Information Security Management Systems – ISO 27001:2013
Why implement an ISMS?
It seems that every day another information security incident makes the news. More and more organisations are now implementing an ISMS (information security management system) to preserve the confidentiality, integrity and availability of their information. With the increased need for businesses to share private and sensitive information with their business networks (e.g. in the defence, insurance and finance industries) and the ever-increasing need for access via mobile devices and home-based systems, Information Security is now a CRITICAL requirement!
Whilst there are several models that may be used as a basis for an ISMS, the ISO 27001 standard is fast becoming the industry-standard model in use. It is an international standard that specifies requirements for an ISMS and enables organisations to seek formal certification as an assurance to their clients and other interested parties.
ISO 27001 follows the common ISO risk-based structure
ISO 27001 is based on the common ISO high-level clause structure and common terminology. Its risk-based approach and structure are consistent with the other ‘new generation’ standards such as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO 45001 (OH&S management). This is particularly useful for organisations that wish to implement an IMS (integrated management system) addressing the requirements of ISO 27001 in conjunction with one or more of the other ISO standards.
Following the PDCA cycle
The PDCA cycle is a continuous loop of Planning, Doing, Checking and Acting. It provides a simple and effective approach to solving problems and managing change. The Plan-Do-Check-Act (PDCA) cycle is the operating principle of all ISO management system standards, including ISO 27001, so by following this cycle you can effectively manage and continually improve your organisation’s effectiveness in managing information securely.
The following table illustrates the clause structure of ISO 27001:2013 in the context of the PDCA cycle –
Using the ‘Annex A’ from ISO 27001
Annex A of ISO 27001 is an essential tool for managing security. It provides a list of security controls to be considered and addressed, as applicable, to improve the security of information.
One thing that sets ISO 27001 apart from other ISO management system standards is its Annex A. It specifies 114 controls across 14 sets or domains, each dealing with a different aspect of information security. These controls are to be applied in the context of the organisation’s ‘Statement of applicability’, and should address the relevant risks and opportunities that have been identified.
What is your next step?
The above is just a broad outline of the ISO 27001 standard and its requirements. The full standard contains a great deal more detail and is available from your local standards association and other sources.
For an organisation looking to implement a system based on ISO 27001 (and possibly also achieve certification), the first step would be to perform a Gap Analysis: an examination of how well the organisation’s current controls meet the requirements of the standard. The analysis report identifies the starting point of the journey and how much needs to be done to reach the desired outcomes.
EQAS and its partners can provide a full range of services to transform your information security, including:
• Gap analysis
• System development and documentation
• System testing
• Management system software platform
• ISO 27001 certification audit services
Contact us now to discuss your ISO 27001 information security needs.