Any one that requires management guidance on how to secure their information assets must implement the ISO 27001 framework. The intention behind the ISO 27001 standard is to provide a standardised template for organisations, so that they can manage their information security and data in a durable way. Let us discuss what is ISO 27001 framework and how to comply with it in the following article.
What is ISO 27001?
The ISO 27001 framework was developed in partnership between International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). This is why, you may have come across the alternative name for the standard, which is ISO/IEC 27001. Irrespective of what you call it, ISO 27001 is basically a set of recommendations for information security management that provides best practises for the creation of an buoyant Information Security Management System (ISMS). The aim of the standard is to guide organisations, both small and large, to better protect their information in a cost-effective and risk-based manner.
A point to note that the standard cannot be implemented independently in your organisation, and requires strategic input from organisational decision-makers and top management, so that an accurate picture of the security threats, risks and vulnerabilities can be presented. The involvement of all stakeholders helps to customise security controls and address organisation-specific issues. ISO consultants can help you to framework your ISO 27001.
What are the ISO 27001 controls?
ISO 27001 contains a document called Annex A, which contains 14 domains or categories of controls. In total, there are 114 controls, and to gain compliance, you need to implement only those controls that are relevant for your organisation. Moreover, it should be noted that the sole focus of these controls expand beyond information technology security, and include other managing processes, legal compliance, human resources, and other areas of organisational management.
List of ISO 27001 Controls
The list of ISO 27001 clauses and controls include:
- Organisation of information security: These controls provide a framework for information security by defining roles and responsibilities.
- Human resource security: These controls help tackle the information security elements of Human Resource management.
- Asset management: These controls helps to identify vulnerable assets and allow management to designate plans and responsibilities for their security.
- Access control: These controls limit access to sensitive data through both logical and physical placement of controls.
- Cryptography: These controls teach the management the proper usage of encryption, so that the organisation’s information can remain confidential, authentic and integral.
- Physical and environmental security: These controls focus on the physical areas, equipment and facilities, which provide protection against intervention, both by nature or by humans.
- Operations security: These controls ensure that the operating systems and software are secure, functional and protected.
- Communication security: These are controls for infrastructure and service networks.
- System acquisition, development, and maintenance: These are controls that ensure that information security is maintained when purchasing or upgrading information systems.
- Supplier relationships: These are controls that are meant to ensure that right information security controls are utilised by suppliers and partners, so as to monitor the security performance of all third-parties.
- Information security incident management: These controls are related to security, incident management, and focus on incident handling, communication, resolution and prevention of incident recurrence.
- Information security aspects of business continuity management: These controls ensure that information security management continuity takes place even when there are disruptions to the information system.
- Compliance: These controls prevent legal, regulatory, statutory and other breaches of contract.
Who needs ISO 27001?
All organisations can benefit from strengthening their information security programmes, because in today’s day and age, data is equivalent to gold. Moreover, with the ever increasing threat of hacks, data leaks, or cyber threats, prevention is always better than cure. Having said that, any organisation that deals with sensitive data or has a lot of data of their customers will find ISO 27001 advantageous.
What is needed for ISO 27001 compliance?
There are a list of mandatory requirements that organisations must adhere to in order to comply with ISO 27001. These requirements are outlined in the 10 clauses of the standard. Some examples include documentations such as the scope of the ISMS, risk assessment and risk treatment methodology, information security policy and objectives, statement of applicability, risk treatment plan, risk assessment reports, inventory of assets, suppliers security policy, et cetera.
Additionally, you will also need to present records of training, skill, experience in addition to results of internal audit program. The idea for achieving compliance is to adhere to the recommendations of ISO 27001.
At this point, it is necessary to remember that compliance is different from certification. Compliance is more of a self-declaration, whereas certification is awarded by an accredited certification body. After implementing your ISMS, the organisation needs to invite an accredited certification body to perform the certification audit. If the organisation passes the audit, it is issued an ISO 27001 certificate, validating the fact that it is fully compliant with ISO 27001. The validity of the certificate lasts for three years and to maintain it, the organisation must conduct yearly surveillance audits.
Conclusion
The ISO 27001 framework contains 10 clauses and 114 controls divided into 14 domains. In order to achieve compliance, organization’s must select the controls that are relevant to their individual circumstances.
Must Read: GPS Tracking Software: 4 Best Ones Apart From Linxup