its computers and networks should be a concern for every organization – big and small, profit and not for profit, manufacturing and service. We may hear occasional national news stories about breaches of security and lost confidential information at big corporations or government agencies, but security breaches happen every day with victims of all sizes and types.
Protecting information has to be a priority – and it requires effort. How effective these efforts are, however, mostly depends on how organized and systematic the efforts are. That is the purpose of ISO 27001. It provides a proven, systematic Information Security Management System (ISMS) framework that can work for any business or organization. Like other successful aspects of a business, a successful information security effort requires having defined and controlled processes to fulfill objectives. This comes from a properly designed and implemented management system as described in ISO 27001.
Information Security Management with ISO 27001
Like other ISO standards (e.g., ISO 9001, ISO 14001), ISO 27001 uses a management philosophy based on the Plan-Do-Check-Act (PDCA) continually improving process approach. Here, the processes needed to produce desired results are defined (Plan), executed (Do), and monitored (Check), then periodically reviewed and improved (Act). This is an important distinction from simply defining requirements. With a process approach, not only are the requirements defined, but the processes to fulfill those requirements are defined as well.
Using a continually improving process approach, objectives (i.e., fulfilling security requirements) are reviewed and corrections made as needed. Just as importantly, the requirements and controls themselves are reviewed as well. Are they adequate? Have external or internal changes in the environment affected the security requirements? This ISMS approach also allows for building information security gradually by addressing high-priority needs first, then adding controls as needed so they match the organization’s needs. This is more practical than a huge initial effort to put a large, perhaps unnecessary, bureaucracy in place from the beginning.
What is in ISO 27001?
Since the ISO 27001 ISMS approach to information security closely aligns with the Quality Management System described by ISO 9001 or the Environmental Management System described by ISO 14001, it can be used in conjunction with other organizational efforts to define and meet requirements, perhaps under an integrated quality management system.
Like other ISO standards, the ISO 27001 document starts with several sections covering scope and definitions. The actual requirements of the ISMS begin in Section 4. Sections 4 through 8 describe:
- General Requirements: The foundational requirements to put an Information Security Management System in place – such as creating and communicating policies, defining processes, and creating a system for documentation and records.
- Management Responsibility: Every successful organizational effort requires a strong commitment from top management to take responsibility for it, just as with other quality management processes.
- Continual Improvement: The standard requires evidence that processes are being reviewed for effectiveness, and that the ISMS is regularly audited to ensure it is operating as defined.
The standard also includes three annex sections. Annex A provides a list of security controls typically required by organizations. IT security managers sometimes use this annex as a shopping list of where to start when building ISMS requirements.
Importance of Information Security
Organizations that implement an ISO 27001 ISMS can also gain independent third-party certification that their information security management system conforms to the ISO 27001 Standard’s requirements. This signals to everyone, inside and outside the organization, that information security is taken seriously and that a functional management system is in place to meet information security requirements.
Building a reputation for information security in today’s climate can have strategic and competitive advantages.