ISO 27001 is an international standard describing best practice for an Information Security Management System (ISMS). If a company chooses to achieve this certification, it means that the certified company is following best practice in information security, which provides independent, expert verification that its information is managed in line with international best practice and its business objectives. The standard is supported by the code of practice for information security controls, ISO/IEC 27002:2013.
This standard covers all types of organizations, whether commercial enterprises, government agencies or non-profits; all sizes, from micro businesses to large multinationals; and all industries and markets. It does not mandate any specific information security controls, since the controls required vary widely from one organization to another. Companies adopting this standard are therefore not bound to choose any particular information security controls; they can choose the most applicable ones according to their information risk.
What is an ISMS?
An Information Security Management System (ISMS) is a managed system of processes, documents, technology and people which helps to manage, monitor, audit and improve the organization's information security. It helps to manage all the security practices in one place, consistently and cost-effectively.
We can also say that an ISMS is a business-driven risk assessment framework which enables you to identify security threats and treat them according to your organization's risk appetite and tolerance.
Benefits and Importance of ISO 27001 Certification –
There are essentially four business benefits that a company can achieve with the implementation of this information security standard:
1) Comply with Legal Requirements –
The best thing about this standard is that it gives you a methodology for complying with all the laws, regulations and contractual requirements related to information security. These risks and threats can be addressed by implementing ISO 27001 certification.
2) Achieve Marketing Advantage –
Your company will have an advantage over competitors if you hold the certificate and the other companies do not. In the eyes of customers who are sensitive about keeping their information secure, your company will appear safer.
3) Lower Costs –
The main motive behind ISO 27001 is to prevent security incidents from happening, and every incident, large or small, costs money. Therefore, by preventing them, your company will save quite a lot of money. The best thing is that the investment in ISO 27001 is far smaller than the cost savings you'll achieve.
4) Better Organization –
Fast-growing companies generally do not have time to document their processes and procedures; as a consequence, employees don't know what is to be done. Implementing ISO 27001 resolves this situation, as it encourages companies to write up their main processes, enabling them to reduce costs and lost time.
How to implement ISO 27001?
The following steps have to be followed to implement ISO 27001 in your company –
1) Get top management support
2) Use project management methodology
3) Define the ISMS scope
4) Write the top-level Information security policy
5) Define the Risk assessment methodology
6) Perform the risk assessment and risk treatment
7) Write the Statement of Applicability
8) Write the Risk treatment plan
9) Define how to measure the effectiveness of your controls and of your ISMS
10) Implement all applicable controls and procedures
11) Implement training and awareness programs
12) Perform all the daily operations prescribed by your ISMS documentation
13) Monitor and measure your ISMS
14) Perform internal audit
15) Perform management review
16) Implement corrective actions
Mandatory Documents –
ISO 27001 requires the following documentation to be written –
- The scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And these are the mandatory records:
- Records of training, skills, experience, and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
How to Get Certified?
Two types of ISO 27001 certificates exist: one for individuals and the other for organizations. Organizations get certified to prove that they are compliant with all the mandatory clauses of the standard; individuals can attend a course and pass the exam in order to get the certificate.
For an organization to become certified, it must implement the standard as explained above and then go through the certification audit performed by a certification body. The ISO certification audit is performed in the following stages:
- Stage 1 audit (Documentation review) – All the documentation should be reviewed by the auditor.
- Stage 2 audit (Main audit) – The task of the auditor is to check whether the activities performed in the company are compliant with the standard and with the ISMS documentation.
- Surveillance visits – After the certificate is issued, during its 3-year validity, the auditors will check whether the company maintains its ISMS.
Individuals can take several courses in order to obtain certificates – the most popular are:
- ISO 27001 Lead Auditor Course – This is a 5-day course, intended for auditors and consultants, that teaches how the certification audit is performed.
- ISO 27001 Lead Implementer Course – This is also a five-day programme, intended for information security practitioners and consultants, that teaches how to implement the standard.
- ISO 27001 Internal Auditor Course – This is a two- to three-day programme, intended for beginners and internal auditors, that teaches the basics of the standard and of internal auditing.